Popular Steam Extension 'Inventory Helper' Spies On Users, Says Report (windowsreport.com) 66
SmartAboutThings shares a report from Windows Report: If you installed the "Steam Inventory Helper" on your computer, you may want to uninstall it as soon as possible. Recent reports suggest that this extension used to buy and sell digital goods on Steam is spying on its users. Redditor Wartab made a thorough analysis of the tool and reached the following conclusions: The spyware code tracks your every move starting from the moment you visit a website until you leave. It also tracks where you are coming from on the site; Steam Inventory Helper tracks your clicks, including when you are moving your mouse and when you are having focus in an input; When you click a link, it sends the link URL to a background script; Fortunately, the code does not monitor what you type. Apparently, the purpose of this spyware is to collect data about gamers for promotional purposes.
Yet another argument for source code (Score:5, Interesting)
Yet another argument showing why it is better to favour software with visible source code.
Not that the GPL contains "magic pixie dust" in it that miraculously repel this kind of abuse.
But it just makes this kind of analysis a little bit more easy.
Here author manager to get a hang of what the extension is doing, because it's still in javascript (theoretically humean-readable) though still heavily obscured (the analyst provides links to slightly de-obscured files).
If this was a completely opaque closed source binary, analysis would have been much more difficult.
On the other hand, if this was a completely free/libre opensource software, this kind of analysis would have been much easier and could happen much earlier (and you would expect de-spyware-ified forks to pop-up on github at the same time as such disclosure).
Re:Yet another argument for source code (Score:5, Insightful)
Re: Yet another argument for source code (Score:1)
The source code being available also makes it easier for somebody to fork it and introduce malware components. Just make changes, recompile, distribute corrupt new version as a binary. That is much more work if the full source code is not available to corrupt.
So,it cuts both ways. Open source is in no way a panacea.
Re: (Score:1)
There's an extremely simple surefire way to guarantee that the binary you're running was built exactly from that source code: compile it yourself.
Re: (Score:2)
You have a point.
I would modify it to suggest that your point is that he's "less wrong", in the sense that if it is simply harder to get a compromised compiler into the hands of a user. A variety of obstacles occur in that process. If the user is pulling their binaries over SSL from debian, then debian would likely have to be compromised (Which feels less likely than compromising some application binary in a general sense).
Re: (Score:2)
It doesn't help at all. The first thing anyone even WITH source code would do to analyze the kinds of network requests a blob of code made would be to run the whole environment in something like Charles' Proxy, and observe what network requests go out.
Re: (Score:2)
I love the grandparent. It makes me chuckle.
1) You clearly DON'T need source code to notice when people are opening connections every time you move the mouse. Because we wouldn't know about this at all if that was the case.
2) Having source code doesn't guarantee anyone is looking at it, or knows what to look for.
3) Having source code doesn't mean you have source for the entire toolchain or libraries.
4) Having source code is no proof that it matches the binary. https://www.ece.cmu.edu/~gange...
Re: (Score:2)
Slashdot ate the rest of my damn comment!
Ken Thompson's Reflections on Trust showed back in the 80's that you can have "clean" source code, and a tainted self-compiling compiler that produces tainted code from completely clean code.
5) Source code != security. Open source means it's easier to verify the SOURCE. It's not magically easy to verify the BINARY.
[PDF]
https://www.ece.cmu.edu/~gange... [cmu.edu]
Re: (Score:2)
Reproducible Builds. (Score:3)
That's what Reproducible Builds [reproducible-builds.org] are for. {...} At a Debian repository near you (and not only there).
Which is the entire point of reproducible builds... :-P
Re: Yet another argument for source code (Score:2)
I believe that's why Debian is doing the repeatable builds project. You should be able to replicate the build exactly.
Re:Yet another argument for source code (Score:4, Informative)
Because as far as I can tell it's a Chrome extension, but for some reason neither the summary nor the linked articles bother to make this clear.
Re: (Score:2)
Sometimes it's a thin line between benign and malicious.
Re: (Score:3)
Absolutely. Knowing that gamers spend 85% of their time on Pornhub is going to help advertisers how exactly?
Re: (Score:2)
But the two tings are not mutually exclusive, I prefer good developer reputation + having the source code.
I totally agree! (Score:1)
I'm currently examining all the source code on my system that I got in 1992. I should be done in another 77 years. Until then, NO NEW SOFTWARE!
Re: I totally agree! (Score:1)
Also make sure you review the code in the embedded controllers of your keyboard, mouse, hard drive, optical drive, video card, printer, router, and usb hub. And that little adapter board between your optical drive and the sata cable, too, obviously. They are all seperate processors with their own toolchains. Oh, and the jtag probe you attach to some of them to monitor what they are running.. better review the code in that first.
Again, source accessible. (Score:2)
He's being realistic. Code review takes time. Proper code review takes even longer. With even small OSes running into the millions of lines of code, and the applications running on top of it having millions more lines of code, it would take years, if not decades,
And again, as I've said starting the thread :
access to the source code helps a lot.
