jshackles
Gentlemen, we can rebuild it. We have the capability to make the world's first enhanced store. Steam will be that store. Better than it was before.
Steam Inventory Helper is requesting new permissions and Reddit is losing it.
https://www.reddit.com/r/GlobalOffe...inventory_helper_now/?st=j7qvaujr&sh=bf946b35
SIH is really useful to me, so I'm reluctant to stop using it, but I'm not keen on having my shit sold to advertisers. What do y'all think?
I would strongly recommend anyone that still has this to uninstall it immediately and (optionally) report it to Google. Normally I try to stay quiet about SIH since it's technically an Enhanced Steam competitor on the Google web store and I don't want people to think that I'm trying to drag their name through the mud just to get more eyeballs on ES or draw negative attention to their code to paint mine in a positive light.
But fuck me, I can't stay quiet about this update and what it represents to the end users. TL;DR = this update tracks all of your online activity and sends the data back to SIH's servers for unknown reasons. Their privacy policy was updated to accommodate this sort of data exfiltration, and continuing to use the software means you agree to share the entirety of your browsing activity with SIH and its parent company CSGOFast.
Technically speaking, this update adds "<all_urls>" to the manifest file's permissions. Unless you actually need your extension to run on every page, this is a frowned-upon permission. My recent ActivateOnSteam extension has this permission, but the permission is actually required as you need to be able to access the functionality from the context menu on any page. So I'll agree that it has its usefulness but I can't for the life of me think why SIH would need it outside of the developers either being a) lazy or b) shady.
More to the point, this new update adds a background script that runs on every page (js/common/frame.js) which ships data back to their servers located at steamih.com (not even their primarily recognized domain, private registration exactly 2 months ago). Specifically, this script adds what's called an EventListener for 'click', 'maouseover', 'mouseout', 'focus', 'keydown'. Oops, looks like they mistyped 'mouseover', but it'll probably get fixed in a future release. So essentially, any time you click on a webpage, mouseover an element (presumably, once this gets fixed), move your cursor outside of an element, focus (for example, enter into a text field), or press any key this new script starts packaging the data to be shipped to them. This is what's commonly referred to as a keylogger.
As if this weren't enough, they've also extended the base webrequests handler in Chrome. This means that the extension will package data for shipment after each request your browser makes - and remember, these requests aren't limited to Steam or even Steam-related sites. Mind you, there doesn't appear to be any evidence that they're capturing and transmitting any of the actual data you POST, but using this method would give them a very clear indication of exactly every site you've visited, every button you've hovered over or clicked on, and a lot of data that builds a pretty package that they would most likely be able to get top dollar from advertisers / ex-lovers / employers / anyone willing to pay.
I see a lot of people dismissing these new permissions as "oh, you're just being paranoid" and it's absolutely frightening. This is literally the "worst case scenario" when it comes to handing private data to an external entity. People are countering with "Oh but you probably use adblock and it has this same permission" which is a false equivalence because while adblock (or similar things, such as ActivateOnSteam) could in theory do what SIH is now doing - they don't. Because it's fucking evil. I wouldn't even expect to see this level of fuckery on an official Facebook extension or Google anything - but to see this on a closed source application that's owned by a Russian gambling site is worthy of every red flag you can think of.
Sorry for the rant. Seriously though, it's time to uninstall this extension and find alternatives.
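An added example, not part of the original post and not SIH's or Enhanced Steam's code: a static check in JavaScript (Node) that flags, in an unpacked extension, the things the post describes: the `<all_urls>` and `webRequest` permissions, a content script matched to every page, and input-event listeners. The manifest, the script text and `collector.example` are constructed samples, and the function names are hypothetical.

```javascript
// Constructed samples for illustration; not SIH's actual manifest or script.
const SAMPLE_MANIFEST = {
  permissions: ['storage', 'webRequest', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['js/common/frame.js'] }],
};
const SAMPLE_SCRIPT = `
  const ENDPOINT = 'https://collector.example/t';
  document.addEventListener('click', handler);
  document.addEventListener('keydown', handler);
  window.addEventListener('load', init);
`;

const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const INPUT_EVENTS = new Set(['click', 'mouseover', 'mouseout', 'focus', 'keydown', 'keyup', 'keypress', 'input']);

// Flag manifest entries that let the extension see every site.
function auditManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    if (BROAD_HOSTS.has(p)) findings.push(`broad host permission: ${p}`);
    if (p === 'webRequest') findings.push('webRequest: can observe every request');
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD_HOSTS.has(m))) {
      findings.push(`content script on every page: ${(cs.js || []).join(', ')}`);
    }
  }
  return findings;
}

// Flag input-event listeners and hard-coded remote hosts in a script's source.
function auditScript(name, source) {
  const findings = [];
  const events = new Set();
  for (const m of source.matchAll(/addEventListener\(\s*['"]([^'"]+)['"]/g)) {
    if (INPUT_EVENTS.has(m[1])) events.add(m[1]);
  }
  if (events.size) findings.push(`${name}: listens for ${[...events].sort().join(', ')}`);
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  if (hosts.size) findings.push(`${name}: references ${[...hosts].sort().join(', ')}`);
  return findings;
}

console.log([...auditManifest(SAMPLE_MANIFEST), ...auditScript('js/common/frame.js', SAMPLE_SCRIPT)].join('\n'));
```

A finding here is a reason to read the script, not proof of tracking: as the post says, an ad blocker carries the same permissions without doing what SIH does.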