Consumer Rights Wiki - User contributions [en]

Stylish (Chrome extension)

2026-05-29T14:40:35Z

82.3.220.102: Edits by James Arnott. I've removed the "This has not been independently validated" just because I've personally confirmed their obfuscation scheme by decoding the payloads and it can be easily confirmed by others using the given script.

{{ProductCargo
|ArticleType=Product
|Category=Browser extension
|Company=SimilarWeb
|Description=Browser extension that exfiltrates every URL its users visit & their AI chat content to SimilarWeb's servers
|InProduction=Yes
|ReleaseYear=2006
|Website=https://userstyles.org/
}}

'''Stylish''' is a Chrome & Firefox browser extension for applying user-written CSS skins to websites, originally written by Jason Barnabe as an open-source project & in circulation by January 2006 when Jesse Ruderman reviewed it.<ref name="ruderman">{{Cite web |title=Stylish |url=https://www.squarefree.com/2006/01/15/stylish/ |first=Jesse |last=Ruderman |date=2006-01-15 |website=squarefree.com}}</ref> It has been owned since January 2017 by the digital-market-intelligence firm [[SimilarWeb]],<ref name="bc-2017">{{Cite web |title=2 Million Users Impacted by New Data Collection Policy in Stylish Browser Add-On |url=https://www.bleepingcomputer.com/news/software/2-million-users-impacted-by-new-data-collection-policy-in-stylish-browser-add-on/ |first=Catalin |last=Cimpanu |date=2017-01-04 |website=BleepingComputer}}</ref><ref name="aibp-stylish" /> which uses the extension to record every URL its users visit. Security researcher Robert Heaton documented the full-URL exfiltration on July 2, 2018,<ref name="heaton1">{{Cite web |title="Stylish" browser extension steals all your internet history |url=https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/ |first=Robert |last=Heaton |date=2018-07-02 |website=robertheaton.com}}</ref> after which Google & Mozilla removed Stylish from both stores within two days;<ref name="heaton1" /><ref name="bc-2018">{{Cite web |title=Chrome and Firefox Pull Stylish Add-On After Report It Logged Browser History |url=https://www.bleepingcomputer.com/news/software/chrome-and-firefox-pull-stylish-add-on-after-report-it-logged-browser-history/ |first=Catalin |last=Cimpanu |date=2018-07-04 |website=BleepingComputer}}</ref> the extension was back in the Firefox add-on store by August 16, 2018 behind an opt-in startup screen.<ref name="heaton2">{{Cite web |title="Stylish" is back, and you still shouldn't use it |url=https://robertheaton.com/2018/08/16/stylish-is-back-and-you-still-shouldnt-use-it/ |first=Robert |last=Heaton |date=2018-08-16 |website=robertheaton.com}}</ref> In February 2026, security researcher James Arnott of Bay Area Labs reported that Stylish was still exfiltrating every visited URL through a five-stage obfuscation chain ending in AES-256-CBC encryption with a symmetric key hardcoded in the extension's own source code,<ref name="aibp-stylish">{{Cite web |title=Stylish is Back, Back again! |url=https://amibeingpwned.com/blog/stylish-is-back-back-again/ |first=James |last=Arnott |date=2026-02-26 |website=Am I Being Pwned?}}</ref> and in May 2026 Arnott ranked Stylish first on his ''"AI Chat Scraping Extension Wall of Shame,"'' reporting it also exfiltrates user conversations with Character.AI, ChatGPT, & Claude.<ref name="aibp-wall">{{Cite web |title=The AI Chat Scraping Extension Wall of Shame |url=https://amibeingpwned.com/blog/ai-chat-scraper-wall-of-shame |first=James |last=Arnott |date=2026-05-11 |website=Am I Being Pwned?}}</ref> As of May 2026, the Chrome Web Store lists Stylish with 2,000,000 users & displays both Google's ''"Featured"'' badge & a ''"Verified Publisher"'' badge on its listing.<ref name="cws-stylish">{{Cite web |title=Stylish - Custom themes for any website |url=https://chromewebstore.google.com/detail/stylish-custom-themes-for/fjnbnpbmkenffdnngjfgmeleoegfcffe |publisher=Google / Similarweb LTD |date=2026-03-19 |website=Chrome Web Store}}</ref><ref name="aibp-wall" />

==Consumer-impact summary==

*Records the full URL of every page the user visits & sends it to SimilarWeb's servers, including data such as the query string of every Google search, password-reset and magic sign in links sent by email and any other URL which the user visits.<ref name="heaton1" />
*Sends the captured URLs together with a per-user identifier that can be tied to a real-world identity through the userstyles.org login cookie, which is scoped to all userstyles.org subdomains.<ref name="heaton1" />
*As of 2026, also captures user conversations with hosted AI assistants such as Character.AI, ChatGPT, & Claude.<ref name="aibp-wall" />
*Wraps the captured data in a five-stage encoding chain ending in AES-256-CBC encryption whose key is hardcoded in the extension's own JavaScript, so the encryption protects the data only from outside observers, not from SimilarWeb.<ref name="aibp-stylish" />
*Carries Google's ''"Featured"'' & ''"Verified Publisher"'' badges on the Chrome Web Store despite the documented behavior.<ref name="cws-stylish" /><ref name="aibp-wall" />
*The open-source fork [[Stylus]], maintained by the community after the 2017 SimilarWeb acquisition, is a drop-in replacement that caches styles locally & sends nothing to a server.<ref name="cws-stylus">{{Cite web |title=Stylus |url=https://chromewebstore.google.com/detail/stylus/clngdbkpkpeebahjckkjfobafhncgmne |publisher=Google / stylus.openstyles |date=2026-05-26 |website=Chrome Web Store}}</ref>

