Slashdot Mirror


Popular Steam Extension 'Inventory Helper' Spies On Users, Says Report (windowsreport.com)

SmartAboutThings shares a report from Windows Report: If you installed the "Steam Inventory Helper" on your computer, you may want to uninstall it as soon as possible. Recent reports suggest that this extension used to buy and sell digital goods on Steam is spying on its users. Redditor Wartab made a thorough analysis of the tool and reached the following conclusions: The spyware code tracks your every move starting from the moment you visit a website until you leave. It also tracks where you are coming from on the site; Steam Inventory Helper tracks your clicks, including when you are moving your mouse and when you are having focus in an input; When you click a link, it sends the link URL to a background script; Fortunately, the code does not monitor what you type. Apparently, the purpose of this spyware is to collect data about gamers for promotional purposes.

9 of 66 comments

  1. Yet another argument for source code by DrYak · · Score: 4, Interesting

    Yet another argument showing why it is better to favour software with visible source code.
    Not that the GPL contains "magic pixie dust" in it that miraculously repels this kind of abuse.

    But it just makes this kind of analysis a little bit easier.

    Here the author managed to get the hang of what the extension is doing, because it's still in JavaScript (theoretically human-readable) though still heavily obscured (the analyst provides links to slightly de-obscured files).

    If this was a completely opaque closed source binary, analysis would have been much more difficult.

    On the other hand, if this was completely free/libre open-source software, this kind of analysis would have been much easier and could happen much earlier (and you would expect de-spyware-ified forks to pop up on GitHub at the same time as such disclosure).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Yet another argument for source code by DrXym · · Score: 4, Insightful

      Source code doesn't help unless you have a surefire way to guarantee that the binary you're running was built exactly from that source code. And if the binary has dependencies on other libraries then the same applies to them. And the compiler toolchain. And if the binary executes HTML content or scripts, potentially fetched from the web, then even that doesn't prevent potential abuse.

    2. Re:Yet another argument for source code by Wootery · · Score: 3, Informative

      Because as far as I can tell it's a Chrome extension, but for some reason neither the summary nor the linked articles bother to make this clear.

    3. Re:Yet another argument for source code by coastwalker · · Score: 2

      Absolutely. Knowing that gamers spend 85% of their time on Pornhub is going to help advertisers how exactly?

      --
      Facts are history now plebs have politics for religion on social media.
    4. Re:Yet another argument for source code by JohnFen · · Score: 2

      The only advantage of open source is that if you are one of these rare unicorns with the technical ability, you can fix it yourself. Or continue/fork projects yourself.

      Even if this is the only advantage, that alone puts it light-years beyond proprietary code.

  2. Why would anyone install a Chrome Extension by known_coward_69 · · Score: 2

    from a nobody? Most of these seem to be from anonymous people hiding behind web email and aliases and you are literally giving them admin access to your computer.

    I have maybe 2-3 extensions and they are from known entities

    1. Re:Why would anyone install a Chrome Extension by bravecanadian · · Score: 4, Interesting

      My favourite extensions are the ad blockers owned by advertising companies.

      I mean at this point, you literally can't trust anything to not be spying on you. Not even just your computer, but your phone, your home automation, your thermostat, your car.. the list just goes on and on.

      It's ridiculous that things have gotten to this state.

  3. Reproducible Builds. by DrYak · · Score: 2

    That's what Reproducible Builds are for. {...} At a Debian repository near you (and not only there).

    Which is the entire point of reproducible builds... :-P

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  4. Trash "Report" by Anonymous Coward · · Score: 2, Informative

    The "Report" is trash.

    > "Steam has yet to issue any comment on this matter."

    I loathe Steam with a passion, but this is a THIRD PARTY EXTENSION not made or supported by Steam, why the fuck would Steam comment on it?

    > "What do you think about Steam spying on its users?"

    Steam most certainly does "spy on its users", but this THIRD PARTY EXTENSION is not part of that.