Stylish Browser Extension Steals Your Information

STYLISH BROWSER EXTENSION STEALS YOUR HISTORY

newsroomedia.ooo

The Stylish browser extension is used to change the look of websites. It lets you restyle a site with a light or dark theme, or even add manga images. But it has now emerged that this useful tool has a darker side.

Robert Heaton's blog reports that the Stylish browser extension has been logging the Internet activity of 2 million users. The extension sends browsing activity, tagged with a unique user ID, to the company's server. That ID can be linked to a login cookie that distinguishes one user from another, so an individual user's browsing history can be mined. If a user creates an account on userstyles.org, the unique identifier together with the cookie can tie that user's device to multiple browsing sessions. The extension began collecting this data in January 2017, when it was sold to a similar company called.

At the time, the company's privacy policy stated that it collected only non-personal information, but that is not what the browser extension does. The company may not have bad intentions, but it is still a problem if it lacks access controls strong enough to prevent the data collected from unwitting users from being stolen.

Some of the URLs users visit contain password reset tokens. That is a problem because if the user has not yet used the token, or the token never expires, the leaked URL becomes a serious security vulnerability.

When Robert routed the extension's traffic through Burp Suite, he saw a large number of requests to api.userstyles.org whose URLs were Base64-encoded, which can be easily decoded with a single decoder. Decoding the Base64 revealed another Base64 string: the query string had been encoded a second time. After decoding that as well, he found a great deal of session and browsing data being sent to the company's server.
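As an added illustration (not code from the article or from Robert Heaton's post), the following Python models the double Base64 layering described above and peels it from the query parameters of an outbound request, flagging any leaked browsing URLs that carry a reset-token-like parameter of their own. The host api.userstyles.org is from the article; the parameter names, the sample payload and the list of secret-looking parameter names are assumptions.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Query-parameter names that suggest a secret is riding inside a URL (assumed list).
SECRET_PARAMS = re.compile(r"token|reset|auth|session|key", re.IGNORECASE)

def try_b64(value: str):
    """Decode one standard-Base64 layer to printable text, or return None."""
    if len(value) < 8:
        return None  # too short to be an interesting payload
    try:
        text = base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("utf-8")
    except ValueError:  # bad alphabet, bad padding or not UTF-8
        return None
    return text if text.isprintable() else None

def peel(value: str, max_layers: int = 4):
    """Strip nested Base64 layers; returns (innermost text, number of layers removed)."""
    layers = 0
    while layers < max_layers and (decoded := try_b64(value)) is not None:
        value, layers = decoded, layers + 1
    return value, layers

def analyze_request(request_url: str) -> dict:
    """Peel each query parameter of an outbound request; report browsing URLs it
    carries and which of those have a secret-looking parameter in their own query."""
    outer = urlparse(request_url)
    report = {"host": outer.netloc, "leaked_urls": [], "secrets": []}
    for raw in (v for values in parse_qs(outer.query).values() for v in values):
        text, layers = peel(raw)
        if layers == 0:
            continue
        # The article says the decoded payload is itself a query string.
        for candidate in (v for values in parse_qs(text).values() for v in values):
            inner = urlparse(candidate)
            if inner.scheme not in ("http", "https"):
                continue
            report["leaked_urls"].append(candidate)
            report["secrets"] += [(candidate, p) for p in parse_qs(inner.query) if SECRET_PARAMS.search(p)]
    return report

def build_sample(visited_url: str) -> str:
    """Constructed stand-in for the beacon: an inner query string Base64-encoded twice."""
    inner = urlencode({"url": visited_url, "uid": "DEMO-UID-0001"})  # assumed field names
    twice = base64.b64encode(base64.b64encode(inner.encode())).decode()
    return "https://api.userstyles.org/?" + urlencode({"d": twice})
```

Running `analyze_request(build_sample("https://example.com/reset?token=abc123"))` peels two layers and reports the visited URL together with its `token` parameter as a leaked secret.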