Browser extension AI chat exfiltration: Difference between revisions

(4 intermediate revisions by 3 users not shown)

Line 21:

!Extension!!Users!!Owner!!Status!!Obfuscation

|-

|Stylish||2,000,000||SimilarWeb||Confirmed||Extensive (five-stage chain)

|[https://chromewebstore.google.com/detail/stylish-custom-themes-for/fjnbnpbmkenffdnngjfgmeleoegfcffe Stylish]||2,000,000||SimilarWeb||Confirmed||Extensive (five-stage chain)

|-

|Poper Blocker||2,000,000||Big Star Labs LP||Confirmed||Character mapping

|[https://chromewebstore.google.com/detail/pop-up-blocker-for-chrome/bkkbcggnhapdmkeljlodobbkopceiche Poper Blocker]||2,000,000||Big Star Labs LP||Confirmed||Character mapping

|-

|SimilarWeb||1,000,000||SimilarWeb||Confirmed||None

|[https://chromewebstore.google.com/detail/similarweb-website-traffi/hoklmmgfnpapgjgcpechhaamimifchmp SimilarWeb]||1,000,000||SimilarWeb||Confirmed||None

|-

|StayFocusd||700,000||SensorTower||Capability||LZ-String

|[https://chromewebstore.google.com/detail/stayfocusd-%E2%80%93-website-bloc/laankejkbhbdhmipfmgcngdelahlfoji StayFocusd]||700,000||SensorTower||Capability||LZ-String

|-

|CrxMouse||700,000||Big Star Labs LP||Capability||Base64

|[https://chromewebstore.google.com/detail/crxmouse-mouse-gestures/jlgkpaicikihijadgifklkbpdajbkhjo CrxMouse]||700,000||Big Star Labs LP||Capability||Base64

|-

|WhatRuns||400,000||Owned it Ltd||Confirmed||None

|[https://chromewebstore.google.com/detail/whatruns/cmkdbmfndkfgebldhnkbfhlneefdaaip WhatRuns]||400,000||Owned it Ltd||Confirmed||None

|-

|StayFree||200,000||SensorTower||Capability||LZ-String

|[https://chromewebstore.google.com/detail/stayfree-website-blocker/elfaihghhjjoknimpccccmkioofjjfkf StayFree]||200,000||SensorTower||Capability||LZ-String

|}

Line 81:

===SimilarWeb===

SimilarWeb is the publisher of both the Stylish extension & an extension named after the company itself. Arnott documented both as Confirmed AI-chat exfiltrators, with the SimilarWeb-branded extension sending AI chats & full URLs even when the user is not interacting with it.<ref name="aibp-wall" /> Stylish has carried SimilarWeb's name as publisher since the company acquired the extension in January 2017; Robert Heaton documented in July 2018 that the post-acquisition version recorded every URL Stylish's two million users visited & sent those URLs to SimilarWeb's servers with a unique identifier.<ref name="heaton">{{Cite web |url=https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/ |title='Stylish' browser extension steals all your internet history |last=Heaton |first=Robert |date=July 2, 2018 |access-date=May 29, 2026}}</ref> Arnott separately observed a contradiction between the Stylish privacy policy, which he says explicitly states the company sells personal data, & the Chrome Web Store listing's larger-font claim on the home page that it does not.<ref name="aibp-stylish" /> As of May 2026 the Stylish Chrome Web Store listing names ''"Similarweb LTD"'' as the publisher, reports two million users & shows the Featured badge.<ref name="cws-stylish">{{Cite web |url=https://chromewebstore.google.com/detail/stylish-custom-themes-for/fjnbnpbmkenffdnngjfgmeleoegfcffe |title=Stylish - Custom themes for any website |work=Chrome Web Store |access-date=May 29, 2026}}</ref>

