Browser extension which spies on our history and online data
What if we tell you that an extension you have downloaded to beautify the aesthetics of your web pages is actually hacking all your browsing data and could blackmail you for exposing it? It might sound scary but Stylish is an extension which works towards just that.
An extension for Chrome and Firefox web browsers, Stylish is a tool which offers you the facility to alter the appearance of the web pages you open. It changes the theme, adds certain styling elements and renders the UI in a different way. However, when a user avails the facilities of the Stylish extension, he/she inadvertently grants the browser history as well as some other personal information which could be misused.
The malicious mechanism is said to have been inducted in the browser in January 2017 when SimilarWeb firm acquired the ownership rights of it. However, the spyware is present only in Chrome browser since January last year while Firefox received in it March 2018.
When a user downloads and starts using Stylish, the extension sends the browsing history back to its SimilarWeb server. This data is sent along with a unique identifier. All the online actions of a user get accumulated in a single profile. The unique identifier gets connected with a login cookie which helps the extension server track your movements on various websites.
The Stylish extension does all the spying and hacking through links which users access for doing various activities, say resetting password. The links which we click on in our email for resetting a password, Stylish perhaps barges in such resetting processes through links and gets access to the accounts.
Stylish has around 2 million users registered on its platform and there are chances the data of all those users may have gotten fetched through the spyware. In this world of cybercrime and hackers, it is extremely important to investigate a bit about every tool or software we utilise. However, the smart mechanism of platforms such as Stylish is not easy to doubt on.
The threat has been made public by a well-known software engineer Robert Heaton on his blog.