This is a huge problem for the extension ecosystem in general. Who originally publishes an extension may not be the same entity that is pushing you updates in two years' time, and there's no way as a user to know this.<p>I publish a few extensions [1] [2] [3] and have been contacted multiple times by companies asking to buy them for several thousand dollars. They told me the going rate was 0.20 USD per user. You can imagine what kind of deals are being made when the extension has a million plus users.<p>When pushed for exactly why they wanted to buy the extensions, which are in no way monetizable, they gave vague answers about "user insights". I can guarantee there will be many other major extensions that have sold out their users.<p>[1] <a href="https://chrome.google.com/webstore/detail/old-reddit-redirect/dneaehbmnbhcippjikoajpoabadpodje" rel="nofollow">https://chrome.google.com/webstore/detail/old-reddit-redirec...</a><p>[2] <a href="https://chrome.google.com/webstore/detail/break-timer/hklkdbpicdmlpoiellngedpejjkmapei/reviews" rel="nofollow">https://chrome.google.com/webstore/detail/break-timer/hklkdb...</a><p>[3] <a href="https://chrome.google.com/webstore/detail/reddit-comment-collapser/njmimaecgocggclbecipdimilidimlpl" rel="nofollow">https://chrome.google.com/webstore/detail/reddit-comment-col...</a>
I've gotten annoyed enough to just copy the source from most of my extensions (located at `~/.config/google-chrome/Default/Extensions/`), remove the update stuff from the `metadata.json` and load them as developer extensions so they never update.<p>It's easy enough to update them + audit the code when something breaks. The hardest part is downloading the new code (.crx) without installing it; I had to write JavaScript I paste into the console. StackOverflow can unzip a crx by stripping the first 306 bytes.<p>I forked Stylish v1.5.2 a year ago before I heard of Stylus, but I've no need to switch since the original extension was pretty good.
<a href="https://github.com/Zren/chrome-extension-stylish#fork" rel="nofollow">https://github.com/Zren/chrome-extension-stylish#fork</a>
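An added example, not part of the comment above and not code from the commenter or from Chrome: one way to open a downloaded `.crx` for auditing without installing it. Instead of a fixed cut, it reads the lengths stored in the CRX2 or CRX3 header (306 bytes is what a CRX2 header with a 1024-bit RSA key and signature comes to) and then reports the manifest's permissions and `update_url`; the sample file, its zero-filled key and signature, and the `example.invalid` URL are constructed.

```python
import io
import json
import struct
import zipfile

def crx_zip_offset(data: bytes) -> int:
    """Return the offset at which the ZIP archive starts inside a CRX file."""
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file (missing Cr24 magic)")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 2:
        # CRX2: magic, version, key length, signature length, key, signature
        pk_len, sig_len = struct.unpack_from("<II", data, 8)
        offset = 16 + pk_len + sig_len
    elif version == 3:
        # CRX3: magic, version, header length, then a header of that length
        (header_len,) = struct.unpack_from("<I", data, 8)
        offset = 12 + header_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if data[offset:offset + 4] != b"PK\x03\x04":
        raise ValueError("no ZIP local file header at the computed offset")
    return offset

def audit_crx(data: bytes) -> dict:
    """Read manifest.json from a CRX held in memory; nothing is installed."""
    offset = crx_zip_offset(data)
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        manifest = json.loads(zf.read("manifest.json"))
    return {
        "zip_offset": offset,
        "permissions": manifest.get("permissions", []),
        "update_url": manifest.get("update_url"),
    }

def make_sample_crx2(pk_len: int, sig_len: int) -> bytes:
    """Constructed CRX2 sample: zero-filled key and signature, toy manifest."""
    manifest = {"name": "sample", "version": "1.0",
                "permissions": ["tabs", "<all_urls>"],
                "update_url": "https://example.invalid/update.xml"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    header = b"Cr24" + struct.pack("<III", 2, pk_len, sig_len)
    return header + bytes(pk_len) + bytes(sig_len) + buf.getvalue()

if __name__ == "__main__":
    print(audit_crx(make_sample_crx2(162, 128)))  # 1024-bit RSA key sizes
    print(audit_crx(make_sample_crx2(294, 256)))  # 2048-bit RSA key sizes
```

Comparing the reported permissions and `update_url` between the installed version and a newly downloaded one is a quick first check before reading the changed source files.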
As others have said, immediately switch to Stylus. While we're at it stop using Ghostery as well since they were bought by an ad company. Use Privacy Badger or a decent alternative (noscript + heavy/custom uBlock lists should work just fine)
I discussed this problem (in a bit of an inflammatory way) last month: <a href="https://news.ycombinator.com/item?id=17242003" rel="nofollow">https://news.ycombinator.com/item?id=17242003</a><p>It's particularly annoying, because I do have this Stylish extension installed (using css ::after rules to tag HN users)<p>EDIT: You can submit an abuse report when uninstalling a Chrome extension.
This reminds me of the "WOT, Web of Trust" (haha) privacy issue in 2016: Reporters (disguised as businessmen) were offered data that includes the surfing habits of three million German citizens. This data was, at least partly, collected by the “Web of trust” (WOT) browser extensions. The reporters were able to use this data to identify the browsing habits of individual persons – including high-ranking German and EU politicians.<p>English: <a href="https://ocr.space/blog/2016/11/wot-browser-extension-collects-habits.html" rel="nofollow">https://ocr.space/blog/2016/11/wot-browser-extension-collect...</a>
Google needs to take action here. From requiring re-confirming permissions every time a significant privacy policy change is made, or just by nuking SimilarWeb altogether from the web App Store.
Always the same cycle.<p>1/ New great product is built. People love it.<p>2/ Once enough people use it, start monetizing in shady ways, annoying users just not too much or they leave.<p>3/ Very annoyed users switch to another product back to 1/
Most browser extensions seem to require access to one's browsing history and keystrokes, even for legitimate functioning. Is there any way to ensure that they do only what they claim to do, and don't abuse the permissions? (Apart from verifying the source code, because clearly, lines of junk code >> interested eyeballs).<p>For example, would it be reasonable to enforce that an extension only acts locally, and cannot communicate with any external server? (I guess allowing arbitrary local modifications essentially allows the extension to execute arbitrary javascript code, including communicating with arbitrary remote entities?)
For those actively using Stylish and needing to switch:<p>'"Stylus" is a fork of the popular Stylish extension which can be used to restyle the web. Not "ish", but "us", as in "us" the actual users. Stylus is a fork of Stylish that is based on the source code of version 1.5.2, which was the most up-to-date version before the original developer stopped working on the project. The objective in creating Stylus was to remove any and all analytics, and return to a more user-friendly UI. We recognize that the ability to transfer your database from Stylish is important, so this is the one and only feature we've implemented from the new version.' [1]<p>[1] <a href="https://add0n.com/stylus.html" rel="nofollow">https://add0n.com/stylus.html</a>
and <a href="https://github.com/openstyles/stylus" rel="nofollow">https://github.com/openstyles/stylus</a>
Tampermonkey seems to be a good alternative as well and is available for all major browsers.<p>Does anyone have information on if the Safari Stylish Addon does the same shady things? It's available in the official App Store and was approved by Apple it seems.
Just filed this Firefox bug: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1472948" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=1472948</a>
Meanwhile a simple and open source bookmarking extension was taken down with no notice, no information (<a href="https://news.ycombinator.com/item?id=17440358" rel="nofollow">https://news.ycombinator.com/item?id=17440358</a>).
Well, shit. I installed this extension a few months ago, because <i>multiple</i> people on HN recommended it.<p>Tried it out, but found a different way to restyle and adjust sites to my tastes (uBlock and custom Greasemonkey) that I found easier. Then forgot about it.<p>And now it turns out this thing has been slurping my Internet history for months.<p>No downvotes, nobody calling them on it, just happy oblivious HN users that carelessly install random browser extensions and then recommend them to other people. Urgh.
This has been going on for <i>years</i> and Google has done nothing about it. These days I don't use any extensions where a major organization's reputation doesn't depend on them not becoming spyware. Truly a shame; I used to get a lot of benefit out of extensions, including a similar one named Stylebot, but now I don't trust anything other than Adblock Plus and the React Developer Tools to not covertly become malicious.
Report Stylish to Google: <a href="https://chrome.google.com/webstore/report/fjnbnpbmkenffdnngjfgmeleoegfcffe" rel="nofollow">https://chrome.google.com/webstore/report/fjnbnpbmkenffdnngj...</a>
Dark Reader (which generates dark themes dynamically) added support for static CSS so that style sheets could be migrated <a href="http://darkreader.org/blog/stylish/" rel="nofollow">http://darkreader.org/blog/stylish/</a>
Dangit - I just installed it yesterday to block Twitter's annoying timeline additions ("So-and-so liked such-and-such") which don't honor the account's word filter/blacklist. Any alternatives out there that are better?
10 months ago, I discovered and recommended <i>stylish</i> on a post titled: "Show HN: Make Medium Readable Again"[0]. I have only ever used it for a single site: medium.<p>It's times like these I wish I could go back and edit/update an old post with new info. I feel like I got stabbed in the back... which happens way too often in tech these days no matter how careful you are.<p>[0] <a href="https://news.ycombinator.com/item?id=15123638" rel="nofollow">https://news.ycombinator.com/item?id=15123638</a>
In what is certainly a complete coincidence, the Stylish Firefox extension threw up an "agree to our new TOS 'effective May 22, 2018.'" modal for me today.
It appears Firefox has already moved on this. Came home today and was warned that Stylish was an unsafe extension, and I can no longer find it listed as an available add-on.
I actually ran into this issue previously when for some reason I got a request on a `hidden` (very cryptic URL listed nowhere) diagnostic endpoint on one of our APIs.
I ended up identifying Stylish as the culprit. At first I disabled the tracking option (which is opt out and probably violates GDPR); a few weeks later I installed Stylus.<p>I also reported it around the same time and gave it a 1/5 star rating, but Google had no interest in the report, it seems.
I've been lucky enough to have never had an extension installed when it was sold, so I don't know that this isn't already the case, but if it isn't, I believe it should be:
Whenever an extension changes hands (is transferred to another account), the user should be notified in the same way they would be if it requested new permissions. Along with a rule that accounts are non-transferable, of course.
tl;dr: Use Stylus [1]. Use Stylus. Use Stylus.<p>I guess there should be an addon that notifies users for any ownership changes to browser addons they use. Or is there?<p>[1] <a href="https://github.com/openstyles/stylus" rel="nofollow">https://github.com/openstyles/stylus</a>
Found same issue with Pricee the other day, not sure how to report: <a href="https://addons.mozilla.org/en-US/firefox/addon/pricee-search-engine/" rel="nofollow">https://addons.mozilla.org/en-US/firefox/addon/pricee-search...</a>
The culprit in question tried to do the same thing to a Voice Search Chrome extension in the past[1].<p>[1] <a href="https://twitter.com/sephr/status/1014240895095300096" rel="nofollow">https://twitter.com/sephr/status/1014240895095300096</a>
Ugh! After so many years, I now have to view a white-themed internet again. I forgot how painful and blinding websites are!<p>Pls redesign the whole internet to be dark themed, so we don't need add-ons like this to fix the world. Thanks!
So it boils down to trust anyway. No way a code signing certificate can impose that trust. At the end of the day, it all goes back to human stance towards other beings in this world and own dignity.
Since "youtube-dl does not include support for services that specialize in infringing copyright", is there a fork, or addition, without this restriction?
I wonder if Stylish is also able to data-mine the websites you visited while in incognito mode, since extensions don't work there.<p>Does anybody have an idea?