A recent update for the popular Google Chrome extension Steam Inventory Helper added a monitoring component to the extension that monitors the browsing activity.
Steam Inventory Helper is a popular Chrome extension for the gaming platform Steam that improves inventory management, trading, buying, and selling. It is particularly popular with CounterStrike Global Offensive players, but works with other Steam games that come with virtual items support as well.
Reddit user Wartab was the first to report the monitoring. A post on the official CounterStrike Global Offensive forum on Reddit highlights what Steam Inventory Helper does in the background.
Basically, what Steam Inventory Helper does is execute code on any page load, even on internal pages such as about:blank.
The code that the update introduced monitors the following:
It sends any link that you click on while the extension is active to a background script. This script monitors HTTP requests that are made, and send a summary of these requests to a server.
Bottom line is: they are monitoring what sites you visit and may be sending a lot of your online activity to their own server. I couldn't figure out when they do it, yet, but it seems to be for promotional stuff. More importantly, in the future, even if what they do now is legit, you will not be informed about any changes to their permissions, because it basically already has every permission it can get in that regard.
The browser extension for Chrome requested new permissions during the update, and this is how the change was spotted.
Steam Inventory Helper requests to "read and change all your data on the websites you visit". It is clear that this is not needed for the very specific task of managing Steam inventory.
Good news is that users need to accept the new permission before the extension is enabled after the update. If they don't, the extension is disabled and won't monitor the browsing activity.
The highly rated extension received a fair share of one star ratings already by users who noticed that it requested new permissions that are used to monitor users.
If you are using the extension, it is recommended that you uninstall it right away as you may not want your entire browsing history to be transferred to a third-party server.
This is not the first time that Google's automated scripts let malware or adware slip by, and one of the reasons why I prefer Mozilla's system that vets any extension update or new extension before it is published.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.