
Popular Steam Extension 'Inventory Helper' Spies On Users, Says Report (windowsreport.com)

SmartAboutThings shares a report from Windows Report: If you installed the "Steam Inventory Helper" on your computer, you may want to uninstall it as soon as possible. Recent reports suggest that this extension used to buy and sell digital goods on Steam is spying on its users. Redditor Wartab made a thorough analysis of the tool and reached the following conclusions: The spyware code tracks your every move starting from the moment you visit a website until you leave. It also tracks where you are coming from on the site; Steam Inventory Helper tracks your clicks, including when you are moving your mouse and when you are having focus in an input; When you click a link, it sends the link URL to a background script; Fortunately, the code does not monitor what you type. Apparently, the purpose of this spyware is to collect data about gamers for promotional purposes.
  • by DrYak ( 748999 ) on Wednesday September 20, 2017 @06:19AM (#55230281) Homepage

    Yet another argument showing why it is better to favour software with visible source code.
    Not that the GPL contains "magic pixie dust" in it that miraculously repels this kind of abuse.

    But it just makes this kind of analysis a little bit easier.

    Here the author managed to get the hang of what the extension is doing, because it's still in JavaScript (theoretically human-readable) though still heavily obscured (the analyst provides links to slightly de-obscured files).

    If this was a completely opaque closed source binary, analysis would have been much more difficult.

    On the other hand, if this was a completely free/libre opensource software, this kind of analysis would have been much easier and could happen much earlier (and you would expect de-spyware-ified forks to pop up on GitHub at the same time as such disclosure).

    • by DrXym ( 126579 ) on Wednesday September 20, 2017 @06:23AM (#55230291)
      Source code doesn't help unless you have a surefire way to guarantee that the binary you're running was built exactly from that source code. And if the binary has dependencies on other libraries then the same applies to them. And the compiler toolchain. And if the binary executes html content or scripts, potentially fetched from the web then even that doesn't prevent potential abuse.
      • by Anonymous Coward

        There's an extremely simple surefire way to guarantee that the binary you're running was built exactly from that source code: compile it yourself.

      • It doesn't help at all. The first thing anyone even WITH source code would do to analyze the kinds of network requests a blob of code made would be to run the whole environment in something like Charles' Proxy, and observe what network requests go out.

      • I love the grandparent. It makes me chuckle.

        1) You clearly DON'T need source code to notice when people are opening connections every time you move the mouse. Because we wouldn't know about this at all if that was the case.

        2) Having source code doesn't guarantee anyone is looking at it, or knows what to look for.

        3) Having source code doesn't mean you have source for the entire toolchain or libraries.

        4) Having source code is no proof that it matches the binary. https://www.ece.cmu.edu/~gange...

        • Slashdot ate the rest of my damn comment!

          Ken Thompson's Reflections on Trust showed back in the 80's that you can have "clean" source code, and a tainted self-compiling compiler that produces tainted code from completely clean code.

          5) Source code != security. Open source means it's easier to verify the SOURCE. It's not magically easy to verify the BINARY.

          [PDF]

          https://www.ece.cmu.edu/~gange... [cmu.edu]

        • Exactly. The problem with the whole "source code equals safer" is that the argument breaks down into a giant is-ought problem [wikipedia.org] because the user is assuming because the source IS available that someone with the requisite skills and years of experience in code analysis OUGHT to be vetting the code and time and time again we have seen that simply isn't the case.

          If its something like a voting machine, where you have groups willing to spend the money to hire experienced programmers to go over the code with a fine

      • I believe that's why Debian is doing the repeatable builds project. You should be able to replicate the build exactly.

    • by Anonymous Coward

      I'm currently examining all the source code on my system that I got in 1992. I should be done in another 77 years. Until then, NO NEW SOFTWARE!

    • Yet another argument showing why it is better to favour software with visible source code.

      No, it isn't.

      You'd think the serious vulnerabilities that have come up in recent years in open source projects would put the final nail in the coffin for the many eyes theory.

      It doesn't work because no one is actually looking and very few people have the expertise to understand what they are looking at in the first place.

      The only advantage of open source is that if you are one of these rare unicorns with the technical ability, you can fix it yourself. Or continue/fork projects yourself.

      • The only advantage of open source is that if you are one of these rare unicorns with the technical ability, you can fix it yourself. Or continue/fork projects yourself.

        Even if this is the only advantage, that alone puts it light-years beyond proprietary code.

  • Could it just be related to creating and working with a custom ui on the steam website?

    • It is trivial to view the source code of these extensions and analyze exactly what they are doing. The analyser even attached the relevant source code. If you don't believe him you can look it up yourself.
    • Could it just be related to creating and working with a custom ui on the steam website?

      Could be, yet I treat them all the same.

      I installed Steam on Win10 and it started with the system. Few programs get that honor, so I disabled it with Autoruns, and now it starts when I want it running.

  • by known_coward_69 ( 4151743 ) on Wednesday September 20, 2017 @07:14AM (#55230407)

    from a nobody? Most of these seem to be from anonymous people hiding behind web email and aliases and you are literally giving them admin access to your computer.

    I have maybe 2-3 extensions and they are from known entities

    • It is breathtaking how the advertising cabal has literally taken control over the Internet. I think this is one of those creepy influences. I doubt the government would be any less creepy or any more transparent though.

      I don't install ANY extensions other than an ad blocker. That probably still exposes me to potentially creepy Google behavior hidden inside chrome, but I don't see much of an alternative.

    • by bravecanadian ( 638315 ) on Wednesday September 20, 2017 @09:55AM (#55231131)

      My favourite extensions are the ad blockers owned by advertising companies.

      I mean at this point, you literally can't trust anything to not be spying on you. Not even just your computer, but your phone, your home automation, your thermostat, your car... the list just goes on and on.

      It's ridiculous that things have gotten to this state.

      • You can't trust anything you're currently buying with a computer onboard and external communication abilities not to spy on you. My current car can't spy on me - it's more than a decade old and doesn't have much of anything tech-wise in it. My limited home automation is also fairly old, and has restricted network access. Now, if I bought a Tesla, or went with Nest toys, yeah, I can't trust those.

        I agree with how ridiculous things have gotten, and unfortunately it seems the only real solution is old

    • I have maybe 2-3 extensions and they are from known entities

      Do you keep watch to make sure that those extensions don't get sold to someone else?

  • by Anonymous Coward

    Visited the first link and at the top of the article is a link to Reimage Plus, a tool for "fixing common Windows problems". It is also a 100% safe download (because they say so) and the link is to an unknown binary blob (.exe, thankfully I can't even run it)

    Can we bring back news for nerds? Linking to such a clickbait website is bullshit and you (the editors) should know better! Seriously, the Reddit link would have been enough for this story

  • Trash "Report"

    by Anonymous Coward

    The "Report" is trash.

    > "Steam has yet to issue any comment on this matter."

    I loathe Steam with a passion, but this is a THIRD PARTY EXTENSION not made or supported by Steam, why the fuck would Steam comment on it?

    > "What do you think about Steam spying on its users? "

    Steam most certainly does "spy on its users", but this THIRD PARTY EXTENSION is not part of that.

  • OMG, users are being spied on by an app! Quick, delete it! Do continue to use Google, Facebook, Amazon, Apple and Verizon products, though.

    • by Anonymous Coward

      Do continue to use Google, Facebook, Amazon, Apple and Verizon products, though.

      COrrect Me if i'm wrong, but Could you hAve left Someone off your lisT?

  • Always assume that any software that can talk over the internet is spying on you. It seems to be true more often than not.

  • ... or anything else for that matter.
