The Stylish browser extension is used to change the look of websites. It lets users restyle a site with a brighter theme or a darker look, and even add manga pictures. But now it has emerged that there is a darker side to this useful tool.
Robert Heaton has reported on his blog that the Stylish browser extension has been logging the internet activity of 2 million users. The extension sends browsing activity to the company's servers along with a unique user ID. This unique ID can be linked to a login cookie that distinguishes individual users, so that each user's browser history can be mined. If the user creates an account on userstyles.org, that unique identifier can be used to tie the browsing sessions from multiple devices to that account. The extension began collecting this data in January 2017, when it was sold to a company named SimilarWeb.
Some of the URLs that users visit contain password reset tokens in the URL itself. This is a problem: if the user has not yet used the token, or the token never expires, a leak of that data can lead to serious security vulnerabilities.
When Robert routed the extension's traffic through Burp Suite, he noticed a huge number of requests going to api.userstyles.org, with the URLs encoded in Base64, which is easily decoded with any decoder. Decoding the Base64 produced another Base64 string, and after decoding the query string a second time he found a lot of session data and browser data being transferred to the company's servers.
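As an added illustration (not code from the article, from Stylish or from SimilarWeb), the following Python helper shows how a defender can inspect a captured telemetry request of this shape: it peels the nested Base64 layers off a query parameter and flags any decoded URL that carries a reset-token-like parameter. The endpoint path and the parameter name `data` are assumptions; the captured request is constructed for the example.

```python
import base64
import binascii
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample: a proxied request to the host named in the article.
# The path, the "data" parameter and the payload are made up for this example.
def _wrap(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

LEAKED_URL = "https://bank.example/reset?token=abc123&user=bob"
CAPTURED_REQUEST = (
    "https://api.userstyles.org/assumed-path?data="
    + quote(_wrap(_wrap(LEAKED_URL)), safe="")
)

# Query parameter names that commonly carry one-time or session secrets.
SENSITIVE_PARAMS = {"token", "reset_token", "code", "session", "auth"}


def unwrap_base64(value: str, max_depth: int = 5) -> list[str]:
    """Repeatedly Base64-decode a value and return every decoded layer,
    stopping as soon as a layer is no longer valid Base64 or valid UTF-8."""
    layers = []
    current = value
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        layers.append(decoded)
        current = decoded
    return layers


def find_leaked_urls(captured_request: str) -> list[dict]:
    """Return every http(s) URL hidden inside the request's query parameters,
    together with the sensitive parameter names that URL itself carries."""
    findings = []
    query = parse_qs(urlparse(captured_request).query)
    for name, values in query.items():
        for value in values:
            for layer in unwrap_base64(value):
                parsed = urlparse(layer)
                if parsed.scheme not in ("http", "https"):
                    continue
                inner_params = {k.lower() for k in parse_qs(parsed.query)}
                findings.append({
                    "param": name,
                    "url": layer,
                    "sensitive": sorted(inner_params & SENSITIVE_PARAMS),
                })
    return findings
```

Running `find_leaked_urls(CAPTURED_REQUEST)` on the constructed sample reports one leaked URL whose `token` parameter would be exposed to the telemetry server.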
SimilarWeb has yet to comment on the matter.