Steam Inventory Helper monitors your browsing activity

Martin Brinkmann
Sep 19, 2017

A recent update for the popular Google Chrome extension Steam Inventory Helper added a component that monitors the user's browsing activity.

Steam Inventory Helper is a popular Chrome extension for the gaming platform Steam that improves inventory management, trading, buying, and selling. It is particularly popular with CounterStrike Global Offensive players, but works with other Steam games that come with virtual items support as well.

Reddit user Wartab was the first to report the monitoring. A post on the official CounterStrike Global Offensive forum on Reddit highlights what Steam Inventory Helper does in the background.

Basically, what Steam Inventory Helper does is execute code on any page load, even on internal pages such as about:blank.


The code that the update introduced monitors the following:

  • The referrer (the site you came from).
  • The time the site was loaded and exited.
  • When the mouse is moved.
  • Input focus.
  • Key presses (but not what is typed).

It sends any link that you click on while the extension is active to a background script. This script monitors the HTTP requests that are made, and sends a summary of these requests to a server.

Bottom line is: they are monitoring what sites you visit and may be sending a lot of your online activity to their own server. I couldn't figure out when they do it, yet, but it seems to be for promotional stuff. More importantly, in the future, even if what they do now is legit, you will not be informed about any changes to their permissions, because it basically already has every permission it can get in that regard.

The browser extension for Chrome requested new permissions during the update, and this is how the change was spotted.

Steam Inventory Helper requests to "read and change all your data on the websites you visit". It is clear that this is not needed for the very specific task of managing Steam inventory.

Good news is that users need to accept the new permission before the extension is enabled after the update. If they don't, the extension is disabled and won't monitor the browsing activity.

The highly rated extension has already received a fair share of one-star ratings from users who noticed that it requested new permissions that are used to monitor users.

If you are using the extension, it is recommended that you uninstall it right away as you may not want your entire browsing history to be transferred to a third-party server.

Closing Words

This is not the first time that Google's automated scripts let malware or adware slip by, and it is one of the reasons why I prefer Mozilla's system that vets any extension update or new extension before it is published.

Tip: Verify Chrome extensions before you download them.
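
One way to act on that tip is to read an extension's manifest.json before trusting it. The following is an added example, not code from the article or from Steam Inventory Helper: it flags the manifest settings that correspond to the behaviour described above (injection on every page at document_start, into sub-frames and about:blank, plus request monitoring). The sample manifest, its file names and the finding ids are constructed for illustration.

```javascript
// Added example: flag over-broad page access in a Chrome extension manifest.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  const add = (id, detail) => findings.push({ id, detail });

  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => BROAD.has(m));
    if (broad.length === 0) continue; // scoped to named sites, nothing to flag
    const files = (cs.js || []).join(", ");
    add("CS_ALL_SITES", `${files} is injected on broad pattern ${broad.join(", ")}`);
    if (cs.run_at === "document_start")
      add("CS_DOCUMENT_START", `${files} runs before the page's own scripts`);
    if (cs.all_frames === true)
      add("CS_ALL_FRAMES", `${files} also runs in every sub-frame`);
    if (cs.match_about_blank === true)
      add("CS_ABOUT_BLANK", `${files} also runs in about:blank frames`);
  }

  // Manifest V2 lists host patterns under "permissions", V3 under "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const broadHosts = perms.filter((p) => BROAD.has(p));
  if (broadHosts.length > 0)
    add("HOST_ALL_SITES", `host access to ${broadHosts.join(", ")}`);
  if (broadHosts.length > 0 && perms.includes("webRequest"))
    add("WEBREQUEST_ALL_SITES", "background code can observe every HTTP request");
  return findings;
}

// Constructed sample manifest (not the real extension's file).
const sampleManifest = {
  manifest_version: 2,
  name: "Example Inventory Tool",
  permissions: ["storage", "webRequest", "<all_urls>"],
  background: { scripts: ["js/background.js"] },
  content_scripts: [
    { matches: ["*://steamcommunity.com/*"], js: ["js/inventory.js"] },
    { matches: ["<all_urls>"], js: ["js/frame.js"], run_at: "document_start",
      all_frames: true, match_about_blank: true },
  ],
};

for (const f of auditManifest(sampleManifest)) console.log(`${f.id}: ${f.detail}`);
```

To audit an installed extension, parse its manifest.json with JSON.parse and pass the result to auditManifest; an empty result means every content script and host permission is scoped to named sites.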


Comments

  1. R3tromanCZ said on October 21, 2017 at 12:07 pm
    Reply

    Proof?

  2. Zézé said on October 11, 2017 at 1:00 pm
    Reply

    Is there another extension possible?

  3. WINFAIRFAIL said on September 23, 2017 at 11:49 pm
    Reply

    Nah! I would prefer using winfairfail.com rather than this shitty chrome extension.

  4. sonya18.2 said on September 22, 2017 at 8:22 am
    Reply

    People keep talking about business end of all this. What is missing from the dialog is this is what happens when government outsources “breaking sworn oaths” you end up with private corps who will happily toss out the entire constitution and rule of law.

    After all if you get popped, the prosecution will just defend you. Any whistle blower complaints will be removed for lack of interest.

    Headed straight into constitutional crisis times.

  5. John said on September 21, 2017 at 5:53 pm
    Reply

    hmm, I had posted a line saying this article is linked from the steamrep site as a warning to the trading community. But I don’t see that post back.

  6. s said on September 20, 2017 at 6:49 pm
    Reply

    uninstalled thank you for warning

  7. ccccccccccccccccccccccccccc said on September 20, 2017 at 12:06 pm
    Reply

    Google ain’t going to do shit. They want to monitor people.

  8. silentreader said on September 20, 2017 at 6:19 am
    Reply

    Thank you for the warning. I’ve uninstalled right away.

  9. maxxxa said on September 20, 2017 at 5:05 am
    Reply

    Who used that shit ?! Who is that kids ?!

  10. CHEF-KOCH said on September 20, 2017 at 2:18 am
    Reply

    Uninstall this extension asap, someone else already wrote about it and I can confirm this:

    “From https://reddit.com/u/wartab I have just analyzed the current code of Steam Inventory Helper. Step by step what it does:
    On every single page you visit, SIH executes code at document_start (meaning as soon as the page is opened). It even executes on your about:blank page and in all sub-frames on the currently visited site! The code executed is js/common/frame.js
    manifest.json : https://pastebin.com/QUWJ2TG3
    js/common/frame.js (slightly unobfuscated: https://pastebin.com/4BLeJr5m)
    The code in this file does: Monitor when you are entering the site, where you are coming from on this site, when you are leaving the site, when you are clicking something, when you are moving your mouse (which they even failed to do properly), when you are having focus in an input, and you are pressing a key! It is not monitoring what you type. But when you click something, and it is a link, it will send the link URL to a background script.
    This background script is located in /js/common/connectivity.js (https://pastebin.com/RsUDkDNQ).
    What this script does is very nasty. First of all, it monitors EVERY SINGLE HTTP request you make. https://gyazo.com/174961cee2cf3cb9fdb4830efb669e63 It will then send to their own server a summary of this HTTP request if some condition is met (promoteButter?).
    From this point, everything is a bit messy in their code and I will have to check a bit deeper.
    Bottom line is: they are monitoring what sites you visit and may be sending a lot of your online activity to their own server. I couldn’t figure out when they do it, yet, but it seems to be for promotional stuff. More importantly, in the future, even if what they do now is legit, you will not be informed about any changes to their permissions, because it basically already has every permission it can get in that regard. Therefore I strongly suggest uninstalling and reporting this extension.
    TLDR: Uninstall ASAP.”

    State from leon, as writing this, it was the last comment on this addon. I also reported the extension now and I expect that Google remove it.

  11. Xibula said on September 19, 2017 at 6:57 pm
    Reply

    dumb people installing dumb extensions
    nothing to see here

    1. smosh2 said on September 19, 2017 at 11:57 pm
      Reply

      replace ‘dumb people’ with ‘chrome users’.

    2. Mike said on September 19, 2017 at 8:22 pm
      Reply

      I wouldn’t really blame the “dumb” users. It’s more like the “dumb” extension developers. Don’t blame the developer’s stupidity on the users.

      The developers were dumb to pull off such dumb shit like this.

      If this whole fiasco was known beforehand and some people still installed the extension regardless, then the users would be dumb.

      But it doesn’t seem to be like that in this case (correct me if I’m wrong) so calling the users dumb is wrong.

  12. michall said on September 19, 2017 at 2:46 pm
    Reply

    This will be reversed according to developer reaction:
    http://steamcommunity.com/groups/SteamInventoryHelper#announcements/detail/2694698722702419012

    Seems honest for me. Someone took liberty and made a decision that should be made more openly.

    1. pittypartypooper said on September 19, 2017 at 11:51 pm
      Reply

      >Seems honest for me.

      Nothing honest about being greedy.

      The letter seems insincere and their reasoning is vague and reeks of bullshit. I think a simple “We would have sold all the browsing habits and made a profit if it wasn’t for you meddling kids.” would have sufficed.

      1. Anonymous said on September 20, 2017 at 9:53 am
        Reply

        The content of the message in the person’s link above has completely changed. Previously it was saying what I said just above (Anonymous). This was a paragraph written in bold, about a third of the whole post that contained nothing else particular (the name of the tech being used, how they’ll never do it again etc)

        I am not sure they actually reverted the change now, the new message isn’t that clear about it. They appear butthurt by comments on the Reddit thread which brought their action to light.

        ” If I would say ‘we are safe’ again, you would laugh on it as it was earlier on reddit threads. What a sad story.”

        Yeah so are you ? Did you revert the change instead of moaning about the consequences of your actions ?

    2. Mikhoul said on September 19, 2017 at 10:56 pm
      Reply

      They Deleted the message saying you were going to reverse …. :P

      Such a Disaster….

      1. michall said on September 20, 2017 at 9:23 am
        Reply

        Well,

        that bad. I reverse my claims above then.

    3. Anonymous said on September 19, 2017 at 4:25 pm
      Reply

      I don’t read the same thing.

      I read that they tried, and only because SOMEONE NOTICED and ENOUGH PEOPLE TAKE ACTION do they post something like :

      ” We have understood the possible risks of losing you, guys, and we are not going to force that anymore. We are taking down the current version and uploading the version without this script and permissions to the store in the following 2 or 3 hours. “

  13. Mystique said on September 19, 2017 at 12:57 pm
    Reply

    I vaguely remember a steam addon (possibly the same one) that was on Mozilla which went to hell and basically decided it would be chrome only… hmm I wonder why…

    It’s garbage like this that will most likely be the future for mozilla if they aren’t careful.

    1. Anonymous said on September 19, 2017 at 4:22 pm
      Reply

      Only if they ever stop manual reviews, which isn’t planned as far as I know.

  14. LOL said on September 19, 2017 at 11:13 am
    Reply

    LOL

  15. Anonymous said on September 19, 2017 at 9:56 am
    Reply

    Nice they even steal our behavioural fingerprint. If they register key presses but not key codes (what we type), then they are timing the way we write, which is unique or almost unique to each of us.

    Good dudes, very friendly, definitely not a hostile move.

    Also quoted from the Reddit report thread:

    “I also confirmed myself with a local proxy, UNINSTALL ASAP. The URL of every single page you visit is sent back to the people who bought SIH. Every. Single. Page. Steam related or not. Keep it on and they’ll know all your fetishes and porn watching habits. And I mean it very literally. (also a big risk as some websites still put sensitive data in those URLs)”