SimilarWeb is the publisher of both the Stylish extension & an extension named after the company itself. Arnott documented both as Confirmed AI-chat exfiltrators, with the SimilarWeb-branded extension sending AI chats & full URLs even when the user is not interacting with it.<ref name="aibp-wall" /> Stylish has carried SimilarWeb's name as publisher since the company acquired the extension in January 2017; Robert Heaton documented in July 2018 that the post-acquisition version recorded every URL Stylish's two million users visited & sent those URLs to SimilarWeb's servers with a unique identifier.<ref name="heaton">{{Cite web |url=https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/ |title='Stylish' browser extension steals all your internet history |last=Heaton |first=Robert |date=July 2, 2018 |access-date=May 29, 2026}}</ref> Arnott separately observed a contradiction between the Stylish privacy policy, which he says explicitly states the company sells personal data, & the Chrome Web Store listing's larger-font claim on the home page that it does not.<ref name="aibp-stylish" /> As of May 2026 the Stylish Chrome Web Store listing names ''"Similarweb LTD"'' as the publisher, reports two million users & shows the Featured badge.<ref name="cws-stylish">{{Cite web |url=https://chromewebstore.google.com/detail/stylish-custom-themes-for/fjnbnpbmkenffdnngjfgmeleoegfcffe |title=Stylish - Custom themes for any website |work=Chrome Web Store |access-date=May 29, 2026}}</ref> It should be noted that SimilarWeb offers on their website Data-as-a-Service, allowing businesses to "Harness billions of data points from across the digital landscape to fuel business growth with Similarweb's Data-as-a-Service." <ref>{{Cite web |title=SimilarWeb Data-as-a-Service Solutions |url=https://www.similarweb.com/corp/daas/}}</ref>

===Sensor Tower===

Line 121:

Arnott also documented a direct contradiction between the privacy disclosures of the Stylish extension & its Chrome Web Store listing. The Stylish privacy policy, per his reading, explicitly states the publisher sells personal data; the Chrome Web Store listing's larger-font homepage text states that the publisher does not sell personal data; & the Chrome Web Store's approved-use-cases policy itself prohibits the sale of user data.<ref name="aibp-stylish" />

File:Stylish_privacy_policy_categories_sold.png|Stylish (userstyles.org) privacy policy, section headed ''CATEGORIES OF PERSONAL INFORMATION THAT WE COLLECT, DISCLOSE, AND SELL'', with the categories itemised in the table below. Verify at the source:<ref name="stylish-pp">{{Cite web |url=~~https://web.archive.org/web/20260216111355/~~https://userstyles.org/privacy-policy |title=Privacy Policy |work=userstyles.org (Similarweb Ltd) |date=February 16, 2026 |access-date=May 31, 2026 |archive-url=https://web.archive.org/web/20260216111355/https://userstyles.org/privacy-policy |archive-date=~~February~~ 16~~, 2026~~}}</ref>

File:Stylish_privacy_policy_categories_sold.png|Stylish (userstyles.org) privacy policy, section headed ''CATEGORIES OF PERSONAL INFORMATION THAT WE COLLECT, DISCLOSE, AND SELL'', with the categories itemised in the table below. Verify at the source:<ref name="stylish-pp">{{Cite web |url=https://userstyles.org/privacy-policy |title=Privacy Policy |work=userstyles.org (Similarweb Ltd) |date=February 16, 2026 |access-date=May 31, 2026 |archive-url=https://web.archive.org/web/20260216111355/https://userstyles.org/privacy-policy |archive-date=2026-02-16}}</ref>

File:Stylish_chrome_web_store_data_not_sold.png|Stylish Chrome Web Store listing, larger-font block headed ''This developer declares that your data is'', first bullet ''Not being sold to third parties, outside of the approved use cases''. Verify at the source:<ref name="cws-stylish-privacy">{{Cite web |url=https://chromewebstore.google.com/detail/stylish-custom-themes-for/fjnbnpbmkenffdnngjfgmeleoegfcffe |title=Stylish - Custom themes for any website (privacy disclosure block) |work=Chrome Web Store |access-date=May 31, 2026}}</ref>