==Background==

Stylish lets users apply user-written CSS to any website, replacing fonts, colors, & layouts with community-contributed "skins." It was created by Jason Barnabe as a Firefox extension; the earliest contemporaneous record in the source set is Jesse Ruderman's January 15, 2006 review on squarefree.com, which described it as ''"a Firefox extension by Jason Barnabe"'' that ''"lets you manage CSS rules to change the appearance of web sites."''<ref name="ruderman" /> Barnabe also operated the userstyles.org community site where users uploaded & shared their styles.<ref name="ghacks">{{Cite web |title=Stylish and userstyles.org have a new owner |url=https://www.ghacks.net/2016/10/09/stylish-and-userstyles-org-have-a-new-owner/ |first=Martin |last=Brinkmann |date=2016-10-09 |website=gHacks Tech News}}</ref>

For about a decade, Stylish operated as a small open-source project with no server-side telemetry: the extension fetched styles when the user asked for them & otherwise ran entirely locally. That changed when Barnabe stepped back from the project. In late September & early October 2016, ownership of both the Stylish extension & userstyles.org was transferred from Barnabe to a new operator named Justin Hindman.<ref name="ghacks" /> Three months later, Hindman announced that he had sold or partnered the project to SimilarWeb.<ref name="bc-2017" />

==SimilarWeb acquisition==

On January 4, 2017, BleepingComputer reported that Stylish ''"announced this week through the voice of its new owner a new data collection partnership with SimilarWeb, a digital market intelligence company,"'' with Hindman explaining the deal as a resource problem.<ref name="bc-2017" /> In a statement to the publication, Hindman wrote:

<blockquote>''When I first started working on Stylish, I understood that this product is incredible, but in order to bring it to its full potential, it would require a tremendous amount of resources I just don't have.''</blockquote><ref name="bc-2017" />

The new privacy policy added a data-collection feature labeled the ''"Suggested Web Styles"'' system. SimilarWeb's stated rationale was that recording each user's visited URLs let the extension recommend matching community styles. An opt-out toggle existed in the extension's settings panel, but BleepingComputer noted ''"[t]he anonymous data collection system comes turned on by default in all new installations"''; unchecking it disabled the suggestion feature & excluded the user from the displayed install counts.<ref name="bc-2017" /> At the time, Stylish had nearly two million users across Chrome & Firefox.<ref name="bc-2017" />

==2018 disclosure & takedown==

===Heaton's findings===

On July 2, 2018, software engineer Robert Heaton published a technical write-up titled ''"'Stylish' browser extension steals all your internet history."'' Working with the Burp Suite proxy, he had noticed that his browser was sending a steady stream of obfuscated POST requests to ''api.userstyles.org/stats.'' He described the encoding as plain base64 wrapped twice:

<blockquote>''I noticed that the data blob contained only letters and numbers and ended in %3D, the URL encoding for an = sign. This made me suspect that the blob had been Base64 encoded. I tried Base64 decoding it... Still nonsense. But the decoded string also contained only letters and numbers, and also ended in an = sign. I tried Base64 decoding it a second time... Pyrrhic victory. When I looked at the contents of the decoded payload, I realized that Stylish was exfiltrating all my browsing data.''</blockquote><ref name="heaton1" />

Inside the decoded payload Heaton found a unique tracking identifier attached to each request. Because the same browser also held a userstyles.org login session, the tracking identifier could be linked to a registered account. As Heaton put it, ''"Stylish's session cookie is scoped to *.userstyles.org, so it gets sent to every userstyles.org sub-domain as well."''<ref name="heaton1" /> He noted that the cookie expired at the end of each browser session, but pointed out that ''"it only takes one tracking request containing one session cookie to permanently associate a user account with a Stylish tracking identifier."''<ref name="heaton1" />

Heaton walked through the consumer-harm implications of recording full URLs rather than only domain names. Password-reset emails, one-time login tokens, & short-lived medical-record links from Amazon S3 all live inside URLs; capturing the full path & query string captures all of those secrets too.<ref name="heaton1" /> He also rejected the company's stated rationale, writing that if SimilarWeb only needed to suggest matching styles, ''"then they would only need to send themselves the current page's domain, not the full URL."''<ref name="heaton1" />

===Press coverage & store removal===

The disclosure was picked up by The Register on July 5, 2018, which independently summarized Heaton's findings & noted the gap between the privacy policy & the observed behavior: ''"While the SimilarWeb privacy policy for Stylish says it only collects anonymous data, Heaton found it was attaching an identifier to the data returned to the company."''<ref name="register">{{Cite web |title=Chrome, Firefox pull very unstylish Stylish invasive browser plugin |url=https://www.theregister.com/2018/07/05/browsers_pull_stylish_but_invasive_browser_extension/ |first=Richard |last=Chirgwin |date=2018-07-05 |website=The Register}}</ref> KitGuru ran a similar story the same day.<ref name="kitguru">{{Cite web |title=Stylish browser extension found stealing user's internet browsing history |url=https://www.kitguru.net/tech-news/featured-tech-news/ryan-burgess/stylish-browser-extension-found-stealing-users-internet-browsing-history/ |first=Ryan |last=Burgess |date=2018-07-05 |website=KitGuru}}</ref>

By July 4, 2018, both stores had pulled the extension. BleepingComputer reported that day:

<blockquote>''Google and Mozilla have removed the Stylish browser extension from their respective add-on stores after the publication of a report this week that accused the extension of logging users' browser histories and sending the data to remote servers.''</blockquote><ref name="bc-2018" />

BleepingComputer quoted Mozilla software engineer Andreas Wagner's bug-report comment: ''"We decided to block [Stylish] because of violation of data practices outlined in the review policy."''<ref name="bc-2018" /> Google did not issue a public explanation, but the Chrome Web Store listing began returning a 404 error.<ref name="bc-2018" /> Heaton's own post records the same two-day window in an update line: ''"2 days after publication of this post, Stylish was removed from the Chrome and Firefox stores. 3 weeks later, a new version is back in the Firefox store."''<ref name="heaton1" />

===Return to Firefox===

Stylish v3.1.8 was visible in the Firefox add-on store by August 16, 2018. Heaton published a follow-up the same day. The new build had not removed the tracking; it had moved the tracking behind a startup screen. Heaton wrote:

<blockquote>''It comes with a tastefully designed startup screen asking whether you would like to opt-in to having all your browsing history sent to the SimilarWeb servers. If you tick the boxes saying "no, obviously not" then it also features an aesthetically pleasing design dark pattern designed to trick you into accidentally changing your mind.''</blockquote><ref name="heaton2" />

His recommended response was unchanged from the original post: switch to the open-source fork. ''"[T]he Stylus browser extension is an exact substitute for Stylish,"'' he wrote.<ref name="heaton2" />

==2026 Am I Being Pwned investigation==

In February 2026, James Arnott, founder of Bay Area Labs ("Am I Being Pwned?"), revisited the extension. In a February 26, 2026 post titled ''"Stylish is Back, Back again!"'', Arnott reported that Stylish was still sending a POST request for every page visit, with the same payload structure as in 2018, but now wrapped in a far more elaborate obfuscation scheme.<ref name="aibp-stylish" />

Arnott listed five 2018 press articles confirming the original takedown, then noted that the current version of the extension carries both Google's ''"Verified Publisher"'' & ''"Featured"'' badges on the Chrome Web Store.<ref name="aibp-stylish" /> A sample payload he captured contains the fields ''gp'' (current URL), ''klm'' (previous URL), & ''pxe'' (per-user identifier), among others.<ref name="aibp-stylish" /> The payload Arnott published, captured from a single page visit, was:<ref name="aibp-stylish" />

<pre>
{
"gp": "https://userstylesapi.com/top/styles",
"klm": "https://www.google.com/search?q=test+google&rlz=1C5OZZY_enGB1156GB1156&oq=test&gs_lcrp=Eg...",
"ver": "https://www.google.com/search?q=test+google&rlz=1C5OZZY_enGB1156GB1156&oq=test&gs_lcrp=Eg...",
"knl": "",
"dig": "2008511158",
"tmg": "link",
"trp": "exthead",
"st": "1772053130391",
"ch": "9",
"di": "a3e3e2a81",
"pxe": "Lk85G2SeiETEPNOWlrR15mLsZDsC",
"vmt": "6",
"lav": "21",
"wv": "1",
"gr": "3.4.10",
"craz": "AAEAAAAAAG0RCwIRdAAAAAAAAAAAAAAAAAAAAAAAAAA="
}
</pre>

Arnott wrote:

<blockquote>''Where gp is your current URL, klm was your previous URL and pxe is your unique identifier, amongst other data.''</blockquote><ref name="aibp-stylish" />

On May 11, 2026, Arnott published ''"The AI Chat Scraping Extension Wall of Shame,"'' a ranked list of seven Chrome extensions he observed scraping user conversations with hosted AI assistants. Stylish was entry #1, classified as ''"Confirmed"'' with ''"Extensive"'' obfuscation, & listed at 2,000,000 users. Arnott wrote:

<blockquote>''Stylish has the most extensive obfuscation we've seen, as we covered here. They exfiltrate all URLs and AI chats from providers like Character AI, ChatGPT, Claude, etc.''</blockquote><ref name="aibp-wall" />

He noted that Stylish's Chrome Web Store listing prominently displays the line ''"We care about your privacy."''<ref name="aibp-wall" /><ref name="cws-stylish" />

===Five-stage obfuscation chain===

Plain English: the extension takes the URL of every page the user visits, scrambles it five different ways one after the other, & only then sends it to SimilarWeb's servers. The point of the scrambling is not to keep the data secret; SimilarWeb can unscramble it because the unscrambling instructions are inside the extension itself. The point is to make it hard for outside reviewers, including the Chrome Web Store's automated review process, to recognize what is leaving the browser.

According to Arnott's reverse engineering, the payload passes through these five stages in order:<ref name="aibp-stylish" />

<blockquote>''URL encoding to a query string... Double base64 encoded JSON stringified, then base64 again... Columnar transposition cipher, the base64 string is split into 48-character rows, then read column-by-column instead of row-by-row, scrambling the text... AES-256-CBC encrypted using a symmetric key hardcoded in the extension source code... Base64 encoded one final time.''</blockquote><ref name="aibp-stylish" />

Arnott characterized the construction as more elaborate than its purpose required. On the AES-256-CBC stage, he commented that a hardcoded symmetric key offers no real confidentiality against anyone who can read the extension's JavaScript, & noted that asymmetric encryption would have avoided shipping the decryption key inside the extension at all.<ref name="aibp-stylish" /> He published the following JavaScript decoder, which uses the symmetric key extracted from the extension to reverse the entire chain & recover the original URL payload:<ref name="aibp-stylish" />

<pre>
async function decodeStylish(blob) {
const key = await crypto.subtle.importKey("jwk",
{alg:"A256CBC",ext:true,
k:"MaQ2KBEEiYcOcSCfszxMBVrKsXK3hxGmxZ8Zjq50KZg",
key_ops:["decrypt"],kty:"oct"},
"AES-CBC",false,["decrypt"]);
const raw = Uint8Array.from(atob(blob), c => c.charCodeAt(0));
const dec = await crypto.subtle.decrypt({name:"AES-CBC",iv:raw.slice(0,16)}, key, raw.slice(16));
const rows = new TextDecoder().decode(dec).split("\n");
let b64 = "";
for (let col = 0; col < rows[0].length; col++)
for (const row of rows) { const ch = row[col]; if (ch && ch !== " ") b64 += ch; }
const obj = JSON.parse(atob(b64));
const once = atob(obj.e.replace(/-/g,"+").replace(/_/g,"/"));
const qs = atob(once.replace(/-/g,"+").replace(/_/g,"/"));
return Object.fromEntries(new URLSearchParams(qs));
}
</pre>

The key string <code>MaQ2KBEEiYcOcSCfszxMBVrKsXK3hxGmxZ8Zjq50KZg</code> is the AES-256-CBC symmetric key that ships inside the extension's own JavaScript bundle, which is what Arnott meant when he commented that the hardcoded key makes his job as an outside reviewer ''"so much easier."''<ref name="aibp-stylish" /> Arnott summarized his read of the chain's motive:

<blockquote>''This POST request is obfuscated, which in my opinion is to make it harder for people to see what it's doing or to get around the Chrome Web Store publishing review process, or perhaps even both.''</blockquote><ref name="aibp-stylish" />

==Privacy-policy contradiction==

Stylish's current Chrome Web Store listing carries Google's standard data-handling disclosure block. Under that block, the developer has declared that the extension's collected data is ''"Not being sold to third parties, outside of the approved use cases"'' & ''"Not being used or transferred for purposes that are unrelated to the item's core functionality."''<ref name="cws-stylish" /> The listing also states: ''"we collect anonymous browsing data as described in our privacy policy https://userstyles.org/privacy-policy."''<ref name="cws-stylish" />

Arnott reports that the linked userstyles.org privacy policy says the opposite. In his February 2026 post he wrote that the policy ''"states that they explicitly do sell personal data,"'' contradicting the larger-font Chrome Web Store declaration on the same product.<ref name="aibp-stylish" /> He further observed that the Chrome Web Store's ''"approved use cases"'' list does not include selling user data for business purposes & in fact prohibits it.<ref name="aibp-stylish" />

The Chrome Web Store's own User Data FAQ, which governs what extensions are allowed to do with user data, states that ''"Ad targeting or other monetization of this data isn't for a user-facing feature"'' & that a product collecting browsing activity for any non-user-facing purpose is not permitted.<ref name="cws-faq">{{Cite web |title=User Data FAQ |url=https://developer.chrome.com/docs/webstore/program-policies/user-data-faq |publisher=Google / Chrome for Developers |website=Chrome for Developers |access-date=2026-05-29}}</ref>

==Stylus==

[[Stylus]] is the open-source fork of Stylish maintained by the community after the SimilarWeb acquisition. It was forked from Stylish v1.5.2 with the stated goal of removing all tracking & restoring a simpler user interface.<ref name="add0n">{{Cite web |title=Stylus :: add0n.com |url=https://add0n.com/stylus.html |publisher=Stylus Team |website=add0n.com}}</ref> Both Heaton (in 2018) & Arnott (in 2026) recommended Stylus as the practical mitigation for Stylish users.<ref name="heaton2" /><ref name="aibp-stylish" />

As of May 2026, the Stylus Chrome Web Store listing shows 1,000,000 users, version 2.3.28, updated May 26, 2026, with publisher ''stylus.openstyles@gmail.com.''<ref name="cws-stylus" /> The listing describes its data practices in plain language: ''"Unlike other similar extensions, we don't find you to be all that interesting. Your questionable browsing history should remain between you and the NSA. Stylus collects nothing. Period."''<ref name="cws-stylus" /> Chrome Web Store displays the disclosure ''"[t]he developer has disclosed that it will not collect or use your data."''<ref name="cws-stylus" /> Functionally, Stylus reads userstyles.org's style libraries the same way the old version of Stylish did, caches the styles locally on the user's machine, & does not contact a server for each page visit.<ref name="aibp-stylish" />

==Chrome Web Store status==

As of May 2026, the Stylish Chrome Web Store listing (extension ID ''fjnbnpbmkenffdnngjfgmeleoegfcffe'') shows:<ref name="cws-stylish" />

*Publisher: ''Similarweb LTD,'' 33 Itzhak Rabin Rd., Givatayim 5348303, Israel; D-U-N-S 533122482; trader status declared for the European Union.
*User count: 2,000,000.
*Rating: 4.3 out of 5 from 22,200 ratings.
*Version: 3.4.14, updated March 19, 2026.
*Badges: ''"Featured"'' & a ''"Verified Publisher"'' indicator (''"The publisher has a good record with no history of violations"'').
*Declared data collected: web history.
*Declared data uses: ''"Not being sold to third parties, outside of the approved use cases"''; ''"Not being used or transferred for purposes that are unrelated to the item's core functionality."''

Google describes the Featured badge as recognizing extensions that ''"follow our technical best practices and meet a high standard of user experience and design,"'' including ''"respecting the privacy of end-users,"'' with each badge assigned after manual review by Chrome staff.<ref name="google-badge">{{Cite web |title=Find great extensions with new Chrome Web Store badges |url=https://blog.google/products-and-platforms/products/chrome/find-great-extensions-new-chrome-web-store-badges/ |first=Debbie |last=Kim |date=2022-04-20 |publisher=Google}}</ref>

==See also==

*[[SimilarWeb]]
*[[Stylus]]
*[[Browser extension AI chat exfiltration]]
*[[Chrome Web Store]]

==References==

{{reflist}}

[[Category:Browser extensions]]
[[Category:Privacy incidents]]
[[Category:SimilarWeb]]

Browser extension AI chat exfiltration

2026-05-29T14:30:11Z

82.3.220.102: Corrections from James Arnott

'''Browser extension AI chat exfiltration''' is the practice of browser extensions, primarily distributed through the [[Chrome Web Store]], reading the content of users' conversations with AI chatbots such as ChatGPT, Claude, Character.AI & DeepSeek, typically along with the user's full URL history, shipping that data to remote servers controlled by the extension's publisher or its parent data-broker company. A May 11, 2026 investigation by security researcher James Arnott of amibeingpwned.com identified seven Chrome extensions with a combined install base of more than seven million users that were either actively exfiltrating AI chat content or carried the server-controlled infrastructure to begin doing so on command; most of the seven carried Google's Featured or Verified badges at the time of disclosure.<ref name="aibp-wall">{{Cite web |url=https://amibeingpwned.com/blog/ai-chat-scraper-wall-of-shame |title=The AI Chat Scraping Extension Wall of Shame |last=Arnott |first=James |work=Am I Being Pwned |date=May 11, 2026 |access-date=May 29, 2026}}</ref> The pattern follows a December 2025 disclosure by Koi Security that the Urban VPN Proxy extension, with more than seven million users across Chrome & Edge, had been logging conversations with eight separate AI assistants since a July 9, 2025 update,<ref name="malwarebytes">{{Cite web |url=https://www.malwarebytes.com/blog/news/2025/12/chrome-extension-slurps-up-ai-chats-after-users-installed-it-for-privacy |title=Chrome extension slurps up AI chats after users installed it for privacy |work=Malwarebytes Labs |date=December 18, 2025 |access-date=May 29, 2026}}</ref> & a January 2026 OX Security disclosure of two ChatGPT-impersonating extensions with a combined 900,000 users that posted users' chats to attacker-controlled servers every 30 minutes.<ref name="hackernews">{{Cite web |url=https://thehackernews.com/2026/01/two-chrome-extensions-caught-stealing.html |title=Two Chrome Extensions Caught Stealing ChatGPT and DeepSeek Chats from 900,000 Users |last=Lakshmanan |first=Ravie |work=The Hacker News |date=January 6, 2026 |access-date=May 29, 2026}}</ref>

==Background==

A browser extension is a small program a user installs onto their browser to add features such as ad-blocking, changing how a site looks, or giving the user more information about a site they are using. Once installed, extensions can run scripts in every webpage the user accesses. If the extension was given the read-your-browsing-history permission or the broader permission to read & modify any web page, it can see every URL the user visits & it can read the text of any page the browser displays, including a user's typed prompts to an AI chatbot & the chatbot's replies.

Technically, the read-the-page capability is typically delivered through a content script: a piece of extension code injected into the page that can read the rendered HTML directly. Because the content script runs inside the browser after the TLS connection to ChatGPT or Claude has already been decrypted, the encryption between the user & the AI provider does not protect the chat from the extension. A separate background service worker in the extension can take what the content script reads & post it to a remote server the publisher controls.<ref name="aibp-stylish">{{Cite web |url=https://amibeingpwned.com/blog/stylish-is-back-back-again |title=Stylish is Back, Back again! |last=Arnott |first=James |work=Am I Being Pwned |date=February 26, 2026 |access-date=May 29, 2026}}</ref> Google's own Chrome Web Store Limited Use policy states that ''"Collection and use of web browsing activity is prohibited, except to the extent required for a user-facing feature described prominently in the Product's Chrome Web Store page and in the Product's user interface."''<ref name="cws-limited">{{Cite web |url=https://developer.chrome.com/docs/webstore/program-policies/limited-use |title=Limited Use |work=Chrome for Developers |access-date=May 29, 2026}}</ref> The cases below indicate that this policy is not consistently enforced.

==The May 2026 amibeingpwned.com investigation==

On May 11, 2026, James Arnott published ''The AI Chat Scraping Extension Wall of Shame'' on amibeingpwned.com, a project of Bay Area Labs Inc. Arnott's methodology combined static & dynamic analysis in the AIBP sandbox with manual packet capture; for each Confirmed entry, he watched the AI chat content leave the browser in network traffic in his own sandboxed browser & decoded the obfuscated payloads before classification.<ref name="aibp-wall" /> Arnott divided his findings into two categories: ''Confirmed'', meaning he observed chat content leaving the browser during testing, & ''Capability'', meaning the exfiltration code path & remote endpoint were present & wired up but did not fire in the observation window, which he attributed to server-side gating through remote configuration.<ref name="aibp-wall" />

Arnott explained the Capability category as follows:

<blockquote>''Remote config lets an extension fetch instructions from a server at runtime, changing behaviour after install without an update. It's also a convenient way to dodge sandbox detection, which is what we think we're looking at in the Capability entries below.''</blockquote><ref name="aibp-wall" />

The seven extensions Arnott named, with the install counts, owner attributions, status & obfuscation type he documented, are summarised below.<ref name="aibp-wall" />

{| class="wikitable"
|-
!Extension!!Users!!Owner!!Status!!Obfuscation
|-
|Stylish||2,000,000||SimilarWeb||Confirmed||Extensive (five-stage chain)
|-
|Poper Blocker||2,000,000||Big Star Labs LP||Confirmed||Character mapping
|-
|SimilarWeb||1,000,000||SimilarWeb||Confirmed||None
|-
|StayFocusd||700,000||SensorTower||Capability||LZ-String
|-
|CrxMouse||700,000||Big Star Labs LP||Capability||Base64
|-
|WhatRuns||400,000||Owned it Ltd||Confirmed||None
|-
|StayFree||200,000||SensorTower||Capability||LZ-String
|}

