A popular extension that helps gamers buy and sell digital goods on the Steam platform is now attempting to track their movements all over the web. Steam Inventory Helper, or SIH, today prompted users to accept new permissions that, according to Redditor ‘wartab,’ would:
Monitor when you are entering the site, where you are coming from on this site, when you are leaving the site, when you are clicking something, when you are moving your mouse (which they even failed to do properly), when you are having focus in an input, and you are pressing a key! It is not monitoring what you type. But when you click something, and it is a link, it will send the link URL to a background script.
In a case of severe overreach, the plugin monitors every HTTP request and sends results to its own server if certain conditions are met. It’s unclear what the dev team behind SIH is looking for, exactly, but whatever it is could result in unsuspecting users sending back a fair bit of unintended data, some of which is potentially sensitive.
Future updates, once you agree to the current ones, could be even more extreme; you’ve essentially given the plugin all the permissions you can offer it. With this level of access, the current threat might be relatively minor compared to future iterations.
According to the plugin’s developers:
As you will see it says that we will communicate with the cooperating websites, this will help us to get bigger functionality on the Steam based resources for games and inventories. Also you will see the string about “read and change all your data”, this is just a Google principle, don’t be afraid of that, we won’t read and change your data, we won’t get any access to your accounts and stuff like that.
Update: The developers of Steam Inventory Helped have posted an apology on their Steam community page, saying that the permissions were required to get a sense of their users’ profiles:
We are sorry that this case was so painful to you and we don’t want to get our users feel uncomfortable. The biggest % amount of this permissions reason was to upgrade our services to understand how users are using SIH and to improve its work in the future, to know the countries from where you are visiting us to get more languages, to get the active users statistics, because google don’t provide that info correctly. The service that should help us with this data was SimilarWeb. To make it all clear.
We have understood the possible risks of losing you, guys, and we are not going to force that anymore. We are taking down the current version and uploading the version without this script and permissions to the store in the following 2 or 3 hours.
Would you trust the developers and continue to use SIH after this? It looks like the commenters on that Steam page are mostly against the idea; let us know what you think in the comments.