Stylish Browser Extension Has Been Stealing Your Browser History

The Stylish browser extension is used to change the look of your websites. The extension also gave websites the ability to update their looks with with a brighter theme or a darker look and even lets you add some manga pictures. But now it has emerged that there is a darker side to this useful tool.

It has been reported in Robert Heaton’s blog that the Stylish browser extension has been logging the internet activity of 2 million users. The extension is sending the browser activity to the company’s servers with a unique user ID.  This unique ID can be linked to a login cookie which differentiates different users so that the user’s browser history can be mined. If the user creates an account in the userstyles.org that unique identifier can be used to link the user devices multiple browsing sessions into a cookie. The extension started collecting data from January 2017 when it was sold to a company named SimilarWeb.

SimilarWeb company’s privacy policy at the time stated that they only collect the information that is non-personal but that is not the case in the browser extension. The company may not have evil intentions but it is not good if the company didn’t have access controls that are strong enough to prevent the theft of the data being collected from unsuspecting users.

There some URL sessions that users visit that may contain some of the passwords reset tokens in the URLs itself which might be a problem because if the user didn’t use the token or there is a case where the token doesn’t expire it may lead to big security vulnerabilities if the data is leaked.

When Robert passed the request using Burp Suite he has noticed a huge number of requests going to the api.userstyles.org and the URLs are encoded with the Base64 Encoding which can be decoded easily with just a decoder. When Robert decoded the Base64 he found another base64 string and when encoded the query string again he was able to find a lot of session data and browser data that has been transferred to the company’s servers.

SimilarWeb has yet to comment on the matter.

Take your time to comment on this article.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil