Slashdot Mirror

← Back to Stories (view on slashdot.org)

Popular Steam Extension 'Inventory Helper' Spies On Users, Says Report (windowsreport.com)

Posted by BeauHD on from the hide-and-seek dept.

SmartAboutThings shares a report from Windows Report: If you installed the "Steam Inventory Helper" on your computer, you may want to uninstall it as soon as possible. Recent reports suggest that this extension used to buy and sell digital goods on Steam is spying on its users. Redditor Wartab made a thorough analysis of the tool and reached the following conclusions: The spyware code tracks your every move starting from the moment you visit a website until you leave. It also tracks where you are coming from on the site; Steam Inventory Helper tracks your clicks, including when you are moving your mouse and when you are having focus in an input; When you click a link, it sends the link URL to a background script; Fortunately, the code does not monitor what you type. Apparently, the purpose of this spyware is to collect data about gamers for promotional purposes.

36 of 66 comments (clear)

  1. Yet another argument for source code by DrYak · · Score: 4, Interesting

    Yet another argument showing why it is better to favour software with visible source code.
    Not that the GPL contains "magic pixie dust" in it that miraculously repel this kind of abuse.

    But it just makes this kind of analysis a little bit more easy.

    Here author manager to get a hang of what the extension is doing, because it's still in javascript (theoretically humean-readable) though still heavily obscured (the analyst provides links to slightly de-obscured files).

    If this was a completely opaque closed source binary, analysis would have been much more difficult.

    On the other hand, if this was a completely free/libre opensource software, this kind of analysis would have been much easier and could happen much earlier (and you would expect de-spyware-ified forks to pop-up on github at the same time as such disclosure).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Yet another argument for source code by DrXym · · Score: 4, Insightful

      Source code doesn't help unless you have a surefire way to guarantee that the binary you're running was built exactly from that source code. And if the binary has dependencies on other libraries then the same applies to them. And the compiler toolchain. And if the binary executes html content or scripts, potentially fetched from the web then even that doesn't prevent potential abuse.

    2. Re:Yet another argument for source code by Wootery · · Score: 3, Informative

      Because as far as I can tell it's a Chrome extension, but for some reason neither the summary nor the linked articles bother to make this clear.

    3. Re:Yet another argument for source code by Z00L00K · · Score: 1

      Sometimes it's a thin line between benign and malicious.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re:Yet another argument for source code by butzwonker · · Score: 1

      But the two tings are not mutually exclusive, I prefer good developer reputation + having the source code.

    5. Re:Yet another argument for source code by coastwalker · · Score: 2

      Absolutely. Knowing that gamers spend 85% of their time on Pornhub is going to help advertisers how exactly?

      --
      Facts are history now plebs have politics for religion on social media.
    6. Re:Yet another argument for source code by Anonymous Coward · · Score: 1

      There's an extremely simple surefire way to guarantee that the binary you're running was built exactly from that source code: compile it yourself.

    7. Re:Yet another argument for source code by beelsebob · · Score: 1

      It doesn't help at all. The first thing anyone even WITH source code would do to analyze the kinds of network requests a blob of code made would be to run the whole environment in something like Charles' Proxy, and observe what network requests go out.

    8. Re:Yet another argument for source code by ckatko · · Score: 1

      I love the grandparent. It makes me chuckle.

      1) You clearly DON'T need source code to notice when people are opening connections every time you move the mouse. Because we wouldn't know about this at all if that was the case.

      2) Having source code doesn't guarantee anyone is looking at it, or knows what to look for.

      3) Having source code doesn't mean you have source for the entire toolchain or libraries.

      4) Having source code is no proof that it matches the binary. https://www.ece.cmu.edu/~gange...

    9. Re:Yet another argument for source code by ckatko · · Score: 1

      Slashdot ate the rest of my damn comment!

      Ken Thompson's Reflections on Trust showed back in the 80's that you can have "clean" source code, and a tainted self-compiling compiler that produces tainted code from completely clean code.

      5) Source code != security. Open source means it's easier to verify the SOURCE. It's not magically easy to verify the BINARY.

      [PDF]

      https://www.ece.cmu.edu/~gange...

    10. Re: Yet another argument for source code by that+this+is+not+und · · Score: 1

      The source code being available also makes it easier for somebody to fork it and introduce malware components. Just make changes, recompile, distribute corrupt new version as a binary. That is much more work if the full source code is not available to corrupt.

      So,it cuts both ways. Open source is in no way a panacea.

    11. Re:Yet another argument for source code by bravecanadian · · Score: 1

      Yet another argument showing why it is better to favour software with visible source code.

      No, it isn't.

      You'd think the serious vulnerabilities that have come up in recent years in open source projects would put the final nail in the coffin for the many eyes theory.

      It doesn't work because no one is actually looking and very few people have the expertise to understand what they are looking at in the first place.

      The only advantage of open source is that if you are one of these rare unicorns with the technical ability, you can fix it yourself. Or continue/fork projects yourself.

    12. Re:Yet another argument for source code by naubol · · Score: 1

      You have a point.

      I would modify it to suggest that your point is that he's "less wrong", in the sense that if it is simply harder to get a compromised compiler into the hands of a user. A variety of obstacles occur in that process. If the user is pulling their binaries over SSL from debian, then debian would likely have to be compromised (Which feels less likely than compromising some application binary in a general sense).

      --
      Reality is a slackware box running on a 386 tucked away in god's sock drawer.
    13. Re:Yet another argument for source code by JohnFen · · Score: 2

      The only advantage of open source is that if you are one of these rare unicorns with the technical ability, you can fix it yourself. Or continue/fork projects yourself.

      Even if this is the only advantage, that alone puts it light-years beyond proprietary code.

    14. Re:Yet another argument for source code by hairyfeet · · Score: 1

      Exactly. The problem with the whole "source code equals safer" is that the argument breaks down into a giant is ought problem because the user is assuming because the source IS available that someone with the requisite skills and years of experience in code analysis OUGHT to be vetting the code and time and time again we have seen that simply isn't the case.

      If its something like a voting machine, where you have groups willing to spend the money to hire experienced programmers to go over the code with a fine tooth comb? Then having the source is a benefit. If its some little program like this that few people have heard of and even less care about? You can have source all day long and still have shit like this because nobody is looking at that code but the guys working on the thing.

      Personally I'd love to see stats on the source code for all the various programs and utilities that make up a Linux distro to see how many other than the devs are actually accessing that code, I have a feeling for a good portion the source code is never accessed by anybody that isn't directly involved with the code. I mean show of hands...how many here have vetted the KDE networking app? The little apps that are always included like screensavers and the googly eyes app? Not to mention all the third party programs that are often included like GnuCash or Gimp.

      Just because you have the code available doesn't mean anybody with the skills to properly vet that code has ever bothered to look at it even once and with the amount of changes to so many pieces happening constantly I seriously doubt if you had a dozen highly experienced programmers that they could vet the code for even a single release of a distro before it was already replaced by 2-3 new releases.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    15. Re: Yet another argument for source code by KGIII · · Score: 1

      I believe that's why Debian is doing the repeatable builds project. You should be able to replicate the build exactly.

      --
      "So long and thanks for all the fish."
  2. Possibly innocent? by Presence+Eternal · · Score: 1

    Could it just be related to creating and working with a custom ui on the steam website?

    1. Re:Possibly innocent? by The+MAZZTer · · Score: 1

      It is trivial to view the source code of these extensions and analyze exactly what they are doing. The analyser even attached the relevant source code. If you don't believe him you can look it up yourself.

    2. Re:Possibly innocent? by Presence+Eternal · · Score: 1

      I was asking if there was an alternate interpretation of the activity, not questioning the claimed activity.

    3. Re:Possibly innocent? by Trax3001BBS · · Score: 1

      Could it just be related to creating and working with a custom ui on the steam website?

      Could be yet I treat them all the same.

      I installed steam on Win10 and it started with the system. Few programs get that honor and disabled with Autoruns, and now starts when I want it running.

  3. Why would anyone install a Chrome Extension by known_coward_69 · · Score: 2

    from a nobody? Most of these seem to be from anonymous people hiding behind web email and aliases and you are literally giving them admin access to your computer.

    I have maybe 2-3 extensions and they are from known entities

    1. Re:Why would anyone install a Chrome Extension by Ritz_Just_Ritz · · Score: 1

      It is breathtaking how the advertising cabal has literally taken control over the Internet. I think this is one of those creepy influences. I doubt the government would be any less creepy or any more transparent though.

      I don't install ANY extensions other than an ad blocker. That probably still exposes me to potentially creepy Google behavior hidden inside chrome, but I don't see much of an alternative.

    2. Re:Why would anyone install a Chrome Extension by bravecanadian · · Score: 4, Interesting

      My favourite extensions are the ad blockers owned by advertising companies.

      I mean at this point, you literally can't trust anything to not be spying on you. Not even just your computer, but your phone, your home automation, your thermastat, your car.. the list just goes on and on.