</gallery>

@@ Line 21: / Line 21: @@
 !Extension!!Users!!Owner!!Status!!Obfuscation
 |-
-|Stylish||2,000,000||SimilarWeb||Confirmed||Extensive (five-stage chain)
+|[https://chromewebstore.google.com/detail/stylish-custom-themes-for/fjnbnpbmkenffdnngjfgmeleoegfcffe Stylish]||2,000,000||SimilarWeb||Confirmed||Extensive (five-stage chain)
 |-
-|Poper Blocker||2,000,000||Big Star Labs LP||Confirmed||Character mapping
+|[https://chromewebstore.google.com/detail/pop-up-blocker-for-chrome/bkkbcggnhapdmkeljlodobbkopceiche Poper Blocker]||2,000,000||Big Star Labs LP||Confirmed||Character mapping
 |-
-|SimilarWeb||1,000,000||SimilarWeb||Confirmed||None
+|[https://chromewebstore.google.com/detail/similarweb-website-traffi/hoklmmgfnpapgjgcpechhaamimifchmp SimilarWeb]||1,000,000||SimilarWeb||Confirmed||None
 |-
-|StayFocusd||700,000||SensorTower||Capability||LZ-String
+|[https://chromewebstore.google.com/detail/stayfocusd-%E2%80%93-website-bloc/laankejkbhbdhmipfmgcngdelahlfoji StayFocusd]||700,000||SensorTower||Capability||LZ-String
 |-
-|CrxMouse||700,000||Big Star Labs LP||Capability||Base64
+|[https://chromewebstore.google.com/detail/crxmouse-mouse-gestures/jlgkpaicikihijadgifklkbpdajbkhjo CrxMouse]||700,000||Big Star Labs LP||Capability||Base64
 |-
-|WhatRuns||400,000||Owned it Ltd||Confirmed||None
+|[https://chromewebstore.google.com/detail/whatruns/cmkdbmfndkfgebldhnkbfhlneefdaaip WhatRuns]||400,000||Owned it Ltd||Confirmed||None
 |-
-|StayFree||200,000||SensorTower||Capability||LZ-String
+|[https://chromewebstore.google.com/detail/stayfree-website-blocker/elfaihghhjjoknimpccccmkioofjjfkf StayFree]||200,000||SensorTower||Capability||LZ-String
 |}
@@ Line 81: / Line 81: @@
 ===SimilarWeb===
-SimilarWeb is the publisher of both the Stylish extension & an extension named after the company itself. Arnott documented both as Confirmed AI-chat exfiltrators, with the SimilarWeb-branded extension sending AI chats & full URLs even when the user is not interacting with it.<ref name="aibp-wall" /> Stylish has carried SimilarWeb's name as publisher since the company acquired the extension in January 2017; Robert Heaton documented in July 2018 that the post-acquisition version recorded every URL Stylish's two million users visited & sent those URLs to SimilarWeb's servers with a unique identifier.<ref name="heaton">{{Cite web |url=https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/ |title='Stylish' browser extension steals all your internet history |last=Heaton |first=Robert |date=July 2, 2018 |access-date=May 29, 2026}}</ref> Arnott separately observed a contradiction between the Stylish privacy policy, which he says explicitly states the company sells personal data, & the Chrome Web Store listing's larger-font claim on the home page that it does not.<ref name="aibp-stylish" /> As of May 2026 the Stylish Chrome Web Store listing names ''"Similarweb LTD"'' as the publisher, reports two million users & shows the Featured badge.<ref name="cws-stylish">{{Cite web |url=https://chromewebstore.google.com/detail/stylish-custom-themes-for/fjnbnpbmkenffdnngjfgmeleoegfcffe |title=Stylish - Custom themes for any website |work=Chrome Web Store |access-date=May 29, 2026}}</ref>
