(Credit: Seishiin/UserStyles.org)

The Stylish browser add-on for Mozilla Firefox and Google Chome has been indiscriminately logging and reporting users' browsing activity since January 2017, as software engineer Robert Heaton reported on Monday. Google and Mozilla have removed the add-on from their catalogs.

Stylish has been a popular plug-in among web developers, designers, and power users. But the increased scrutiny caused by Europe's recent implementation of General Data Protection Regulation has apparently put Stylish under the microscope.

SEE: How to beef up your Chrome and Firefox security in 2018

The Stylish add-on lets users apply aesthetic customization to specific websites. This customization is known as a cascading style sheet (CSS), which users can create themselves or download from the Stylish community. These style sheets are frequently used to increase legibility, change the color scheme, or to filter out parts of the page that the user isn't interested in seeing. This style sheet doesn't affect how other visitors view the site; it only happens within the browser of the user who has installed Stylish.

According to Heaton, the Stylish add-on not only logs and reports every website you go to, it also attaches a "unique identifier" to that activity. He adds, "This allows its new owner, SimilarWeb, to connect all of an individual's actions into a single profile." This sounds a lot like the psychographic profiling at Cambridge Analytica that was reportedly based on unauthorized data collection of tens of millions of Facebook users during the 2016 presidential election.

While SimilarWeb's privacy policy states that it doesn't collect personally identifiable information, Heaton points out that an analyst can still infer who you are based on the list of website URLs that you've visited: "De-anonymization using IP addresses and the specifics of a user's browsing history is often straightforward. Who do you think that person visiting https://www.linkedin.com/in/robertjheaton/edit might be?"

Heaton also points out that many URLs can contain unique strings of numbers and letters that are only supposed to be viewable by the user -- such as those for medical records, password reset pages, and even logging into a website. These strings are supposed to be active only temporarily, but someone who can access these logs when they are still fresh could use them to access highly private information.

FOLLOW Download.com on Twitter to keep up with the latest app news.

Firefox desktop users who no longer want this add-on can press Ctrl+Alt+A (Shift+Command+A on Mac) to open an alphabetical list of their add-ons. The Disable button will shut it down but not remove it. If you press the Remove button, you'll need to search for the add-on if you change your mind later. However, there's a third-party alternative called Stylus that you may want to look into.

Chrome desktop users still do not get a keyboard shortcut for their addons list; instead, you must click on the menu button in the upper right, select More Tools, then click on Extensions. Clicking on the button in the lower right corner will disable it. Or, click Remove to nuke it.

With either browser, you may have to restart it for add-on removal or disablement to fully take effect.

Takeaways

  1. The Stylish browser plug-in has been mining users' browser histories for commercial purposes. Always check the permissions that a browser add-on asks for, before you install it. Just because an add-on should have nothing to do with data collection doesn't mean that it will keep its hands off your browsing history.
  2. Users who want to protect their privacy but still want Stylish's functionality should check out Stylus instead.

Also see

Tom is the senior editor covering Windows at Download.com.