      It's ridiculous that things have gotten to this state.

    3. Re:Why would anyone install a Chrome Extension by JohnFen · · Score: 1

      I have maybe 2-3 extensions and they are from known entities

      Do you keep watch to make sure that those extensions don't get sold to someone else?

    4. Re:Why would anyone install a Chrome Extension by apoc.famine · · Score: 1

      You can't trust anything you're currently buying with a computer onboard and external communication abilities not to spy on you. My current car can't spy on me - it's more than a decade old and doesn't have much of anything tech-wise in it. My limited home automation is also fairly old, and has restricted network access. Now, if I bought a Tesla, or went with Nest toys, yeah, I can't trust those.
       
      I agree with how ridiculous things have gotten, and unfortunately it seems the only real solution is old tech, and forgoing the new stuff.

      --
      Velociraptor = Distiraptor / Timeraptor
  4. oh the irony by Anonymous Coward · · Score: 1

    visited the first link and at the top of the article is a link to Reimage plus, a tool for "fixing common windows problems". It is also a 100% safe download (because they say so) and the link is to an unknown binary blob (.exe, thankfully i cant even run it)

    can we bring back news for nerds? linking to such a click bait website is bulshit and you (the editors) should know better! seriously, the reddit link would have been enough for this story

  5. I totally agree! by Anonymous Coward · · Score: 1

    I'm currently examining all the source code on my system that I got in 1992. I should be done in another 77 years. Until then, NO NEW SOFTWARE!

    1. Re: I totally agree! by that+this+is+not+und · · Score: 1

      Also make sure you review the code in the embedded controllers of your keyboard, mouse, hard drive, optical drive, video card, printer, router, and usb hub. And that little adapter board between your optical drive and the sata cable, too, obviously. They are all seperate processors with their own toolchains. Oh, and the jtag probe you attach to some of them to monitor what they are running.. better review the code in that first.

  6. Again, source accessible. by DrYak · · Score: 1

    He's being realistic. Code review takes time. Proper code review takes even longer. With even small OSes running into the millions of lines of code, and the applications running on top of it having millions more lines of code, it would take years, if not decades,

    And again, as I've said starting the thread :
    access to the source code helps a lot.
    In this case, because Linux kernel is GPL (and so is most of the GNU userland), it means way much more people can - if they want (and in practice, they do) - investigate to find problematic pieces of code.

    Nobody said that the millions of lines of code needs to be investigate one-by-one and that all the decades must happen serially.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  7. Reproducible Builds. by DrYak · · Score: 2

    That's what Reproducible Builds are for. {...} At a Debian repository near you (and not only there).

    Which is the entire point of reproducible builds... :-P

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  8. Trash "Report" by Anonymous Coward · · Score: 2, Informative

    The "Report" is trash.

    > "Steam has yet to issue any comment on this matter."

    I loathe Steam with a passion, but this is THIRD PARTY EXTENSION not made or supported by Steam, why the fuck would steam comment on it?

    > "What do you think about Steam spying on its users? "

    Steam most certainly does "spy on its users", but this THIRD PARTY EXTENSION is not part of that.

  9. Studyable. by DrYak · · Score: 1

    Some people will try to justify this nonsense by saying, "It's ok, they disclose what they're collecting and sharing!" or the even more idiotic, "It's ok, you can disable some of this data collection and sharing!".

    None of that matters!

    None of that matters, indeed.

    My whole point is that :
    - even if Mozilla DID NOT disclose it.
    - even if it was NOT POSSIBLE to disable.

    Because the source code of Firefox is accessible, ANALYSTS WOULD STILL be able to notice this.
    And DEVELOPERS WOULD STILL be able to make fork with possibility to disable.

    (see: TorBrowser)

    Again, like I said aboe. GPL is NOT "magic pixie dust".

    But helps lowering the bar to this kind of control.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  10. OMG! by BlackPignouf · · Score: 1

    OMG, users are being spied on by an app! Quick, delete it! Do continue to use Google, Facebook, Amazon, Apple and Verizon products, though.

    1. Re:OMG! by Anonymous Coward · · Score: 1

      Do continue to use Google, Facebook, Amazon, Apple and Verizon products, though.

      COrrent Me if i'm wrong, but Could you hAve left Someone off your lisT?

  11. Always assume by JohnFen · · Score: 1

    Always assume that any software that can talk over the internet is spying on you. It seems to be true more often than not.

  12. So like using any Google product ... by houghi · · Score: 1

    ... or anything else for that matter.

    --
    Don't fight for your country, if your country does not fight for you.