Steam Inventory Helper monitors your browsing activity
A recent update to the popular Google Chrome extension Steam Inventory Helper added a component that monitors the user's browsing activity.
Steam Inventory Helper is a popular Chrome extension for the gaming platform Steam that improves inventory management, trading, buying, and selling. It is particularly popular with CounterStrike Global Offensive players, but it also works with other Steam games that support virtual items.
Reddit user Wartab was the first to report the monitoring. A post on the official CounterStrike Global Offensive forum on Reddit highlights what Steam Inventory Helper does in the background.
Basically, what Steam Inventory Helper does is execute code on any page load, even on internal pages such as about:blank.
The code that the update introduced monitors the following:
- The referrer (the site you came from).
- The time the site was loaded and exited.
- When the mouse is moved.
- Input focus.
- Key presses (but not what is typed).
It sends any link that you click on while the extension is active to a background script. This script monitors the HTTP requests that are made and sends a summary of these requests to a server.
Bottom line is: they are monitoring what sites you visit and may be sending a lot of your online activity to their own server. I couldn't figure out when they do it, yet, but it seems to be for promotional stuff. More importantly, in the future, even if what they do now is legit, you will not be informed about any changes to their permissions, because it basically already has every permission it can get in that regard.
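The behaviour described above maps onto a handful of manifest settings: a host permission covering every site (the "read and change all your data on the websites you visit" prompt), the webRequest permission that lets a background script see every request, and a content script that runs at document_start in all frames, including about:blank. The following is an added example, not code from the article or from the extension's authors: a small audit function that flags those settings in a manifest, run against a constructed manifest that mirrors the report (only the two script paths are taken from the page; everything else in the sample is made up).

```javascript
// Added example: audit a Chrome extension manifest for the capabilities
// described in the report. The sample manifest below is CONSTRUCTED to
// mirror that description; it is not the real Steam Inventory Helper manifest.
const BROAD = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const isBroad = (patterns = []) => patterns.some((p) => BROAD.has(p));

function auditManifest(m) {
  const findings = [];
  // MV2 puts host patterns in "permissions", MV3 in "host_permissions".
  const hosts = [...(m.permissions || []), ...(m.host_permissions || [])];
  const perms = new Set(m.permissions || []);
  if (isBroad(hosts)) {
    // Triggers the "read and change all your data on the websites you visit" prompt.
    findings.push('broad-host-access');
  }
  if (perms.has('webRequest') && isBroad(hosts)) {
    // A background script can observe every HTTP request the browser makes.
    findings.push('observes-all-http-requests');
  }
  for (const cs of m.content_scripts || []) {
    if (!isBroad(cs.matches)) continue; // narrow site-specific scripts are fine
    const where = (cs.js || []).join(',');
    if (cs.run_at === 'document_start') findings.push(`injects-at-document_start:${where}`);
    if (cs.all_frames) findings.push(`injects-in-all-frames:${where}`);
    if (cs.match_about_blank) findings.push(`injects-in-about:blank:${where}`);
  }
  return findings;
}

// Constructed sample manifest; script paths are the ones the report names.
const constructedManifest = {
  manifest_version: 2,
  name: 'constructed-sample',
  permissions: ['storage', 'tabs', 'webRequest', '<all_urls>'],
  background: { scripts: ['js/common/connectivity.js'] },
  content_scripts: [{
    matches: ['<all_urls>'],
    js: ['js/common/frame.js'],
    run_at: 'document_start',
    all_frames: true,
    match_about_blank: true,
  }],
};

console.log(auditManifest(constructedManifest));
```

A manifest whose content scripts only match the Steam domains and whose permissions omit `<all_urls>` and `webRequest` produces no findings, which is the shape a pure inventory helper would be expected to have.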
The browser extension for Chrome requested new permissions during the update, and this is how the change was spotted.
Steam Inventory Helper requests to "read and change all your data on the websites you visit". It is clear that this is not needed for the very specific task of managing Steam inventory.
The good news is that users need to accept the new permission before the extension is re-enabled after the update. If they don't, the extension stays disabled and won't monitor their browsing activity.
The highly rated extension has already received a fair share of one-star ratings from users who noticed that it requested new permissions that are used to monitor them.
If you are using the extension, it is recommended that you uninstall it right away as you may not want your entire browsing history to be transferred to a third-party server.
Closing Words
This is not the first time that Google's automated scripts have let malware or adware slip by, and it is one of the reasons why I prefer Mozilla's system, which vets any extension update or new extension before it is published.
Tip: Verify Chrome extensions before you download them.
Proof?
Is there another extension possible?
Nah! I would prefer using winfairfail.com rather than this shitty chrome extension.
People keep talking about business end of all this. What is missing from the dialog is this is what happens when government outsources “breaking sworn oaths” you end up with private corps who will happily toss out the entire constitution and rule of law.
After all if you get popped, the prosecution will just defend you. Any whistle blower complaints will be removed for lack of interest.
Headed straight into constitutional crisis times.
hmm, I had posted a line saying this article is linked from the steamrep site as a warning to the trading community. But I don’t see that post back.
uninstalled thank you for warning
Google ain’t going to do shit. They want to monitor people.
Thank you for the warning. I’ve uninstalled right away.
Who used that shit?! Who are those kids?!
Uninstall this extension asap, someone else already wrote about it and I can confirm this:
“From https://reddit.com/u/wartab I have just analyzed the current code of Steam Inventory Helper. Step by step what it does:
On every single page you visit, SIH executes code at document_start (meaning as soon as the page is opened). It even executes on your about:blank page and in all sub-frames on the currently visited site! The code executed is js/common/frame.js
manifest.json : https://pastebin.com/QUWJ2TG3
js/common/frame.js (slightly unobfuscated: https://pastebin.com/4BLeJr5m )
The code in this file does: Monitor when you are entering the site, where you are coming from on this site, when you are leaving the site, when you are clicking something, when you are moving your mouse (which they even failed to do properly), when you are having focus in an input, and you are pressing a key! It is not monitoring what you type. But when you click something, and it is a link, it will send the link URL to a background script.
This background script is located in /js/common/connectivity.js (https://pastebin.com/RsUDkDNQ).
What this script does is very nasty. First of all, it monitors EVERY SINGLE HTTP request you make. https://gyazo.com/174961cee2cf3cb9fdb4830efb669e63 It will then send to their own server a summary of this HTTP request if some condition is met (promoteButter?).
From this point, everything is a bit messy in their code and I will have to check a bit deeper.
Bottom line is: they are monitoring what sites you visit and may be sending a lot of your online activity to their own server. I couldn’t figure out when they do it, yet, but it seems to be for promotional stuff. More importantly, in the future, even if what they do now is legit, you will not be informed about any changes to their permissions, because it basically already has every permission it can get in that regard. Therefore I strongly suggest uninstalling and reporting this extension.
TLDR: Uninstall ASAP.”
Statement from leon; as of writing this, it was the last comment on this add-on. I also reported the extension now and I expect that Google will remove it.
dumb people installing dumb extensions
nothing to see here
replace ‘dumb people’ with ‘chrome users’.
I wouldn’t really blame the “dumb” users. It’s more like the “dumb” extension developers. Don’t blame the developer’s stupidity on the users.
The developers were dumb to pull off such dumb shit like this.
If this whole fiasco was known beforehand and some people still installed the extension regardless, then the users would be dumb.
But it doesn’t seem to be like that in this case (correct me if I’m wrong) so calling the users dumb is wrong.
This will be reversed according to developer reaction:
http://steamcommunity.com/groups/SteamInventoryHelper#announcements/detail/2694698722702419012
Seems honest for me. Someone took liberty and made a decision that should be made more openly.
>Seems honest for me.
Nothing honest about being greedy.
The letter seems insincere and their reasoning is vague and reeks of bullshit. I think a simple “We would have sold all the browsing habits and made a profit if it wasn’t for you meddling kids.” would have sufficed.
The content of the message in the person’s link above has completely changed. Previously it was saying what I said just above (Anonymous). This was a paragraph written in bold, about a third of the whole post that contained nothing else particular (the name of the tech being used, how they’ll never do it again etc)
I am not sure they actually reverted the change now, the new message isn’t that clear about it. They appear butthurt by comments on the Reddit thread which brought their action to light.
” If I would say ‘we are safe’ again, you would laugh on it as it was earlier on reddit threads. What a sad story.”
Yeah so are you ? Did you revert the change instead of moaning about the consequences of your actions ?
They deleted the message saying you were going to reverse …. :P
Such a Disaster….
Well, that bad. I reverse my claims above then.
I don’t read the same thing.
I read that they tried, and only because SOMEONE NOTICED and ENOUGH PEOPLE TAKE ACTION do they post something like :
” We have understood the possible risks of losing you, guys, and we are not going to force that anymore. We are taking down the current version and uploading the version without this script and permissions to the store in the following 2 or 3 hours. “
I vaguely remember a steam addon (possibly the same one) that was on Mozilla which went to hell and basically decided it would be chrome only… hmm I wonder why…
It’s garbage like this that will most likely be the future for mozilla if they aren’t careful.
Only if they ever stop manual reviews, which isn’t planned as far as I know.
LOL
Nice they even steal our behavioural fingerprint. If they register key presses but not key codes (what we type), then they are timing the way we write, which is unique or almost unique to each of us.
Good dudes, very friendly, definitely not an hostile move.
Also quoted from the Reddit report thread:
“I also confirmed myself with a local proxy, UNINSTALL ASAP. The URL of every single page you visit is sent back to the people who bought SIH. Every. Single. Page. Steam related or not. Keep it on and they’ll know all your fetishes and porn watching habits. And I mean it very literally. (also a big risk as some websites still put sensitive data in those URLs)”