Closed Bug 1472948 Opened 6 years ago Closed 5 years ago
Blocklist Stylish add-on - sends full page urls to remote server
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180628175621
Steps to reproduce:
The 'Stylish' extension was recently sold and the new company now logs all browser history. https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/
This likely also affects Firefox. The extension is available on the extension store and also on https://addons.mozilla.org/en-GB/firefox/addon/stylish/?src=search and has 300K users.
Actual results:
Store my internet history
Expected results:
Didn't steal my internet history
Summary: Stylish extension is records all intrnet history and should be blocked / removed from extensions store / removed from FF → Stylish extension is records all history and should be blocked / removed from extensions store / removed from FF
Component: Untriaged → Blocklisting
OS: Unspecified → All
Product: Firefox → Toolkit
Hardware: Unspecified → All
Summary: Stylish extension is records all history and should be blocked / removed from extensions store / removed from FF → Stylish extension records all history and should be blocked / removed from extensions store / removed from FF
Summary: Stylish extension records all history and should be blocked / removed from extensions store / removed from FF → Blocklist Stylish add-on - sends full page urls to remote server
We decided to block because of violation of data practises outlined in the review policy.
Assignee: nobody → awagner
The block has been staged. Philipp, could you please review and approve?
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
I see, with this bug, that Stylish is blocked, and why. However, on ESR 52.8.1, the block incorrectly refers to the wrong bug for "more information". I have Stylish version 3.1.1. The URL for more information directs the user to: https://blocked.cdn.mozilla.net/i19.html That webpage refers to version 1.1b1 of Stylish, and a block request date of March 2011. It does not refer to this bug 1472948, rather to the old bug 621660 from March 2011.
(In reply to john ruskin from comment #4)
> However, on ESR 52.8.1, the block incorrectly refers to the wrong bug for
> "more information".
I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=1473194 for this as it might be an orthogonal concern to this bug.
The correct block page is https://blocked.cdn.mozilla.net/c635229f-7aa0-44c5-914f-80c590949071.html Which tells me "Why was it blocked? This add-on violates data practices outlined in the review policy." As a user that's not particularly helpful. You've just disabled a feature of the browser that I liked, and justified that with a vague mention of "data practises". That won't mean much to most users. Are we able to rephrase / expand that so your average person understands why they can't use Stylish any more? Additionally there is no suggested action, other than to live without the feature that the extension offered. Could we point users to https://addons.mozilla.org/en-GB/firefox/addon/styl-us/ which is a Stylish fork without the spyware?
Original reporter here: does this mean Stylish will get removed / cleaned from existing Firefox installations?
(In reply to mike.maccana from comment #7)
> Original reporter here: does this mean Stylish will get removed / cleaned
> from existing Firefox installations?
It will be disabled, not removed. Users will get a warning though with a request to (optionally) restart the browser.
(In reply to Peter Wu from comment #8) Thanks Peter.
(In reply to Ian Thomas ('thelem') from comment #6)
> Additionally there is no suggested action, other than to live without the
> feature that the extension offered. Could we point users to
> https://addons.mozilla.org/en-GB/firefox/addon/styl-us/ which is a Stylish
> fork without the spyware?
I don't know whether that is permissible, but users definitely will need assistance. There already are a number of "what's going on" threads on the Stylish forums, but many users may not know about this site: https://forum.userstyles.org/categories/stylish
According to the linked article, Stylish has been stealing browser history data since January 2017. Mozilla and the user community are apparently just finding out about this now, a year and a half later. The extension has been in the system, displaying the offending behavior, the entire time. I think there's a broader bug here, along the lines of "extensions can get away with malicious behavior for a long time without anyone noticing", or "it is possible and profitable to buy and maliciously monetize popular extensions", or even "extension developers don't get paid for their work and so have an incentive to sell out".
Thanks, people.
(In reply to Peter Wu from comment #8)
> It will be disabled, not removed. …
No alert for legacy 2.1.1. This seems proper.
Stylish 3.1.1 block-listed and disabled, 2.1.1 enabled : waterfox <https://new.reddit.com/comments/8wd5wu/-/>
(In reply to Ian Thomas ('thelem') from comment #6)
> The correct block page is
> https://blocked.cdn.mozilla.net/c635229f-7aa0-44c5-914f-80c590949071.html
I was directed to <https://blocked.cdn.mozilla.net/i1900.html>. I guess that the two URLs are synonymous.
(In reply to jscher2000 from comment #10)
> … a number of "what's going on" threads on the Stylish forums, …
https://web.archive.org/web/*/https://forum.userstyles.org/discussion/67684/no-longer-available-on-amo captures the first.
Previous versions of Stylish for Firefox did not include this behavior. A recent version did, and that is why it was blocked. Stylus is an alternative, so feel free to recommend it to people. We are also in the process of providing more support to affected users. Please post any additional questions in our discussion forum: https://discourse.mozilla.org/c/add-ons
Thank you everyone for the comments and inquiries you have made here, I understand this is an issue that brings up a lot of questions. At the same time, this is a bug tracker meant mostly for technical discussion around the actions taken. Therefore, I am restricting comments to this bug. If you have further questions, please follow the link to our discussion forums Amy posted in the previous comment. Thank you for your understanding.
Restrict Comments: true
We have pushed a Heartbeat message to Stylish users, giving them Styl-us as an option.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 6 years ago → 5 years ago
Resolution: --- → FIXED