+SimilarWeb is the publisher of both the Stylish extension & an extension named after the company itself. Arnott documented both as Confirmed AI-chat exfiltrators, with the SimilarWeb-branded extension sending AI chats & full URLs even when the user is not interacting with it.<ref name="aibp-wall" /> Stylish has carried SimilarWeb's name as publisher since the company acquired the extension in January 2017; Robert Heaton documented in July 2018 that the post-acquisition version recorded every URL Stylish's two million users visited & sent those URLs to SimilarWeb's servers with a unique identifier.<ref name="heaton">{{Cite web |url=https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/ |title='Stylish' browser extension steals all your internet history |last=Heaton |first=Robert |date=July 2, 2018 |access-date=May 29, 2026}}</ref> Arnott separately observed a contradiction between the Stylish privacy policy, which he says explicitly states the company sells personal data, & the Chrome Web Store listing's larger-font claim on the home page that it does not.<ref name="aibp-stylish" /> As of May 2026 the Stylish Chrome Web Store listing names ''"Similarweb LTD"'' as the publisher, reports two million users & shows the Featured badge.<ref name="cws-stylish">{{Cite web |url=https://chromewebstore.google.com/detail/stylish-custom-themes-for/fjnbnpbmkenffdnngjfgmeleoegfcffe |title=Stylish - Custom themes for any website |work=Chrome Web Store |access-date=May 29, 2026}}</ref> It should be noted that SimilarWeb offers on their website Data-as-a-Service, allowing businesses to "Harness billions of data points from across the digital landscape to fuel business growth with Similarweb's Data-as-a-Service." <ref>{{Cite web |title=SimilarWeb Data-as-a-Service Solutions |url=https://www.similarweb.com/corp/daas/}}</ref>
 ===Sensor Tower===
@@ Line 121: / Line 121: @@
 Arnott also documented a direct contradiction between the privacy disclosures of the Stylish extension & its Chrome Web Store listing. The Stylish privacy policy, per his reading, explicitly states the publisher sells personal data; the Chrome Web Store listing's larger-font homepage text states that the publisher does not sell personal data; & the Chrome Web Store's approved-use-cases policy itself prohibits the sale of user data.<ref name="aibp-stylish" />
 <gallery mode="packed" heights="280px" caption="Contradiction between the Stylish privacy policy and the Stylish Chrome Web Store listing.">
-File:Stylish_privacy_policy_categories_sold.png|Stylish (userstyles.org) privacy policy, section headed ''CATEGORIES OF PERSONAL INFORMATION THAT WE COLLECT, DISCLOSE, AND SELL'', with the categories itemised in the table below. Verify at the source:<ref name="stylish-pp">{{Cite web |url=https://web.archive.org/web/20260216111355/https://userstyles.org/privacy-policy |title=Privacy Policy |work=userstyles.org (Similarweb Ltd) |date=February 16, 2026 |access-date=May 31, 2026 |archive-url=https://web.archive.org/web/20260216111355/https://userstyles.org/privacy-policy |archive-date=February 16, 2026}}</ref>
+File:Stylish_privacy_policy_categories_sold.png|Stylish (userstyles.org) privacy policy, section headed ''CATEGORIES OF PERSONAL INFORMATION THAT WE COLLECT, DISCLOSE, AND SELL'', with the categories itemised in the table below. Verify at the source:<ref name="stylish-pp">{{Cite web |url=https://userstyles.org/privacy-policy |title=Privacy Policy |work=userstyles.org (Similarweb Ltd) |date=February 16, 2026 |access-date=May 31, 2026 |archive-url=https://web.archive.org/web/20260216111355/https://userstyles.org/privacy-policy |archive-date=2026-02-16}}</ref>
 File:Stylish_chrome_web_store_data_not_sold.png|Stylish Chrome Web Store listing, larger-font block headed ''This developer declares that your data is'', first bullet ''Not being sold to third parties, outside of the approved use cases''. Verify at the source:<ref name="cws-stylish-privacy">{{Cite web |url=https://chromewebstore.google.com/detail/stylish-custom-themes-for/fjnbnpbmkenffdnngjfgmeleoegfcffe |title=Stylish - Custom themes for any website (privacy disclosure block) |work=Chrome Web Store |access-date=May 31, 2026}}</ref>
 </gallery>