Steam Inventory Helper is an extension for Chrome that allows you to manage your Steam inventory right from your browser. It’s very popular as it makes trading on Steam a lot easier and quicker. But something fishy is going on.
Previously, it only asked for permissions allowing access to data from Steam-related websites, but now it wants to “Read and change all your data on the websites that you visit”.
Reddit user /u/wartab took a dive into the code to see exactly what it was doing. According to him, it basically monitors everything you’re doing online apart from your keyboard inputs. He writes in his post that Steam Inventory Helper will “Monitor when you are entering the site, where you are coming from on this site, when you are leaving the site, when you are clicking something, when you are moving your mouse (which they even failed to do properly), when you are having focus in an input, and you are pressing a key! It is not monitoring what you type. But when you click something, and it is a link, it will send the link URL to a background script.”
Naturally, it didn’t take long for the developers of the extension to respond. They apologised and said they would “take down the current version and upload a version without the script and permissions to the store in the following 2 or 3 hours.” They went on to say “We get the point of our mistakes. This thing will never happen again.”
What a kind and reasonable sentiment. What a shame they apparently didn’t mean it. They later made a new post on Steam wondering “why people talk about keyloggers and sh*t? Selling info to the other sites? Are you crazy? Please google it, how it works. This is ridiculous.” They went on to say “it is your choice to believe us or not.”
While they may well not be up to anything harmful, it is very suspicious that they would suddenly ask for such a broad permission out of nowhere and, after promising to undo it, do a complete 180 and take a somewhat aggressive stance against users who are displeased by the change. I would recommend uninstalling it for now until either they undo this change or someone can confirm that it isn’t being done maliciously.
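The kind of permission jump described above can be caught by comparing the manifests of two versions of an extension before accepting an update. The following is an added example, not code from the extension or from the Reddit post: both manifests, their version numbers and their script file names are constructed samples, and it treats `<all_urls>` and wildcard-host match patterns as the grants behind the all-sites warning.

```javascript
// Added example: detect a host-permission escalation between two versions of
// a Chrome extension manifest. The manifests are constructed samples.

// Gather every match pattern that gives the extension access to pages:
// "permissions" (MV2), "host_permissions" (MV3) and content_scripts[].matches.
function hostPatterns(manifest) {
  const isPattern = (p) =>
    typeof p === "string" && (p === "<all_urls>" || p.includes("://"));
  const out = new Set();
  for (const key of ["permissions", "host_permissions"]) {
    for (const p of manifest[key] || []) if (isPattern(p)) out.add(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) out.add(p);
  }
  return out;
}

// A pattern is "broad" when its host part is a bare wildcard.
function isBroad(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?|wss?|ftp):\/\/\*\//.test(pattern);
}

// Report patterns added by the update and whether it moves the extension
// from site-scoped access to all-sites access.
function diffPermissions(oldManifest, newManifest) {
  const before = hostPatterns(oldManifest);
  const after = hostPatterns(newManifest);
  const added = [...after].filter((p) => !before.has(p));
  const addedBroad = added.filter(isBroad);
  const wasBroad = [...before].some(isBroad);
  return { added, addedBroad, escalated: addedBroad.length > 0 && !wasBroad };
}

const oldManifest = { // constructed: access limited to Steam domains
  manifest_version: 2, version: "1.0.0",
  permissions: ["storage", "*://steamcommunity.com/*", "*://*.steampowered.com/*"],
  content_scripts: [{ matches: ["*://steamcommunity.com/*"], js: ["inventory.js"] }],
};
const newManifest = { // constructed: update adds all-sites access
  manifest_version: 2, version: "1.1.0",
  permissions: ["storage", "*://steamcommunity.com/*", "<all_urls>"],
  content_scripts: [
    { matches: ["*://steamcommunity.com/*"], js: ["inventory.js"] },
    { matches: ["http://*/*", "https://*/*"], js: ["tracker.js"] },
  ],
};

console.log(diffPermissions(oldManifest, newManifest));
```

A content script matched against every site is worth flagging even when the top-level permissions list looks unchanged, which is why `content_scripts[].matches` is included in the comparison.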