It is time to get rid of Stylish
The Stylish add-on and the linked userstyles.org repository for website styles changed ownership twice in the past years. The original owner sold Stylish back in October 2016 and the new owners of Stylish sold it again to the current owner SimilarWeb.
Stylish is a handy extension that you can use to apply custom CSS to websites. You may use it to change colors, remove elements, or add elements to sites to adjust them to your liking. You can remove advertisement, the comment section on YouTube, or turn Google Search's white background into something more eye pleasing.
Stylish collecting browsing data
The switch to the new owner of Stylish had massive privacy implications. SimilarWeb is known for its analytics offerings and it appears that the company collects browsing data from Stylish.
Users who install Stylish are automatically opted-in to sending anonymous data to Stylish. Stylish does include an option to opt-out of that in the extension options.
Back in 2017 we mentioned that it is unclear what data gets collected by the extension as it is not made clear in the privacy policy.
Robert Heaton analyzed Stylish's data collecting recently and discovered that the extension sends a user's complete browsing history back to Stylish servers. The data is linked to a unique identifier so that all of a user's browsing history can be linked together.
It is even worse for users who have an account on userstyles.org, a property owned by SimilarWeb, as Similarweb could link accounts to the browsing history.
Even if that is not the case, it is problematic even if SimilarWeb claims that it collects anonymized data only. One of the cases where this is problematic is when sites add information to the URL directly. Heaton mentions URLs that contain profile names, tokens, and URLs that use obscurity to protect data from third-parties.
Stylish makes a number of connections to api.userstyles.org whenever you connect to web resources. While you could think that this is done to return existing userstyles for these web resources, Stylish does transmit more information than it needs to for that functionality.
Heaton discovered that Stylish was transmitting obfuscated data to the userstyles address. He managed to decrypt it to find out that Stylish was submitting all browsing data to company servers. In other words, Stylish submits the full URL of any site you open in the browser the extension is installed in and Google search results as well.
SimilarWeb highlights what it collects in the extension's privacy policy:
From the Stylish desktop browser extension:
Standard web server log information (i.e., web request) as well as data sent in response to that request, such as URL used, Internet Protocol address (trimmed and hashed for anonymization), TabID, HTTP referrer, and user agent; and
Search engine results page data (keyword, order/index of results, links of results, title, description, and ads displayed).From the Stylish mobile app:
Standard web server log information (i.e., web request) as well as data sent in response to that request, such as URL used, Internet Protocol address (trimmed and hashed for anonymization), HTTP referrer, and user agent;
Search engine results page data (keyword, order/index of results, links of results, title, description, and ads displayed);
Device ID (anonymized and/or de-identified using irreversible encryption and/or hashing);
Browser type, operating system and Mobile Network Code;
Device model name, device screen size and whether the device is rooted;
All web connections; and
Information regarding installed applications and their use (names, app IDs, versions of installed apps, installation and update dates, whether they are system apps, which apps are used, duration of use, whether the apps are on the home page);
If you use Stylish, at the very least disable the collecting of data in the extension settings.
Alternatives?
We reviewed Stylus in 2017 which is a fork of Stylish that does not include the analytics component. You can install the extension and use it to load userstyles.
You may also use Chrome's overrides tool to make permanent changes directly to websites.
Now You: do you use Stylish?
Useless addon anyway.
Useless? Considering I have 25 styles installed and 18 of them are currently enabled “useless” looks to me to be the wrong adjective. :)
Stylish was good back in the day (WAY back in the day) before stylus. I dropped it like a bad habit as soon as it started to get, for lack of a better word “corrupted”. I used personal solutions for a while, then used stylus after I found it to be free of that bloat that plagued stylish. You couldn’t pay me to use Stylish now, it is a worthless piece of junk, definitely useless when we have Stylus. I mourn for anyone who actually gave money to those crap companies.
With Pale Moon I’ll continue to use “Stylish 2.0.7” with my own themes until the end, installed with “Moon Tester Tool” to block unwanted update.
For Pale Moon a fork of Stylish 2.0.7 has been created, named Stylem.
Announced here:
https://forum.palemoon.org/viewtopic.php?f=46&t=19443
Get it from here:
https://addons.palemoon.org/addon/stylem/
Yes thanks. Now I only have one add-on not compatible with Pale Moon 28 > CustomButtons{0.0.5.9pre1}, and unfortunately my prefered theme FT Deepdark :(
not much of a surprise, anything that sells out turns to garbage soon after. thankfully Stylus takes its place well enough.
Stylus ftw !
Before these issues I used Stylus to get rid of Google’s nags/tips that ask you to use Chrome and such.
Then I dumped Stylus when they sold out and I stopped using Google services, except for their search.
Now to get rid of the recent nags on Google’s search I use the “I don’t care about cookies” extension for Opera.
If need be I will try Stylus, thanks for this tip Martin.
Opps, I meant to say “Before these issues I used Stylish.. Then I dumped Stylish..”
The original owner sold Stylish in 2016, not 2010.
Also, FYI: for pre-FF57 browsers (e.g. Pale Moon, Basilisk, Waterfox, SeaMonkey etc) there exists a fork of the legacy Stylish: http://addons.palemoon.org/addon/stylem/
Oh well I missed this one, working great thank you :)
Thanks! I wasn’t aware of this fork. Seems to be doing what it should in both Pale Moon and Waterfox.
After having been a Stylish user for years I switched to Stylus when Firefox Quantum appeared, first because of serious problems with Stylish ported to a Webextension. It was a coincidence that at the same time buzz was starting to evoke the new Webextension’s affinity for peeking.
Not one problem with Stylus, clean, compact, fast.
I don’t use stylish anymore. I do however use styles from userstyles.org with TamperMonkey in Edge.
There’s a small link “Install style as userscript” just above the feedback button, I click that one.
But is TamperMonkey safe?
I had tried TamperMonkey before switching to Stylus and I remember it included opt-out options in the scope of privacy, cannot remember exactly in what conditions. It’s heavy, too heavy IMO for a style editor when Stylus is lite and free of dozens of options found in TamperMonkey which are unused for most of them by most of us (I guess).
@Anonymous
Probably, but Violentmonkey and Greasemonkey are available. Either of those are better options.
@John. Last time I tried Violentmonkey and Greasemonkey (web.ex) in Firefox 60, unfortunately most of my scripts have stopped working. That’s why I do not use Firefox.
You can use Stylus is open source and it works on Opera, firefox and chrome.
https://github.com/openstyles/stylus
Thank you! This is valuable article.
It’s been removed from AMO until further notice:
https://www.reddit.com/r/firefox/comments/8vq7cx/stylish_browser_extension_steals_all_your/e1pi7h1/
Violent Monkey on Chrome over here….
@Dave
I’ve always thought that was a good idea for someone using an extension for userscripts and another for userstyles. I’m always up for reducing the number of extensions I use but getting rid of Stylus won’t work for me because I have userstyles that I have written for different websites, most are simple with 1-4 rules but I don’t want to give them up. Otherwise, for someone already using Tampermonkey being able to install styles as scripts is pretty cool.
@Anonymous
I started using Tampermonkey about a year and a half ago in Nightly and have never heard of the extension itself being unsafe. But…I would worry about what the installed userscripts are doing and where they came from. Just make sure they are coming from a reputable source and you can always look at the code in Tampermonkey and both greasyfork.org and openuserjs.org let you look at the code before installing. When going thru the code you can get an idea of what it’s doing. I’ve been using userscripts for years and have not experienced anything unsafe or malicious. The worst I’ve seen is that the script quits working. Tampermonkey does collect anonymous statistics and that can be disabled in Settings/General. Since you are already “Anonymous” I don’t know if I would worry about it. ;)
@Tom Hawack
I think Tampermonkey can work for those that don’t want to make changes to styles or at least not make many changes. For those of use that want to edit styles or create styles, I can’t imagine using something other than Stylus. That would be crazy talk! LoL
“Tampermonkey does collect anonymous statistics and that can be disabled in Settings/General.”
Not only in “Settings/General”.
Also TM Privacy Policy: “We collect personal information from you in accordance with the provisions of German data protection statutes. Information is considered personal if it can be associated exclusively to a specific natural person.”
“natural person” means they do not consider IP as personal information, for us IP as they collect (see “Server Data”) is just “Anonymous information”, what a joke.
People making styles (like Lootyhoof – PM team) to put their work should find another place than “userstyles.org” instead to force us to go to a site trying to spy on us.
The Pale Moon Stylem add on is a fork of Stylish 2.0.7 which does not include the telemetry data collection of newer Stylish versions. Using preset scripts from userstyles.org is your own risk.
But even on Stylem on the add-ons manager under styles the link to “userstyles.org†is still there :(
Ideally what will happen: Mozilla and Google will ban these guys for life.The company will go bankrupt from all the lawsuits filed against them.
Realistically what will happen: They will be reinstated after the temporary ban and their misdeeds will be forgotten by the majority.
What shall be your punishment?
“Oops, We didn’t mean it”.
One slap on the wrist coming up
There’s needs to be a diff viewer for the addon manager so users can check what exactly got added/changed in a new extension instead of trusting whats said in a change logs
Robert Heaton didn’t discover anything new. See gorhill’s comment here:
https://www.ghacks.net/2017/01/04/major-stylish-add-on-changes-in-regards-to-privacy/#comment-4086083
And even back in 2016 someone in the userstyles forum:
https://forum.userstyles.org/discussion/comment/109446/#Comment_109446
I use Stylus. Stylish was pretty cool until got stupid with the analytics. For me, its main purpose is for helping to learn CSS. I took a global userstyle that was pretty close to matching my desktop environments theme and modified it to my liking. I was then able to figure out how to get the new theme to display or not to display where I wanted.
As a learning tool, it has been great. Outside of that, it’s not particularly necessary because there are other ways to accomplish the same thing. Of course, I did not know that until I started getting into learning some Web development.
Stylus is certainly a better option than Stylish. SimilarWeb has proven to be shady at best. It is a shame they turned one of the most popular extensions/addons into spyware. It’s that kind of nonsense that keeps me from using most extensions/addons anyway.
An alternative user styles manager/editor that does not collect user data:
https://aminoeditor.com
Userstyles.org has to be one of the worst managed sites on the WEB.
The pages take a very long time to load. Often they fail with a timeout.
I have tried several times to get to the forum and I get gateway errors.
I suspect this source for themes is dying a slow death.