Stylish turns out to be spyware
Recently the add-on Stylish was removed from Chrome’s, Firefox’ and Opera’s web stores. It turns out that there’s actually been spyware lurking in the code since January 2017, under its new owner SimilarWeb which bought Stylish in October 2016. This code has been sending off all browsing activity such as full URL’s (so also authentication tokens etc, everything that got sent as a GET request) as well as search information. When you’re logged in to Userstyles.org, the add-on would also send out your session cookie for this website as well, allowing correlation between browsing habits and real-world identities.
At HackingVision we strongly recommend that you uninstall Stylish if you still have it, and change passwords for any website that passed authentication data in its URL that may still be usable to establish a session. Luckily there’s a drop-in replacement called Stylus available. This one – for now at least – respects your privacy. However, constant vigilance is key.
Update: 3/02/2019 (JavaRockstar)
Stylish is back in Firefox add-ons and Chrome Web Store. This time they are a lot more upfront in there plans to track their users by adding privacy opt-in to the new version of the Stylish add-on that requires users to allow Stylish to collect anonymized browsing behavior data before they can start using styles.
Should you use it again in 2019 ? probably not! Considering the controversy surrounding this add-on in the past containing spyware and tracking its users every move. We advise all our visitors to use an open source alternative called Stylus that does not contain spyware and track its users.
From a security stand point if you don’t need browser themes and your happy with the current design of your browser install neither.