Slashdot Mirror


Popular Steam Extension 'Inventory Helper' Spies On Users, Says Report (windowsreport.com)

SmartAboutThings shares a report from Windows Report: If you installed the "Steam Inventory Helper" on your computer, you may want to uninstall it as soon as possible. Recent reports suggest that this extension, used to buy and sell digital goods on Steam, is spying on its users. Redditor Wartab made a thorough analysis of the tool and reached the following conclusions: The spyware code tracks your every move starting from the moment you visit a website until you leave. It also tracks where you are coming from on the site; Steam Inventory Helper tracks your clicks, including when you are moving your mouse and when you have focus in an input; when you click a link, it sends the link URL to a background script; fortunately, the code does not monitor what you type. Apparently, the purpose of this spyware is to collect data about gamers for promotional purposes.
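As an added example (not code from the article, the Reddit analysis, or the extension itself), here is a small Node.js triage helper that scans an unpacked Chrome extension's manifest and content scripts for the behaviours the report describes: listeners on mouse, focus and unload events, reads of the referrer and page URL, and link URLs relayed to a background script via sendMessage. The manifest and content scripts inside it are constructed samples, and the regexes are coarse heuristics for deciding what to read by hand, not a verdict.

```javascript
'use strict';
// Events whose listeners suggest interaction tracking rather than building UI.
const TRACKING_EVENTS = new Set(['mousemove', 'mousedown', 'mouseup', 'focus', 'focusin',
  'focusout', 'blur', 'scroll', 'beforeunload', 'unload', 'visibilitychange']);
// Events that would mean keystroke capture (the report says the extension lacks these).
const KEYSTROKE_EVENTS = new Set(['keydown', 'keypress', 'keyup', 'input']);

const LISTENER_RE = /addEventListener\(\s*['"]([a-z]+)['"]/g; // addEventListener('click', ...)
const ON_HANDLER_RE = /\.on([a-z]+)\s*=/g;                     // el.onmousemove = ...
const SEND_RE = /\b(?:chrome|browser)\.(?:runtime|extension)\.sendMessage\s*\(/;

// MV2 puts host match patterns in "permissions"; MV3 moves them to "host_permissions".
function isMatchPattern(p) {
  return p === '<all_urls>' || /^(?:\*|https?|file|ftp):\/\//.test(p);
}

function classifyEvent(name, f) {
  if (name === 'click') f.clickHooked = true;
  if (TRACKING_EVENTS.has(name)) f.trackingEvents.add(name);
  if (KEYSTROKE_EVENTS.has(name)) f.keystrokeEvents.add(name);
}

function rateRisk(f) {
  const exfil = f.sendsToBackground || f.relaysLinkUrls;
  const surveillance = f.trackingEvents.length > 0 || f.readsReferrer || f.keystrokeEvents.length > 0;
  if (exfil && surveillance) return 'high';
  if (exfil || surveillance) return 'medium';
  return 'low';
}

// Heuristic triage of an unpacked extension: manifest text plus the content scripts' source.
function triageExtension(manifestText, contentScripts) {
  const manifest = JSON.parse(manifestText);
  const permissions = manifest.permissions || [];
  const f = {
    permissions,
    hostPermissions: [...(manifest.host_permissions || []), ...permissions.filter(isMatchPattern)],
    clickHooked: false, trackingEvents: new Set(), keystrokeEvents: new Set(),
    readsReferrer: false, readsLocation: false, sendsToBackground: false, relaysLinkUrls: false,
  };
  for (const src of contentScripts) {
    for (const m of src.matchAll(LISTENER_RE)) classifyEvent(m[1], f);
    for (const m of src.matchAll(ON_HANDLER_RE)) classifyEvent(m[1], f);
    if (/document\.referrer/.test(src)) f.readsReferrer = true;        // "where you are coming from"
    if (/\blocation\.(?:href|pathname)\b/.test(src)) f.readsLocation = true;
    if (SEND_RE.test(src)) f.sendsToBackground = true;
    // A click hook that reads .href and messages the background page is the
    // "sends the link URL to a background script" pattern from the report.
    if (f.clickHooked && f.sendsToBackground && /\.href\b/.test(src)) f.relaysLinkUrls = true;
  }
  f.trackingEvents = [...f.trackingEvents].sort();
  f.keystrokeEvents = [...f.keystrokeEvents].sort();
  f.risk = rateRisk(f);
  return f;
}

// CONSTRUCTED samples mimicking the behaviours the report describes; not the real extension.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2, name: 'constructed-sample', version: '0.0.1',
  permissions: ['tabs', 'storage', '<all_urls>'],
  background: { scripts: ['background.js'] },
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
});
const SAMPLE_TRACKING_SCRIPT = `
(function () {
  var session = { page: location.href, from: document.referrer, t: Date.now() };
  chrome.runtime.sendMessage({ type: 'visit', data: session });
  document.addEventListener('mousemove', function (e) { session.move = [e.clientX, e.clientY]; });
  document.addEventListener('focusin', function (e) { session.focus = e.target.tagName; });
  document.addEventListener('click', function (e) {
    var a = e.target.closest('a');
    if (a) chrome.runtime.sendMessage({ type: 'link', url: a.href });
  });
  window.addEventListener('beforeunload', function () {
    chrome.runtime.sendMessage({ type: 'leave', data: session });
  });
})();`;
// A constructed content script that only adds a UI control and talks to nobody.
const SAMPLE_BENIGN_SCRIPT = `
var btn = document.createElement('button');
btn.addEventListener('click', function () { document.querySelector('table').dataset.sorted = '1'; });
document.body.appendChild(btn);`;

for (const [name, src] of [['tracking', SAMPLE_TRACKING_SCRIPT], ['benign', SAMPLE_BENIGN_SCRIPT]]) {
  const f = triageExtension(SAMPLE_MANIFEST, [src]);
  console.log(`${name}: risk=${f.risk} events=${f.trackingEvents.join(',') || '-'} ` +
    `referrer=${f.readsReferrer} background=${f.sendsToBackground} linkUrls=${f.relaysLinkUrls}`);
}
```

Point it at a real unpacked extension by reading manifest.json and each file listed under content_scripts; a "high" result only means the script deserves a line-by-line read.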

66 comments

  1. Yet another argument for source code by DrYak · · Score: 4, Interesting

    Yet another argument showing why it is better to favour software with visible source code.
    Not that the GPL contains "magic pixie dust" in it that miraculously repels this kind of abuse.

    But it just makes this kind of analysis a little bit more easy.

    Here the author managed to get a hang of what the extension is doing, because it's still in JavaScript (theoretically human-readable), though still heavily obscured (the analyst provides links to slightly de-obscured files).

    If this was a completely opaque closed source binary, analysis would have been much more difficult.

    On the other hand, if this was a completely free/libre opensource software, this kind of analysis would have been much easier and could happen much earlier (and you would expect de-spyware-ified forks to pop-up on github at the same time as such disclosure).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Yet another argument for source code by DrXym · · Score: 4, Insightful

      Source code doesn't help unless you have a surefire way to guarantee that the binary you're running was built exactly from that source code. And if the binary has dependencies on other libraries then the same applies to them. And the compiler toolchain. And if the binary executes html content or scripts, potentially fetched from the web then even that doesn't prevent potential abuse.

    2. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      Why in the HELL would an abusive entity give the source code to their malware?!

    3. Re:Yet another argument for source code by Wootery · · Score: 3, Informative

      Because as far as I can tell it's a Chrome extension, but for some reason neither the summary nor the linked articles bother to make this clear.

    4. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      Of course it helps.
      Is it a silver bullet? No. But arguing it doesn't help is completely disingenuous.

    5. Re:Yet another argument for source code by Z00L00K · · Score: 1

      Sometimes it's a thin line between benign and malicious.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    6. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      It's an argument against running software indiscriminately. The app store concept changed how people see software. With the promise of privilege separation in smartphone operating systems and "vetting" of uploaded apps in the app stores, users have become careless about the software they run on their machines. But it still matters who wrote the software. Very few people have the technical ability to inspect source code for trojan horse components. Even fewer people have the time to actually inspect source code. And hardly anyone ever does that. Reputation is an imperfect system, but it's better than having the source and not looking at it.

    7. Re:Yet another argument for source code by butzwonker · · Score: 1

      But the two things are not mutually exclusive; I prefer good developer reputation + having the source code.

    8. Re:Yet another argument for source code by coastwalker · · Score: 2

      Absolutely. Knowing that gamers spend 85% of their time on Pornhub is going to help advertisers how exactly?

      --
      Facts are history now plebs have politics for religion on social media.
    9. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      I wouldn't say it is arguing, but pointing out that you should be mindful of the issue.

    10. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      I don't think the poster is arguing, just pointing out something to be aware of.

    11. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      Buy more adspace on pornhub that is targeted to gamers?

    12. Re:Yet another argument for source code by Anonymous Coward · · Score: 1

      There's an extremely simple surefire way to guarantee that the binary you're running was built exactly from that source code: compile it yourself.

    13. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      ...or offer to sell pornhub adspace on gaming sites to attract more potential customers...

    14. Re:Yet another argument for source code by beelsebob · · Score: 1

      It doesn't help at all. The first thing anyone even WITH source code would do to analyze the kinds of network requests a blob of code made would be to run the whole environment in something like Charles' Proxy, and observe what network requests go out.

    15. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      There's an extremely simple surefire way to guarantee that the binary you're running was built exactly from that source code: compile it yourself.

      WRONG! WRONG! WRONG! WRONG! WRONG!

      "Reflections on Trusting Trust", by Ken Thompson!

      "Reflections on Trusting Trust", by Ken Thompson!

      "Reflections on Trusting Trust", by Ken Thompson!

      "Reflections on Trusting Trust", by Ken Thompson!

      "Reflections on Trusting Trust", by Ken Thompson!

    16. Re:Yet another argument for source code by ckatko · · Score: 1

      I love the grandparent. It makes me chuckle.

      1) You clearly DON'T need source code to notice when people are opening connections every time you move the mouse. Because we wouldn't know about this at all if that was the case.

      2) Having source code doesn't guarantee anyone is looking at it, or knows what to look for.

      3) Having source code doesn't mean you have source for the entire toolchain or libraries.

      4) Having source code is no proof that it matches the binary. https://www.ece.cmu.edu/~gange...

    17. Re:Yet another argument for source code by ckatko · · Score: 1

      Slashdot ate the rest of my damn comment!

      Ken Thompson's Reflections on Trusting Trust showed back in the 80's that you can have "clean" source code, and a tainted self-compiling compiler that produces tainted code from completely clean code.

      5) Source code != security. Open source means it's easier to verify the SOURCE. It's not magically easy to verify the BINARY.

      [PDF]

      https://www.ece.cmu.edu/~gange...

    18. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      That's what Reproducible Builds are for. Toolchain, libs, build options and all. At a Debian repository near you (and not only there).

    19. Re: Yet another argument for source code by that+this+is+not+und · · Score: 1

      The source code being available also makes it easier for somebody to fork it and introduce malware components. Just make changes, recompile, distribute corrupt new version as a binary. That is much more work if the full source code is not available to corrupt.

      So, it cuts both ways. Open source is in no way a panacea.

    20. Re:Yet another argument for source code by bravecanadian · · Score: 1

      Yet another argument showing why it is better to favour software with visible source code.

      No, it isn't.

      You'd think the serious vulnerabilities that have come up in recent years in open source projects would put the final nail in the coffin for the many eyes theory.

      It doesn't work because no one is actually looking and very few people have the expertise to understand what they are looking at in the first place.

      The only advantage of open source is that if you are one of these rare unicorns with the technical ability, you can fix it yourself. Or continue/fork projects yourself.

    21. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      Source code doesn't help unless [...]

      Perhaps it wasn't intended as an argument, but it is indeed one. The argument is also based on the false premise that everything in your system could be compromised, therefore we should all build a fire and sing a couple of songs.

      This is obviously wrong, because while it could be true, it isn't necessarily so. And in any event you're always, unconditionally, better off with the code than without.

    22. Re: Yet another argument for source code by Anonymous Coward · · Score: 0

      Wrong.

      A compiled product is trivial to de-compile into (obscure) source code. Good understanding of this obscure code is not necessary in order to add malware to it and recompile into a corrupt binary.

      With source code available, the paranoid can install from source rather than trusting the binary.

    23. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      And diverse double compiling gives us an easy way to verify the compiler.

      Further, Ken Thompson's trick is hard to pull off if you actually try. The tainted compiler must be able to realize when it is compiling a new compiler. That is not easy at all - not if a human is trying to fool the detection logic. Something as simple as obfuscating the code by renaming all identifiers and files (and removing comments) should fool such schemes in practice. The compiled binary should be the same either way - if your compiler is not tainted.

    24. Re:Yet another argument for source code by naubol · · Score: 1

      You have a point.

      I would modify it to suggest that your point is that he's "less wrong", in the sense that it is simply harder to get a compromised compiler into the hands of a user. A variety of obstacles occur in that process. If the user is pulling their binaries over SSL from Debian, then Debian would likely have to be compromised (which feels less likely than compromising some application binary in a general sense).

      --
      Reality is a slackware box running on a 386 tucked away in god's sock drawer.
    25. Re:Yet another argument for source code by JohnFen · · Score: 2

      The only advantage of open source is that if you are one of these rare unicorns with the technical ability, you can fix it yourself. Or continue/fork projects yourself.

      Even if this is the only advantage, that alone puts it light-years beyond proprietary code.

    26. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      Is it closed-source proprietary software all the way down? How do you analyze the kinds of network requests that Charles' Proxy is making?

    27. Re:Yet another argument for source code by hairyfeet · · Score: 1

      Exactly. The problem with the whole "source code equals safer" is that the argument breaks down into a giant is-ought problem, because the user is assuming that because the source IS available, someone with the requisite skills and years of experience in code analysis OUGHT to be vetting the code, and time and time again we have seen that simply isn't the case.

      If it's something like a voting machine, where you have groups willing to spend the money to hire experienced programmers to go over the code with a fine-tooth comb? Then having the source is a benefit. If it's some little program like this that few people have heard of and even fewer care about? You can have source all day long and still have shit like this, because nobody is looking at that code but the guys working on the thing.

      Personally I'd love to see stats on the source code for all the various programs and utilities that make up a Linux distro, to see how many people other than the devs are actually accessing that code. I have a feeling that for a good portion the source code is never accessed by anybody that isn't directly involved with the code. I mean, show of hands...how many here have vetted the KDE networking app? The little apps that are always included like screensavers and the googly eyes app? Not to mention all the third party programs that are often included like GnuCash or Gimp.

      Just because you have the code available doesn't mean anybody with the skills to properly vet that code has ever bothered to look at it even once, and with the amount of changes to so many pieces happening constantly, I seriously doubt that if you had a dozen highly experienced programmers they could vet the code for even a single release of a distro before it was already replaced by 2-3 new releases.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    28. Re: Yet another argument for source code by KGIII · · Score: 1

      I believe that's why Debian is doing the repeatable builds project. You should be able to replicate the build exactly.

      --
      "So long and thanks for all the fish."
    29. Re:Yet another argument for source code by Anonymous Coward · · Score: 0

      Who woke the Stallmanites up?

  2. Hah, and you thought the government was behind it! by Anonymous Coward · · Score: 0

    There's nothing people won't do for a little money in their pocket.

  3. Possibly innocent? by Presence+Eternal · · Score: 1

    Could it just be related to creating and working with a custom UI on the Steam website?

    1. Re:Possibly innocent? by Anonymous Coward · · Score: 0

      You stupid?

    2. Re:Possibly innocent? by Presence+Eternal · · Score: 0

      I'm not so naive that I presume innocence on the part of developers, but there's also a lot of sensationalist articles out there. I didn't think the summary was very informative, and the first link goes to a pretty sketchy looking site. The reddit thread has better detail on how this a malicious extension and developer. Also please go drink bleach.

    3. Re:Possibly innocent? by The+MAZZTer · · Score: 1

      It is trivial to view the source code of these extensions and analyze exactly what they are doing. The analyser even attached the relevant source code. If you don't believe him you can look it up yourself.

    4. Re:Possibly innocent? by Presence+Eternal · · Score: 1

      I was asking if there was an alternate interpretation of the activity, not questioning the claimed activity.

    5. Re:Possibly innocent? by zlives · · Score: 0

      you mean... alternative-facts...

    6. Re:Possibly innocent? by Trax3001BBS · · Score: 1

      Could it just be related to creating and working with a custom UI on the Steam website?

      Could be, yet I treat them all the same.

      I installed Steam on Win10 and it started with the system. Few programs get that honor; I disabled it with Autoruns, and now it starts when I want it running.

  4. Why would anyone install a Chrome Extension by known_coward_69 · · Score: 2

    from a nobody? Most of these seem to be from anonymous people hiding behind web email and aliases and you are literally giving them admin access to your computer.

    I have maybe 2-3 extensions and they are from known entities.

    1. Re:Why would anyone install a Chrome Extension by Ritz_Just_Ritz · · Score: 1

      It is breathtaking how the advertising cabal has literally taken control over the Internet. I think this is one of those creepy influences. I doubt the government would be any less creepy or any more transparent though.

      I don't install ANY extensions other than an ad blocker. That probably still exposes me to potentially creepy Google behavior hidden inside chrome, but I don't see much of an alternative.

    2. Re:Why would anyone install a Chrome Extension by bravecanadian · · Score: 4, Interesting

      My favourite extensions are the ad blockers owned by advertising companies.

      I mean at this point, you literally can't trust anything to not be spying on you. Not even just your computer, but your phone, your home automation, your thermostat, your car.. the list just goes on and on.

      It's ridiculous that things have gotten to this state.

    3. Re:Why would anyone install a Chrome Extension by Anonymous Coward · · Score: 0

      By this logic, we will never have any new people making mods. Everybody is a nobody at first. Your favorite extension was written by a one-time nobody. Your second favorite extension was too. As a matter of fact, every program/application you like was written by a one-time nobody.

      Now that I think of it, your opinion has flaws.

    4. Re:Why would anyone install a Chrome Extension by Anonymous Coward · · Score: 0

      TrueCrypt?
      TAILS Linux?

    5. Re:Why would anyone install a Chrome Extension by JohnFen · · Score: 1

      I have maybe 2-3 extensions and they are from known entities

      Do you keep watch to make sure that those extensions don't get sold to someone else?

    6. Re:Why would anyone install a Chrome Extension by Anonymous Coward · · Score: 0

      Or use Chrome at all, for that matter.

    7. Re:Why would anyone install a Chrome Extension by apoc.famine · · Score: 1

      You can't trust anything you're currently buying with a computer onboard and external communication abilities not to spy on you. My current car can't spy on me - it's more than a decade old and doesn't have much of anything tech-wise in it. My limited home automation is also fairly old, and has restricted network access. Now, if I bought a Tesla, or went with Nest toys, yeah, I can't trust those.
       
      I agree with how ridiculous things have gotten, and unfortunately it seems the only real solution is old tech, and forgoing the new stuff.

      --
      Velociraptor = Distiraptor / Timeraptor
  5. Re: Please Check My Website by Anonymous Coward · · Score: 0

    Burn, burn in your shameful sins, beef eater.

  6. oh the irony by Anonymous Coward · · Score: 1

    Visited the first link, and at the top of the article is a link to Reimage plus, a tool for "fixing common windows problems". It is also a 100% safe download (because they say so) and the link is to an unknown binary blob (.exe; thankfully I can't even run it).

    Can we bring back news for nerds? Linking to such a click-bait website is bullshit and you (the editors) should know better! Seriously, the reddit link would have been enough for this story.

  7. I totally agree! by Anonymous Coward · · Score: 1

    I'm currently examining all the source code on my system that I got in 1992. I should be done in another 77 years. Until then, NO NEW SOFTWARE!

    1. Re:I totally agree! by Anonymous Coward · · Score: 0

      Don't be a smartass.

    2. Re: I totally agree! by Anonymous Coward · · Score: 0

      He's not being a 'smartass'. He's being realistic. Code review takes time. Proper code review takes even longer. With even small OSes running into the millions of lines of code, and the applications running on top of it having millions more lines of code, it would take years, if not decades, merely to look at each line of code, never mind analyze what it's doing and whether or not it has any security or privacy implications.

    3. Re: I totally agree! by that+this+is+not+und · · Score: 1

      Also make sure you review the code in the embedded controllers of your keyboard, mouse, hard drive, optical drive, video card, printer, router, and USB hub. And that little adapter board between your optical drive and the SATA cable, too, obviously. They are all separate processors with their own toolchains. Oh, and the JTAG probe you attach to some of them to monitor what they are running.. better review the code in that first.

    4. Re: I totally agree! by Anonymous Coward · · Score: 0

      Code reviews take a lot of time. Like so many other things, we do the occasional test when we see suspicious activity. Much easier than a full review.

  8. Look, fag. by Anonymous Coward · · Score: 0

    What's your fucking problem, fag?

  9. does this matter any more? by Anonymous Coward · · Score: 0

    For better or worse we now live in a world where millions of people will happily install a calculator app even when they are told up front that it needs access to their network contact list, and call history. Or where they'll happily use Facebook to communicate with their friends, in spite of knowing that it's spyware.

    People now accept ANY level of unnecessary spying, for any reason. The days when that was considered unacceptable are over. The ship has sailed. So now instead of 232356774 spywares there are 232356775. OK...

  10. So what about a case like that of Firefox? by Anonymous Coward · · Score: 0

    So what about a case like that of Firefox?

    Firefox is a large, open source application created by what at least some people consider to be a "reputable" organization.

    The source code is available for review. The source code isn't obfuscated or otherwise obscured.

    Yet anybody who claims that Firefox protects their privacy probably hasn't actually looked at Firefox's privacy policy.

    Below are some excerpts from the Firefox privacy policy that is dated July 31, 2017.

    Be sure to notice the type of information being collected and possibly even transmitted to third parties (including Google, some "Leanplum" company, a "mobile analytics vendor", and "certain developers"). We see terms like:

    • "IP address"
    • "browser version"
    • "operating system"
    • "locale"
    • "language preference"
    • "list of add-ons you have installed"
    • "phone number"
    • "email address"
    • "URLs associated with the downloaded file"
    • "hardware configuration"
    • "commonly visited domains"
    • "location"
    • "the active URL"
    • "Google advertising ID"
    • "personal information"
    • "key word searches"
    • "Wi-Fi networks"
    • "cell phone towers"

    Here are the excerpts:

    Once per day, Firefox sends the following info to Mozilla when it checks for browser updates: your Firefox version information, language preference, operating system, and version.

    Firefox contacts Mozilla once per day to check for add-on information to check for malicious add-ons. This includes, for example: browser version, OS and version, locale, total number of requests, time of last request, time of day, IP address, and the list of add-ons you have installed.

    About once per day, Firefox connects to Mozilla and provides you with new snippets, if available. Mozilla may collect how often snippets are clicked, snippet name, browser locale, and which version of Firefox you're using.

    Firefox sends Mozilla a monthly request to look up your location at a country level using your IP address.

    Some Mozilla sponsored snippets are interactive and allow you to optionally share your phone number or email address.

    This data includes, for example: device hardware, operating system, Firefox version, add-ons (count and type), timing of browser events, rendering, session restores, length of session, interaction with search access points and use of Firefox search partner codes, how old a profile is, basic information about errors and crashes, and count of pages.

    Firefox sends to this third-party information identifying the site's certificate.

    About twice per hour, Firefox downloads Google's SafeBrowsing lists to help block access to sites and downloads that are malicious or forged (Google's privacy policy is at https://www.google.com/policies/privacy/).

    Firefox may send metadata, including URLs associated with the downloaded file, to the SafeBrowsing service.

    Usage statistics or "Telemetry" is a feature in Firefox that sends Mozilla usage, performance, and responsiveness statistics about user interface features, memory, and hardware configuration. Your IP address is also collected as a part of a standard web log.

    Firefox sends to Mozilla data relating to the tiles such as number of clicks, impressions, your IP address, locale information, and tile specific data (e.g., position and size of grid).

    In Firefox Beta, certain short-term Telemetry experiments (see above) for Tiles may collect information about comm

  11. Again, source accessible. by DrYak · · Score: 1

    He's being realistic. Code review takes time. Proper code review takes even longer. With even small OSes running into the millions of lines of code, and the applications running on top of it having millions more lines of code, it would take years, if not decades,

    And again, as I've said starting the thread:
    access to the source code helps a lot.
    In this case, because the Linux kernel is GPL (and so is most of the GNU userland), it means many more people can - if they want (and in practice, they do) - investigate to find problematic pieces of code.

    Nobody said that the millions of lines of code need to be investigated one-by-one and that all the decades must happen serially.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  12. Reproducible Builds. by DrYak · · Score: 2

    That's what Reproducible Builds are for. {...} At a Debian repository near you (and not only there).

    Which is the entire point of reproducible builds... :-P

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  13. Trash "Report" by Anonymous Coward · · Score: 2, Informative

    The "Report" is trash.

    > "Steam has yet to issue any comment on this matter."

    I loathe Steam with a passion, but this is a THIRD PARTY EXTENSION not made or supported by Steam; why the fuck would Steam comment on it?

    > "What do you think about Steam spying on its users? "

    Steam most certainly does "spy on its users", but this THIRD PARTY EXTENSION is not part of that.

  14. Studyable. by DrYak · · Score: 1

    Some people will try to justify this nonsense by saying, "It's ok, they disclose what they're collecting and sharing!" or the even more idiotic, "It's ok, you can disable some of this data collection and sharing!".

    None of that matters!

    None of that matters, indeed.

    My whole point is that:
    - even if Mozilla DID NOT disclose it.
    - even if it was NOT POSSIBLE to disable.

    Because the source code of Firefox is accessible, ANALYSTS WOULD STILL be able to notice this.
    And DEVELOPERS WOULD STILL be able to make a fork with the possibility to disable it.

    (see: TorBrowser)

    Again, like I said above, GPL is NOT "magic pixie dust".

    But it helps lower the bar to this kind of control.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  15. OMG! by BlackPignouf · · Score: 1

    OMG, users are being spied on by an app! Quick, delete it! Do continue to use Google, Facebook, Amazon, Apple and Verizon products, though.

    1. Re:OMG! by Anonymous Coward · · Score: 1

      Do continue to use Google, Facebook, Amazon, Apple and Verizon products, though.

      COrrect Me if I'm wrong, but Could you hAve left Someone off your lisT?

  16. Always assume by JohnFen · · Score: 1

    Always assume that any software that can talk over the internet is spying on you. It seems to be true more often than not.

  17. So like using any Google product ... by houghi · · Score: 1

    ... or anything else for that matter.

    --
    Don't fight for your country, if your country does not fight for you.
  18. The link for proof has more spying by Anonymous Coward · · Score: 0

    Windowsreport.com? No thank you.