Web extension has been exfiltrating data from end users since 2017.

Popular browser extension Stylish has been exposed as being “riddled with spyware”, allowing it to track the internet history of its users.

The extension, which allows a user to change the appearance of web pages, has been recording users’ page visits, according to one developer.

And despite the news only coming to light now, the owners of the extension have reportedly been tracking end users since 2017.

The original owner of Stylish sold the product in August 2016; the buyer then sold it in 2017 to SimilarWeb, a company that collects and analyses website traffic.

It was at this point that the extension code appears to have been modified to allow the company to send users’ browsing data to SimilarWeb servers.

And although the company claims it only stores ‘non-personal’ data, skepticism remains high.

The tracking was first reported back in January 2017, when Stylish fans voiced concerns about how their privacy was protected while using the add-on.

But it was once again brought to the attention of the cybersecurity community this week by software engineer Robert Heaton, who detailed his discovery of the issue in a blog post.

He wrote: “Stylish sends our complete browsing activity back to its servers, together with a unique identifier.

“This allows its new owner, SimilarWeb, to connect all of an individual’s actions into a single profile. And for users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie.

“This means that not only does SimilarWeb own a copy of our complete browsing histories, they also own enough other data to theoretically tie these histories to email addresses and real-world identities.”

After investigating, Heaton noticed that Stylish was exfiltrating all of his browsing data – including the full URLs of pages he was visiting, and his Google searches.

The issue has now gained traction online, with calls from those in the infosec community for Stylish to be pulled.

But it should be noted that there is an opt-out option available – and Stylish isn't the only company to collect customer data.

A previous statement from Stylish read: “In order to be fair and transparent with Stylish users, there is an easy-to-find opt-out from joining the marketing panel straight from the Stylish extension settings page, as described in the privacy policy.”

Heaton concluded: “SimilarWeb claims that they need to track every single website Stylish’s users visit in order to recommend them styles for the current webpage.

“This is a solution in search of a flimsy justification.”

He added: “Stylish is no longer a well-meaning product with your best interests at heart. If you use and like Stylish, please uninstall it and switch to an alternative like Stylus, an offshoot from the good old version of Stylish that works in much the same way, minus the spyware.”

Track record

Stylish is not the first company found to have been scooping up users’ internet browsing data.

Last year, the gaming community was riled by the news that Steam Inventory Helper – a free extension for Steam – was monitoring all sorts of user activity, including every single HTTP request they make.

The developers behind Steam Inventory Helper later apologized for the move, stating that the new permission requirements were implemented to help them better understand their users.