Steam Inventory Helper monitors your browsing activity

A recent update to the popular Google Chrome extension Steam Inventory Helper added a component that monitors users' browsing activity.

Steam Inventory Helper is a popular Chrome extension for the gaming platform Steam that improves inventory management, trading, buying, and selling. It is particularly popular with Counter-Strike: Global Offensive players, but works with other Steam games that support virtual items as well.

Reddit user Wartab was the first to report the monitoring. A post on the official Counter-Strike: Global Offensive forum on Reddit highlights what Steam Inventory Helper does in the background.

Steam Inventory Helper executes code on any page load, even on internal pages such as about:blank.


The code that the update introduced monitors the following:

  • The referrer (the site you came from).
  • The time the site was loaded and exited.
  • When the mouse is moved.
  • Input focus.
  • Key presses (but not what is typed).

It sends any link that you click on while the extension is active to a background script. This script monitors the HTTP requests that are made, and sends a summary of these requests to a server.

Bottom line is: they are monitoring what sites you visit and may be sending a lot of your online activity to their own server. I couldn't figure out when they do it, yet, but it seems to be for promotional stuff. More importantly, in the future, even if what they do now is legit, you will not be informed about any changes to their permissions, because it basically already has every permission it can get in that regard.

The browser extension for Chrome requested new permissions during the update, and this is how the change was spotted.


Steam Inventory Helper requests to "read and change all your data on the websites you visit". It is clear that this is not needed for the very specific task of managing Steam inventory.
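A manifest check for the traits described above, as an added example that is not part of the original article or the extension's own code: it flags broad host access, webRequest, and content scripts that run on every site at document_start, in all frames and on about:blank. The sample manifest, with its extension and file names, is constructed for illustration.

```javascript
// Added example: flag the manifest.json traits this article describes.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 keeps host patterns in "permissions"; V3 uses "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const broadHosts = perms.filter((p) => BROAD.has(p));
  if (broadHosts.length > 0) {
    findings.push({ id: "broad-host-access", detail: broadHosts.join(", ") });
    // With broad host access, webRequest lets a background script see every request.
    if (perms.includes("webRequest")) {
      findings.push({ id: "observes-all-requests", detail: "webRequest" });
    }
  }
  for (const cs of manifest.content_scripts || []) {
    // Only content scripts injected into every site are of interest here.
    if (!(cs.matches || []).some((m) => BROAD.has(m))) continue;
    const files = (cs.js || []).join(", ");
    findings.push({ id: "content-script-everywhere", detail: files });
    if (cs.run_at === "document_start") findings.push({ id: "runs-at-document-start", detail: files });
    if (cs.all_frames === true) findings.push({ id: "runs-in-all-frames", detail: files });
    if (cs.match_about_blank === true) findings.push({ id: "runs-on-about-blank", detail: files });
  }
  return findings;
}

// Constructed sample manifest (hypothetical extension and file names): a tool
// that only needs steamcommunity.com but asks for access to every site.
const sampleManifest = {
  manifest_version: 2,
  name: "Example Inventory Tool",
  permissions: ["storage", "webRequest", "<all_urls>"],
  content_scripts: [
    { matches: ["*://steamcommunity.com/*"], js: ["js/inventory.js"] },
    { matches: ["<all_urls>"], js: ["js/tracker.js"], run_at: "document_start",
      all_frames: true, match_about_blank: true },
  ],
};

for (const f of auditManifest(sampleManifest)) console.log(f.id + ": " + f.detail);
```

Run it with Node.js against the manifest.json of an unpacked extension by replacing sampleManifest with the parsed file.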

The good news is that users need to accept the new permission before the extension is enabled after the update. If they don't, the extension is disabled and won't monitor the browsing activity.

The highly rated extension has already received a fair share of one-star ratings from users who noticed that it requested new permissions that are used to monitor users.

If you are using the extension, it is recommended that you uninstall it right away as you may not want your entire browsing history to be transferred to a third-party server.

Closing Words

This is not the first time that Google's automated scripts have let malware or adware slip by, and it is one of the reasons why I prefer Mozilla's system, which vets any extension update or new extension before it is published.

Tip: Verify Chrome extensions before you download them.



Responses to Steam Inventory Helper monitors your browsing activity

  1. Anonymous September 19, 2017 at 9:56 am #

    Nice they even steal our behavioural fingerprint. If they register key presses but not key codes (what we type), then they are timing the way we write, which is unique or almost unique to each of us.

    Good dudes, very friendly, definitely not a hostile move.

    Also quoted from the Reddit report thread:

    "I also confirmed myself with a local proxy, UNINSTALL ASAP. The URL of every single page you visit is sent back to the people who bought SIH. Every. Single. Page. Steam related or not. Keep it on and they'll know all your fetishes and porn watching habits. And I mean it very literally. (also a big risk as some websites still put sensitive data in those URLs)"

  2. LOL September 19, 2017 at 11:13 am #

    LOL

  3. Mystique September 19, 2017 at 12:57 pm #

    I vaguely remember a steam addon (possibly the same one) that was on Mozilla which went to hell and basically decided it would be chrome only... hmm I wonder why...

    It's garbage like this that will most likely be the future for mozilla if they aren't careful.

    • Anonymous September 19, 2017 at 4:22 pm #

      Only if they ever stop manual reviews, which isn't planned as far as I know.

  4. michall September 19, 2017 at 2:46 pm #

    This will be reversed according to developer reaction:
    http://steamcommunity.com/groups/SteamInventoryHelper#announcements/detail/2694698722702419012

    Seems honest for me. Someone took liberty and made a decision that should be made more openly.

    • Anonymous September 19, 2017 at 4:25 pm #

      I don't read the same thing.

      I read that they tried, and only because SOMEONE NOTICED and ENOUGH PEOPLE TAKE ACTION do they post something like :

      " We have understood the possible risks of losing you, guys, and we are not going to force that anymore. We are taking down the current version and uploading the version without this script and permissions to the store in the following 2 or 3 hours. "

    • Mikhoul September 19, 2017 at 10:56 pm #

      They Deleted the message saying you were going to reverse .... :P

      Such a Disaster....

      • michall September 20, 2017 at 9:23 am #

        Well,

        that bad. I reverse my claims above then.

    • pittypartypooper September 19, 2017 at 11:51 pm #

      >Seems honest for me.

      Nothing honest about being greedy.

      The letter seems insincere and their reasoning is vague and reeks of bullshit. I think a simple "We would have sold all the browsing habits and made a profit if it wasn't for you meddling kids." would have sufficed.

      • Anonymous September 20, 2017 at 9:53 am #

        The content of the message in the person's link above has completely changed. Previously it was saying what I said just above (Anonymous). This was a paragraph written in bold, about a third of the whole post that contained nothing else particular (the name of the tech being used, how they'll never do it again etc)

        I am not sure they actually reverted the change now, the new message isn't that clear about it. They appear butthurt by comments on the Reddit thread which brought their action to light.

        " If I would say 'we are safe' again, you would laugh on it as it was earlier on reddit threads. What a sad story."

        Yeah so are you ? Did you revert the change instead of moaning about the consequences of your actions ?

  5. Xibula September 19, 2017 at 6:57 pm #

    dumb people installing dumb extensions
    nothing to see here

    • Mike September 19, 2017 at 8:22 pm #

      I wouldn't really blame the "dumb" users. It's more like the "dumb" extension developers. Don't blame the developer's stupidity on the users.

      The developers were dumb to pull off such dumb shit like this.

      If this whole fiasco was known beforehand and some people still installed the extension regardless, then the users would be dumb.

      But it doesn't seem to be like that in this case (correct me if I'm wrong) so calling the users dumb is wrong.

    • smosh2 September 19, 2017 at 11:57 pm #

      replace 'dumb people' with 'chrome users'.

  6. CHEF-KOCH September 20, 2017 at 2:18 am #

    Uninstall this extension asap, someone else already wrote about it and I can confirm this:

    "From https://reddit.com/u/wartab I have just analyzed the current code of Steam Inventory Helper. Step by step what it does:
    On every single page you visit, SIH executes code at document_start (meaning as soon as the page is opened). It even executes on your about:blank page and in all sub-frames on the currently visited site! The code executed is js/common/frame.js
    manifest.json : https://pastebin.com/QUWJ2TG3
    js/common/frame.js (slightly unobfuscated: https://pastebin.com/4BLeJr5m )
    The code in this file does: Monitor when you are entering the site, where you are coming from on this site, when you are leaving the site, when you are clicking something, when you are moving your mouse (which they even failed to do properly), when you are having focus in an input, and you are pressing a key! It is not monitoring what you type. But when you click something, and it is a link, it will send the link URL to a background script.
    This background script is located in /js/common/connectivity.js (https://pastebin.com/RsUDkDNQ).
    What this script does is very nasty. First of all, it monitors EVERY SINGLE HTTP request you make. https://gyazo.com/174961cee2cf3cb9fdb4830efb669e63 It will then send to their own server a summary of this HTTP request if some condition is met (promoteButter?).
    From this point, everything is a bit messy in their code and I will have to check a bit deeper.
    Bottom line is: they are monitoring what sites you visit and may be sending a lot of your online activity to their own server. I couldn't figure out when they do it, yet, but it seems to be for promotional stuff. More importantly, in the future, even if what they do now is legit, you will not be informed about any changes to their permissions, because it basically already has every permission it can get in that regard. Therefore I strongly suggest uninstalling and reporting this extension.
    TLDR: Uninstall ASAP."

    State from leon, as writing this, it was the last comment on this addon. I also reported the extension now and I expect that Google remove it.

  7. maxxxa September 20, 2017 at 5:05 am #

    Who used that shit ?! Who is that kids ?!

  8. silentreader September 20, 2017 at 6:19 am #

    Thank you for the warning. I've uninstalled right away.

  9. ccccccccccccccccccccccccccc September 20, 2017 at 12:06 pm #

    Google ain't going to do shit. They want to monitor people.

  10. s September 20, 2017 at 6:49 pm #

    uninstalled thank you for warning

  11. John September 21, 2017 at 5:53 pm #

    hmm, I had posted a line saying this article is linked from the steamrep site as a warning to the trading community. But I don't see that post back.

  12. sonya18.2 September 22, 2017 at 8:22 am #

    People keep talking about business end of all this. What is missing from the dialog is this is what happens when government outsources "breaking sworn oaths" you end up with private corps who will happily toss out the entire constitution and rule of law.

    After all if you get popped, the prosecution will just defend you. Any whistle blower complaints will be removed for lack of interest.

    Headed straight into constitutional crisis times.

  13. WINFAIRFAIL September 23, 2017 at 11:49 pm #

    Nah! I would prefer using winfairfail.com rather than this shitty chrome extension.

  14. Zézé October 11, 2017 at 1:00 pm #

    Is there another extension possible?

  15. R3tromanCZ October 21, 2017 at 12:07 pm #

    Proof?