In this case, because Linux kernel is GPL (and so is most of the GNU userland), it means way much more people can - if they want (and in practice, they do) - investigate to find problematic pieces of code.
Nobody said that the millions of lines of code needs to be investigate one-by-one and that all the decades must happen serially.
Studyable. (Score:2)
Some people will try to justify this nonsense by saying, "It's ok, they disclose what they're collecting and sharing!" or the even more idiotic, "It's ok, you can disable some of this data collection and sharing!".
None of that matters!
None of that matters, indeed.
My whole point is that :
- even if Mozilla DID NOT disclose it.
- even if it was NOT POSSIBLE to disable.
Because the source code of Firefox is accessible, ANALYSTS WOULD STILL be able to notice this.
And DEVELOPERS WOULD STILL be able to make fork with possibility to disable.
(see: TorBrowser)
Again, like I said aboe. GPL is NOT "magic pixie dust".
But helps lowering the bar to this kind of control.
Re: (Score:2)
Yet another argument showing why it is better to favour software with visible source code.
No, it isn't.
You'd think the serious vulnerabilities that have come up in recent years in open source projects would put the final nail in the coffin for the many eyes theory.
It doesn't work because no one is actually looking and very few people have the expertise to understand what they are looking at in the first place.
The only advantage of open source is that if you are one of these rare unicorns with the technical ability, you can fix it yourself. Or continue/fork projects yourself.
Re: (Score:3)
The only advantage of open source is that if you are one of these rare unicorns with the technical ability, you can fix it yourself. Or continue/fork projects yourself.
Even if this is the only advantage, that alone puts it light-years beyond proprietary code.
Possibly innocent? (Score:2)
Could it just be related to creating and working with a custom ui on the steam website?
Re: (Score:1)
I'm not so naive that I presume innocence on the part of developers, but there's also a lot of sensationalist articles out there. I didn't think the summary was very informative, and the first link goes to a pretty sketchy looking site. The reddit thread has better detail on how this a malicious extension and developer. Also please go drink bleach.
Re: (Score:2)
Re: (Score:2)
I was asking if there was an alternate interpretation of the activity, not questioning the claimed activity.
Re: (Score:1)
you mean... alternative-facts...
Re: (Score:2)
Could it just be related to creating and working with a custom ui on the steam website?
Could be yet I treat them all the same.
I installed steam on Win10 and it started with the system. Few programs get that honor and disabled with Autoruns, and now starts when I want it running.
Why would anyone install a Chrome Extension (Score:3)
from a nobody? Most of these seem to be from anonymous people hiding behind web email and aliases and you are literally giving them admin access to your computer.
I have maybe 2-3 extensions and they are from known entities
Re: (Score:2)
It is breathtaking how the advertising cabal has literally taken control over the Internet. I think this is one of those creepy influences. I doubt the government would be any less creepy or any more transparent though.
I don't install ANY extensions other than an ad blocker. That probably still exposes me to potentially creepy Google behavior hidden inside chrome, but I don't see much of an alternative.
Re:Why would anyone install a Chrome Extension (Score:5, Interesting)
My favourite extensions are the ad blockers owned by advertising companies.
I mean at this point, you literally can't trust anything to not be spying on you. Not even just your computer, but your phone, your home automation, your thermastat, your car.. the list just goes on and on.
It's ridiculous that things have gotten to this state.
Re: (Score:2)
You can't trust anything you're currently buying with a computer onboard and external communication abilities not to spy on you. My current car can't spy on me - it's more than a decade old and doesn't have much of anything tech-wise in it. My limited home automation is also fairly old, and has restricted network access. Now, if I bought a Tesla, or went with Nest toys, yeah, I can't trust those.
I agree with how ridiculous things have gotten, and unfortunately it seems the only real solution is old
Re: (Score:2)
I have maybe 2-3 extensions and they are from known entities
Do you keep watch to make sure that those extensions don't get sold to someone else?
oh the irony (Score:1)
visited the first link and at the top of the article is a link to Reimage plus, a tool for "fixing common windows problems". It is also a 100% safe download (because they say so) and the link is to an unknown binary blob (.exe, thankfully i cant even run it)
can we bring back news for nerds? linking to such a click bait website is bulshit and you (the editors) should know better! seriously, the reddit link would have been enough for this story
Trash "Report" (Score:2, Informative)
The "Report" is trash.
> "Steam has yet to issue any comment on this matter."
I loathe Steam with a passion, but this is THIRD PARTY EXTENSION not made or supported by Steam, why the fuck would steam comment on it?
> "What do you think about Steam spying on its users? "
Steam most certainly does "spy on its users", but this THIRD PARTY EXTENSION is not part of that.
OMG! (Score:2)
OMG, users are being spied on by an app! Quick, delete it! Do continue to use Google, Facebook, Amazon, Apple and Verizon products, though.
Re: (Score:1)
Do continue to use Google, Facebook, Amazon, Apple and Verizon products, though.
COrrent Me if i'm wrong, but Could you hAve left Someone off your lisT?
Always assume (Score:2)
Always assume that any software that can talk over the internet is spying on you. It seems to be true more often than not.
Re: (Score:2)