A recent update to the popular Google Chrome extension Steam Inventory Helper added a component that monitors browsing activity.
Steam Inventory Helper is a popular Chrome extension for the gaming platform Steam that improves inventory management, trading, buying, and selling. It is particularly popular with CounterStrike Global Offensive players, but works with other Steam games that come with virtual items support as well.
Reddit user Wartab was the first to report the monitoring. A post on the official CounterStrike Global Offensive forum on Reddit highlights what Steam Inventory Helper does in the background.
Basically, what Steam Inventory Helper does is execute code on any page load, even on internal pages such as about:blank.
The code that the update introduced monitors the following:
- The referrer (the site you came from).
- The time the site was loaded and exited.
- When the mouse is moved.
- Input focus.
- Key presses (but not what is typed).
It sends any link that you click on while the extension is active to a background script. This script monitors the HTTP requests that are made and sends a summary of these requests to a server.
Bottom line is: they are monitoring what sites you visit and may be sending a lot of your online activity to their own server. I couldn’t figure out when they do it, yet, but it seems to be for promotional stuff. More importantly, in the future, even if what they do now is legit, you will not be informed about any changes to their permissions, because it basically already has every permission it can get in that regard.
The browser extension for Chrome requested new permissions during the update, and this is how the change was spotted.
Steam Inventory Helper requests to “read and change all your data on the websites you visit”. It is clear that this is not needed for the very specific task of managing Steam inventory.
The good news is that users need to accept the new permission before the extension is enabled after the update. If they don’t, the extension is disabled and won’t monitor browsing activity.
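The permission change described above can be checked by comparing an extension's `manifest.json` before and after an update. The following is an added example, not part of the original article and not the extension's own code; both manifests, the host pattern and the file names in them are constructed for illustration.

```javascript
// Added example: flags the manifest changes the article describes.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Return the set of risky declarations found in one parsed manifest.json.
function auditManifest(manifest) {
  const findings = new Set();
  // Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of declared) {
    if (BROAD_HOSTS.has(p)) findings.add(`host-access:${p}`); // "read and change all your data"
    if (p === "webRequest") findings.add("api:webRequest");   // can observe HTTP requests
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) findings.add(`content-script:${m}`); // runs on every page load
    }
    // match_about_blank extends injection to about:blank frames.
    if (cs.match_about_blank === true) findings.add("content-script:about:blank");
  }
  return findings;
}

// Findings present after the update that were absent before it.
function newFindings(oldManifest, newManifest) {
  const before = auditManifest(oldManifest);
  return [...auditManifest(newManifest)].filter((f) => !before.has(f)).sort();
}

// Constructed sample manifests (hypothetical, not the real extension's files).
const beforeUpdate = {
  manifest_version: 2,
  permissions: ["storage", "*://steamcommunity.com/*"],
  content_scripts: [{ matches: ["*://steamcommunity.com/*"], js: ["inventory.js"] }],
};
const afterUpdate = {
  manifest_version: 2,
  permissions: ["storage", "webRequest", "<all_urls>"],
  content_scripts: [
    { matches: ["*://steamcommunity.com/*"], js: ["inventory.js"] },
    { matches: ["<all_urls>"], match_about_blank: true, js: ["track.js"] },
  ],
};

console.log(newFindings(beforeUpdate, afterUpdate));
```

An empty result means the update declared no new broad access; any entry is a reason to review the update before accepting the permission prompt.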
The highly rated extension has already received a fair share of one-star ratings from users who noticed that it requested new permissions that are used to monitor users.
If you are using the extension, it is recommended that you uninstall it right away as you may not want your entire browsing history to be transferred to a third-party server.
This is not the first time that Google’s automated scripts let malware or adware slip by, and it is one of the reasons why I prefer Mozilla’s system that vets any extension update or new extension before it is published.
Tip: Verify Chrome extensions before you download them.