Arnott separately listed the Urban VPN Proxy extension, with more than eight million users, as an ''"honourable mention"'' because it had been caught & had ceased AI-chat scraping after the December 2025 Koi Security disclosure, although it continued to exfiltrate URLs with LZ-String compression at the time of his post.<ref name="aibp-wall" /> Arnott also published primary video evidence of two of the Confirmed entries on the amibeingpwned YouTube channel, demonstrating WhatRuns exfiltration<ref name="yt-whatruns">{{Cite web |url=https://www.youtube.com/watch?v=UYwUmaVohQk |title=WhatRuns caught scraping AI chats |author=amibeingpwned |work=YouTube |access-date=May 29, 2026}}</ref> & the StayFocusd infrastructure analysis.<ref name="yt-stayfocusd">{{Cite web |url=https://www.youtube.com/watch?v=IOdGJEky1SU |title=StayFocusd, is this productivity tool acting like Spyware? |author=amibeingpwned |work=YouTube |access-date=May 29, 2026}}</ref>

==How the exfiltration works==

For a non-technical reader: the Stylish extension wraps every URL the user visits in five layers of encoding before sending it to its servers, which makes it harder for a casual reviewer or an automated Chrome Web Store check to see what is being sent. The encoded request leaves the browser every time the user opens a new page, whether or not the user is doing anything with the extension at that moment.<ref name="aibp-stylish" />

Arnott reverse-engineered the Stylish payload & published the structure in a February 26, 2026 post. The JSON payload the extension builds in its background service worker contains, among other fields, ''gp'' (the current URL), ''klm'' (the previous URL) & ''pxe'' (a unique identifier for the user).<ref name="aibp-stylish" /> The sample payload Arnott captured from a single page visit reads:<ref name="aibp-stylish" />

<pre>
{
"gp": "https://userstylesapi.com/top/styles",
"klm": "https://www.google.com/search?q=test+google&rlz=1C5OZZY_enGB1156GB1156&oq=test&gs_lcrp=Eg...",
"ver": "https://www.google.com/search?q=test+google&rlz=1C5OZZY_enGB1156GB1156&oq=test&gs_lcrp=Eg...",
"knl": "",
"dig": "2008511158",
"tmg": "link",
"trp": "exthead",
"st": "1772053130391",
"ch": "9",
"di": "a3e3e2a81",
"pxe": "Lk85G2SeiETEPNOWlrR15mLsZDsC",
"vmt": "6",
"lav": "21",
"wv": "1",
"gr": "3.4.10",
"craz": "AAEAAAAAAG0RCwIRdAAAAAAAAAAAAAAAAAAAAAAAAAA="
}
</pre>

Arnott documented the obfuscation chain applied to that payload before it is posted:

<blockquote>''URL encoding to a query string ... Double base64 encoded JSON stringified, then base64 again ... Columnar transposition cipher, the base64 string is split into 48-character rows, then read column-by-column instead of row-by-row, scrambling the text ... AES-256-CBC encrypted using a symmetric key hardcoded in the extension source code ... Base64 encoded one final time.''</blockquote><ref name="aibp-stylish" />

Arnott observed that the AES-256-CBC step uses a symmetric key compiled into the extension's source code, which means anyone willing to read the extension's JavaScript can decrypt the traffic; he published a working JavaScript decoder using the recovered key.<ref name="aibp-stylish" /> His commentary on the design choice was direct:

<blockquote>''I do like the use of a hardcoded encryption key as it makes my life so much easier, although I do wonder if they've heard of this revolutionary "asymmetric encryption" where they can avoid having this hardcoded key for encryption and decryption.''</blockquote><ref name="aibp-stylish" />

Other extensions in Arnott's list applied lighter obfuscation or none at all. Poper Blocker used a character-mapping scheme; CrxMouse used base64; StayFocusd & StayFree used the LZ-String library, which Arnott characterised as compression; WhatRuns & the SimilarWeb extension applied no obfuscation to the exfiltrated requests at all.<ref name="aibp-wall" /> WhatRuns, in Arnott's words, ''"exfiltrates every URL you visit, alongside AI chats. No exceptions here, they don't even bother to obfuscate the requests."''<ref name="aibp-wall" />

The Capability extensions are gated server-side, which is why a one-shot sandbox check does not see them firing. Arnott documented the Poper Blocker case in detail: the AI-chat scraping code path & endpoint were present, but the exfiltration only began after the sandbox's user identifier had aged for roughly a day. In his words: ''"We initially did not see AI chat scraping in our sandbox, but after leaving the user ID to age for a day, the scraping kicked in, confirming the server-side timer gated on user-ID age."''<ref name="aibp-wall" /> Arnott documented StayFocusd's behaviour as the same pattern with a different trigger: the AI-chat scraping path was present behind a remote configuration flag that was off in initial testing and was not observed to be on at any point during testing, however Arnott demonstrated the capability of StayFocusd's scraping by swapping out the remote server for a locally controlled one which confirmed the AI-chat scraping capability could be remotely enabled.<ref name="aibp-wall" /> The category covers ChatGPT, Claude & Character.AI; Arnott names those three providers as the targets exfiltrated by Stylish.<ref name="aibp-wall" />

