Firefox and Chrome have removed a browser extension from their stores following revelations it was phoning home with users' web-surfing histories.

The "Stylish" plug-in gained popularity because it let users configure sites' appearance, rather than accepting the designers' decisions.

However – stop us if you've heard this one before – the code changed hands last year and the new owners expanded its data slurping activities.

Software engineer Robert Heaton decided to take a look at what was being sent to Stylish's owners, analytics company SimilarWeb, and was horrified.

As Heaton blogged, “HTTP requests that send a large blob of obfuscated data to a URL ending in /stats are almost never good news for users.”

While the SimilarWeb privacy policy for Stylish says it only collects anonymous data, Heaton found it was attaching an identifier to the data returned to the company.

“I looked closer at the decoded payload and noted a unique tracking identifier”, he wrote, adding “it only takes one tracking request containing one session cookie to permanently associate a user account with a Stylish tracking identifier. This means that Stylish and SimilarWeb still have all the data they need to connect a real-world identity to a browsing history, should they or a hacker choose to.”

Mozilla's add-on assessors decided Stylish, as it now stands, is out of line and made the extension unavailable to Firefox users (although it requires manual removal for current users).

A post from Andreas Wagner was blunt about the reason: “We decided to block because of violation of data practises outlined in the review policy.”

Still popular after it's gone

As you can see above, Stylish was popular enough to be a front-page search result for “Chrome extensions”, but it's now gone from the Google extensions store.

The Register asked SimilarWeb for comment. ®

PS: There is an open-source fork of Stylish sans analytics and tracking – Stylus.