Stylish 3.1.2 and greater


(Graham Perrin) #1

I don’t know whether there was a 3.1.2, but:

  • I caught a copy of non-blocked 3.1.3 before distribution ceased
  • I guess that there’ll be an alternative distribution channel for 3.1.3 or greater in due course (via the upfront blue Install for Firefox button and Stylish for Firefox footer at https://userstyles.org/, I guess).

Would anyone like to look at the code of 3.1.3, to tell whether it should be block-listed?


(jscher2000) #2

Do you want to post a copy of it somewhere (e.g., Dropbox, Google Drive, Microsoft OneDrive)? Unless something changed, it’s available for redistribution under GPLv3.


(Graham Perrin) #3

Sorry for not replying sooner. I wanted to not encourage redistribution.

Stylish 3.1.2

Not block-listed.

Stylish 3.1.3

Stylish 3.1.3 served from addons.mozilla.org (AMO) · Issue #8825 · mozilla/addons-server

From https://mobile.twitter.com/grahamperrin/status/1017407077927415808:

(exercising caution) I shouldn’t make it available publicly …

Not block-listed.

Stylish 3.1.4

Not block-listed.

From a copy of a blocklist.xml that was automatically updated at 05:55 this morning:

<emItem blockID="i1900" id="{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}">
  <prefs/>
  <versionRange minVersion="1.1b1" maxVersion="1.1b1" severity="1"/>
  <versionRange minVersion="3.0.0" maxVersion="3.1.1" severity="1"/>
</emItem>

Stylish 3.1.5

https://addons.mozilla.org/addon/stylish/versions/

NB

I do not promote use of the product.

Just raising awareness of:

  • availability
  • the scope of the block.
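
An added example, not part of the original post: a check of which Stylish versions fall inside the `versionRange` entries of the emItem quoted above. The version comparison is a simplified stand-in for Firefox's own comparator, and the function names are chosen for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# The emItem quoted in the post above, copied verbatim.
EM_ITEM = """<emItem blockID="i1900" id="{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}">
  <prefs/>
  <versionRange minVersion="1.1b1" maxVersion="1.1b1" severity="1"/>
  <versionRange minVersion="3.0.0" maxVersion="3.1.1" severity="1"/>
</emItem>"""

# One dot-separated part: number, string, number, string (e.g. "1b1").
_PART = re.compile(r"(\d*)(\D*)(\d*)(.*)")
_PAD = (0, True, "", 0, True, "")  # a missing part counts as 0


def _key(version):
    key = []
    for part in version.split("."):
        a, b, c, d = _PART.fullmatch(part).groups()
        # An absent string ranks above a present one, so 1.1b1 < 1.1.
        key.append((int(a or 0), b == "", b, int(c or 0), d == "", d))
    return key


def compare(left, right):
    """Return -1, 0 or 1. Simplified: no special handling of '*' or '+'."""
    kl, kr = _key(left), _key(right)
    width = max(len(kl), len(kr))
    kl += [_PAD] * (width - len(kl))
    kr += [_PAD] * (width - len(kr))
    return (kl > kr) - (kl < kr)


def blocked_ranges(em_item_xml=EM_ITEM):
    # The quoted fragment has no XML namespace; a full blocklist.xml may.
    root = ET.fromstring(em_item_xml)
    return [(r.get("minVersion"), r.get("maxVersion"))
            for r in root.iter("versionRange")]


def is_blocked(version, em_item_xml=EM_ITEM):
    return any(compare(lo, version) <= 0 <= compare(hi, version)
               for lo, hi in blocked_ranges(em_item_xml))


if __name__ == "__main__":
    for v in ("3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5"):
        print(v, "blocked" if is_blocked(v) else "not blocked")
```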

(jscher2000) #4

Seems 3.1.5 has a new disclosure/consent page upon installation. You have to hover the little “i” icons to get a decent explanation. What exactly it does someone (else) will need to study/verify.


(Brian Peiris) #5

Stylish was disabled (but still installed) in my addons due to the block that was put in place. I neglected to remove the addon entirely.

Today I found it re-enabled itself. These options for sending (supposedly de-identified) telemetry were enabled by default:
[image]


#6

Stylish 3.1.5 still sends full URLs for every website you visit. The interface is highly deceptive. Do NOT install this malicious extension, especially since there is a functionally equivalent add-on that respects your privacy: Stylus.

When opening the Stylish icon, a message with an opt-in request is shown followed by an “OK” button. It does not look like an opt-in request (“Agree” [with terms]) at all, but a notification (“OK” [to dismiss]):


Clicking “OK” silently enables tracking; this cannot really be considered consent, I suppose.

Once the setting is enabled (after installation, through this pop-up or preferences), it will track all website visits again (exactly the same way as was done before in version 3.1.1). If you are curious, this is the data that is sent to the third party (userstylesapi dot com) for every webpage you visit:

vmt=3
lav=21
wv=1
gr=3.1.5
pxe=5t277kc6l0r7iio7b306f5h6hri
ra=###{"t":"1532108199557","l":0,"ls":0,"ds":"","dfg":0,"s":0,"g":0}
gp=http://example.com/user/login?username=alice&token=ehdsjgfjs#password=hunter2
ver=http://example.com/
st=1532108838342
ch=9
di=ac300e127

As you can see, this report in fact contains very personal identifiable information. The option:

[ ] Send de-identified browsing data to Stylish to access style suggestions through the toolbar menu

is more accurately described by:

[ ] Send the full URL (possibly containing personal information) to Stylish. This enables style suggestions through the toolbar.

If you would like this company to know every website you visit (which may include your address, location, name, date of birth, family/friend/business connections, etc.), install this extension. Otherwise, you are better off uninstalling Stylish and warning your peers to stay away from this add-on.
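
An added example, not part of the original post: an audit helper that takes the report quoted above and lists which fields carry an http(s) URL and which parts of that URL (path, query parameter names, fragment) are exposed. The field meanings are not documented on the page, so the code inspects values only; the function names are chosen for this illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# The report quoted in the post above, copied verbatim.
REPORT = '''vmt=3
lav=21
wv=1
gr=3.1.5
pxe=5t277kc6l0r7iio7b306f5h6hri
ra=###{"t":"1532108199557","l":0,"ls":0,"ds":"","dfg":0,"s":0,"g":0}
gp=http://example.com/user/login?username=alice&token=ehdsjgfjs#password=hunter2
ver=http://example.com/
st=1532108838342
ch=9
di=ac300e127
'''


def parse_report(text):
    """Split 'key=value' lines on the first '=' only, so URLs stay intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def url_findings(fields):
    """Map each field holding an http(s) URL to the URL parts it exposes."""
    findings = {}
    for key, value in fields.items():
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            continue  # not a URL-valued field
        exposed = []
        if parts.path not in ("", "/"):
            exposed.append("path")
        exposed += ["query:" + name
                    for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
        if parts.fragment:
            exposed.append("fragment")
        findings[key] = exposed  # empty list: origin only
    return findings


if __name__ == "__main__":
    for field, exposed in url_findings(parse_report(REPORT)).items():
        print(field, exposed or ["origin only"])
```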


(Brian Peiris) #8

Looks like Stylish has once again been removed from AMO. The extension’s page now results in a 404 👍


(Graham Perrin) #9

It’s back, at 3.1.8.


(Ian Thomas) #10

What is causing Stylish to appear and then disappear again? Presumably any add-on that has been removed / blocked needs to be manually reviewed before it can be re-added? There would be no way for an automated review to ensure that the reported problems had been addressed.

Assuming a manual review has happened, does that mean that Mozilla are now happy with the practices of this add-on? From what I can tell Stylish have changed their privacy policy so the data collection is now documented (they state, in many words, that they collect visited URLs and produce aggregated reports of them).

The AMO policy at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews#Data_Disclosure_Collection_and_Management states add-ons should use “data only for the purpose for which it was originally collected.” In the add-on’s UI the stated purpose is to recommend styles for the current page, so surely the new privacy policy doesn’t comply with Mozilla’s policies?


(Jorge) #11

If the add-on is available after it was taken down, it’s because the issues were resolved with the reviewer team.