==Owning companies==

===SimilarWeb===

SimilarWeb is the publisher of both the Stylish extension & an extension named after the company itself. Arnott documented both as Confirmed AI-chat exfiltrators, with the SimilarWeb-branded extension sending AI chats & full URLs even when the user is not interacting with it.<ref name="aibp-wall" /> Stylish has carried SimilarWeb's name as publisher since the company acquired the extension in January 2017; Robert Heaton documented in July 2018 that the post-acquisition version recorded every URL Stylish's two million users visited & sent those URLs to SimilarWeb's servers with a unique identifier.<ref name="heaton">{{Cite web |url=https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/ |title='Stylish' browser extension steals all your internet history |last=Heaton |first=Robert |date=July 2, 2018 |access-date=May 29, 2026}}</ref> Arnott separately observed a contradiction between the Stylish privacy policy, which he says explicitly states the company sells personal data, & the Chrome Web Store listing's larger-font claim on the home page that it does not.<ref name="aibp-stylish" /> As of May 2026 the Stylish Chrome Web Store listing names ''"Similarweb LTD"'' as the publisher, reports two million users & shows the Featured badge.<ref name="cws-stylish">{{Cite web |url=https://chromewebstore.google.com/detail/stylish-custom-themes-for/fjnbnpbmkenffdnngjfgmeleoegfcffe |title=Stylish - Custom themes for any website |work=Chrome Web Store |access-date=May 29, 2026}}</ref>

===Sensor Tower===

Sensor Tower is the publisher of StayFocusd & StayFree, both classified by Arnott as Capability for AI-chat exfiltration & both observed exfiltrating most URLs the user visits, with a US-centric whitelist for adult sites, US health sites & regex filters for US social security numbers & ZIP codes that does not protect users in other countries.<ref name="aibp-wall" /> StayFocusd's Chrome Web Store listing as of May 2026 names ''"Sensor Tower"'' as publisher, reports 700,000 users, shows the Featured badge & describes ''"Gen AI Analytics: Track and analyze your usage of AI chat platforms directly from the StayFocusd"'' as a feature while separately stating ''"StayFocusd does not collect personal data from the web pages you visit."''<ref name="cws-stayfocusd">{{Cite web |url=https://chromewebstore.google.com/detail/stayfocusd-website-blocker-focus-timer-shorts-blocker/laankejkbhbdhmipfmgcngdelahlfoji |title=StayFocusd - Website Blocker & Focus Timer & Shorts Blocker |work=Chrome Web Store |access-date=May 29, 2026}}</ref>

===Big Star Labs LP===

Big Star Labs LP is the publisher of Poper Blocker & CrxMouse. Arnott observed Poper Blocker exfiltrating URLs with character-mapping obfuscation & gated AI-chat scraping that activated after a 24-hour user-ID age, & observed CrxMouse exfiltrating URLs with base64 obfuscation & carrying the same remote-config infrastructure, however Arnott did not observe CrxMouse explicitly exfiltrating AI-chats during the period of testing.<ref name="aibp-wall" /> A name match exists with a 2018 AdGuard investigation by Andrey Meshkov, which documented a Delaware-registered ''"Big Star Labs"'' entity whose Chrome extensions & mobile apps were collecting browsing histories from more than 11 million users; AdGuard noted that ''"Every document that contains the company name is an image (in other words, you cannot simply Google their name), they use different accounts in extension stores, and the domain owners aren't publicized."''<ref name="adguard">{{Cite web |url=https://adguard.com/en/blog/big-star-labs-spyware.html |title=Big Star Labs Spyware Campaign |last=Meshkov |first=Andrey |work=AdGuard Blog |date=July 24, 2018 |access-date=May 29, 2026}}</ref> Whether the 2026 ''"Big Star Labs LP"'' is the same legal entity is not established in cited sources; only the name match is.

===Owned it Ltd===

Owned it Ltd is the publisher of WhatRuns, which Arnott documented as Confirmed for AI-chat exfiltration with no obfuscation applied to the outbound requests.<ref name="aibp-wall" /> The Chrome Web Store listing for WhatRuns as of May 2026 names ''"Ownedit Ltd"'' as the publisher, reports 400,000 users, shows the Featured badge & lists a developer address at 11 Brindley Place, Birmingham B1 2LP, United Kingdom.<ref name="cws-whatruns">{{Cite web |url=https://chromewebstore.google.com/detail/whatruns/cmkdbmfndkfgebldhnkbfhlneefdaaip |title=WhatRuns |work=Chrome Web Store |access-date=May 29, 2026}}</ref>

==Historical precedent==

Stylish was an open-source browser extension before SimilarWeb acquired it in January 2017. Robert Heaton's July 2, 2018 disclosure documented that the post-acquisition Stylish recorded every URL its users visited & sent that history to SimilarWeb together with a unique identifier; for users who had created a userstyles.org account, that identifier could be linked to a login cookie & through it to a real identity.<ref name="heaton" /> Heaton found the exfiltrated payloads in Burp Suite as ''"a large number of strange-looking requests going to api.userstyles.org"'' carrying base64-encoded blobs.<ref name="heaton" /> Heaton's post updated to note that ''"2 days after publication of this post, Stylish was removed from the Chrome and Firefox stores. 3 weeks later, a new version is back in the Firefox store."''<ref name="heaton" /> Arnott's February 2026 follow-up confirms that Stylish has returned to the Chrome Web Store carrying the Featured badge & is again exfiltrating the same categories of data.<ref name="aibp-stylish" /> The community-maintained open-source fork of the original Stylish codebase, named '''Stylus''', has roughly 900,000 users, does not phone home & caches styles on the user's local machine; Arnott recommends it as the direct replacement.<ref name="aibp-stylish" />

==Related contemporaneous cases==

===Urban VPN Proxy===

In December 2025, Koi Security disclosed that Urban VPN Proxy, a Chrome & Edge extension with more than seven million users, had been logging users' conversations with eight AI assistants since a July 9, 2025 version 5.5.0 update; the platforms intercepted were ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI) & Meta AI.<ref name="malwarebytes" /> Malwarebytes Labs corroborated the finding & noted that the extension sat in the Chrome Web Store with a 4.7-star rating & Google's Featured badge.<ref name="malwarebytes" /> The captured conversations were forwarded to Urban Cybersecurity's parent company, BiScience (B.I Science (2009) Ltd), which Malwarebytes characterised as a data broker collecting browsing history & device identifiers from millions of users.<ref name="malwarebytes" /> Malwarebytes reported that as of the date of its post, ''"Urban Proxy VPN and Urban Cybersecurity's other apps appeared to have been removed from the Chrome Web Store."''<ref name="malwarebytes" />

===AITOPIA-impersonating extensions===

On December 30, 2025, OX Security researcher Moshe Siman Tov Bustan disclosed two extensions impersonating the legitimate AITOPIA extension with a combined 900,000 users. The two extensions, ''Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI'' & ''AI Sidebar with Deepseek, ChatGPT, Claude and more'', were ''"found exfiltrating user conversations and all Chrome tab URLs to a remote C2 server every 30 minutes."''<ref name="ox">{{Cite web |url=https://www.ox.security/blog/malicious-chrome-extensions-steal-chatgpt-conversations/ |title=Malicious Chrome Extensions Steal ChatGPT Conversations |last=Siman Tov Bustan |first=Moshe |work=OX Security |date=December 30, 2025 |access-date=May 29, 2026}}</ref> One of the two, the ChatGPT-named extension with more than 600,000 users, carried Google's Featured badge at the time of the disclosure.<ref name="ox" /> Ravie Lakshmanan of The Hacker News reported on January 6, 2026 that the extensions were still available for download as of writing but that the ChatGPT-named one ''"has since been stripped of its 'Featured' badge."''<ref name="hackernews" /> The Hacker News also reported that John Tuckner of Secure Annex had coined the term ''"Prompt Poaching"'' for the broader pattern of using browser extensions to capture AI conversations covertly, & had separately identified the SimilarWeb extension & SensorTower's StayFocusd as legitimate analytics-company extensions engaged in the same conduct.<ref name="hackernews" /> By January 7, 2026, SecurityWeek reported that both AITOPIA-impersonating extensions were no longer available in the Chrome Web Store.<ref name="securityweek">{{Cite web |url=https://www.securityweek.com/chrome-extensions-with-900000-downloads-caught-stealing-ai-chats/ |title=Chrome Extensions With 900,000 Downloads Caught Stealing AI Chats |last=Arghire |first=Ionut |work=SecurityWeek |date=January 7, 2026 |access-date=May 29, 2026}}</ref>

==Chrome Web Store response & policy gap==

Google introduced the Chrome Web Store Featured badge in April 2022, telling users that the badge marks extensions that ''"follow our technical best practices and meet a high standard of user experience and design"'' & that ''"Chrome team members manually evaluate each extension before it receives the badge."''<ref name="google-badge">{{Cite web |url=https://blog.google/products-and-platforms/products/chrome/find-great-extensions-new-chrome-web-store-badges/ |title=Find great extensions with new Chrome Web Store badges |work=The Keyword (Google) |date=April 20, 2022 |access-date=May 29, 2026}}</ref> Every extension in Arnott's May 2026 list carried Featured, Verified or both at the time of his post.<ref name="aibp-wall" /> Arnott's published conclusion was that badges in practice correlate with public attention rather than with audited compliance. In the section ''The Chrome Web Store badge problem'' he wrote:

<blockquote>''In our experience, Chrome only takes away badges when there's a public outcry. Which is why investigations like this matter.''</blockquote><ref name="aibp-wall" />

In the ''What can users do?'' section, he added:

<blockquote>''Don't treat "Featured" or "Verified" as a safety signal. Every extension on this list has at least one.''</blockquote><ref name="aibp-wall" />

Arnott also documented a direct contradiction between the privacy disclosures of the Stylish extension & its Chrome Web Store listing. The Stylish privacy policy, per his reading, explicitly states the publisher sells personal data; the Chrome Web Store listing's larger-font homepage text states that the publisher does not sell personal data; & the Chrome Web Store's approved-use-cases policy itself prohibits the sale of user data.<ref name="aibp-stylish" />

==Consumer impact & mitigation==

The data leaving the browser in these cases falls into three categories: the text of the user's AI chatbot conversations (the prompts the user typed & the chatbot's replies), the full URL of every page the user visits including search queries & any tokens embedded in URLs, & a persistent unique identifier that lets the receiving company link those records across sessions.<ref name="aibp-wall" /><ref name="aibp-stylish" /> Heaton's 2018 analysis of the same data category at SimilarWeb gave the worked examples that still apply: single-use password-reset links, time-limited authentication tokens for medical records & Google search-result URLs are all captured because they live inside the URL the extension sees.<ref name="heaton" /> Arnott extends the harm analysis to AI chat content, with the worked example of a user typing search terms about something covered by a non-disclosure agreement or a corporate spearphishing target list being built from a captured record of which web-based software a target uses.<ref name="aibp-stylish" />

For non-technical users, the practical mitigations documented in the cited sources are: audit installed extensions & remove anything not actively used, since the permissions persist after install; do not treat the Chrome Web Store ''"Featured"'' or ''"Verified"'' badges as safety signals;<ref name="aibp-wall" /> & for users of Stylish specifically, switch to the open-source fork Stylus, which caches styles locally on the user's machine & does not phone home.<ref name="aibp-stylish" /> For organisations, Tuckner's summary in The Hacker News is the operational frame: ''"It is clear prompt poaching has arrived to capture your most sensitive conversations and browser extensions are the exploit vector."''<ref name="hackernews" />

==See also==

*[[Chrome Web Store]]
*[[Data broker]]
*[[Right to repair]]
*[[Sensor Tower]]
*[[SimilarWeb]]
*[[Browser extension data harvesting]]

==References==

{{reflist}}

[[Category:Topics]]
[[Category:Browser extensions]]
[[Category:Data brokers]]
[[Category:Privacy]]
[[Category:Chrome Web Store]]