Security

Pandi edited this page Dec 20, 2016 · 3 revisions

It is a legitimate question to ask about the security, especially for an extension which can store all the data you need to access your Steam account(s) and this way puts you at high risk of losing access to your accounts. Valve was clever enough to circumvent complaints about lost accounts by just adding the Mobile Authenticator (2FA). If you use 2FA and your account got stolen it is probably 100% your fault, and this way programs which use both Steam login credentials and 2FA are risky no matter what.

[To be removed]: There isn't any encryption for this extension yet; it needs to be added for the identity-secret, password, API key, product keys and probably some other data.

To understand Chrome's security concept for extensions we have to understand that on each website which is accessible by SARA or another extension, the data inside the page can be read by injecting a script. A very popular extension to do this easily is Tampermonkey. This said, you have to take care which userscripts you're using in Tampermonkey, and if you feel the need to use some userscript on Steam you have to check whether the script "phones home", i.e. sends data to a foreign website/URL/IP. To give you an example: if some extension like chromeIPass or Chrome itself injects login credentials into a page, they can be read by userscripts or extensions. Userscripts and extensions are also able to inject new HTML elements into the page head or body and execute an existing function in the JS scope of the page, and this way get user-specific data, cookies and more. BUT it isn't possible to execute JavaScript which is sandboxed inside another extension, unless the developer allows it and defines it in his manifest.json. It should be clear that no matter what the extension developer does to protect the user's data, it can easily be accessed by others if the user doesn't use his brain before installing an extension or userscript. It is also a good idea to use open-source extensions, especially if they are Steam-related and could potentially read and send your data. There you have multiple reasons to immediately stop using SIH, and one of the reasons why I started developing this extension further by implementing a bulk-sell option lately. To make it short: every extension has its own JS scope which acts like a sandbox, and the only scope they can share is the scope of a website, where they can inject scripts to read data like passwords from input elements or cookies, for example.

As long as you're using an encrypted connection (HTTPS) your data (the web page) should be secure and can't be read by anyone who is sniffing your network traffic, unless he has direct access to your router/switch/modem. This extension only injects scripts into the page's DOM to read some needed data in your inventory. SIH, for example, injects its whole (content) script into the page's DOM and directly interacts with variables of the page's JS scope, but is also vulnerable to scripts trying to read its data. There is more coding to do for me, because I can't transfer variables like g_ActiveInventory, since they use references to DOM elements, so I have to sort out the needed data. I'm aware this isn't the best approach, but in my opinion it adds more security.

To go more in depth I have to explain how this extension stores your data and why. During the development of this app I tried several approaches to make this extension available to the public, but struggled to figure out an easy setup for every user which doesn't involve any third-party program. I was using a "real" database (MySQL) in the beginning, which would be a good approach if it wasn't too difficult to set up for some users. After some time I read about WebSQL and tried to utilize it, found a nice grid (Syncfusion), and after some time realized it is outdated and should be replaced with IndexedDB. So I started to build my extension with IDB using the Dexie wrapper (thanks to @dfahlander for his great lib) and surprisingly it provides good performance (for browser-based databases). The database itself runs in the context of the page where it is used, and for this extension it runs in the "background" page, which is only accessible by this extension. And again, the point where your data could get exposed to other tools like extensions or userscripts is in the context of a website (steampowered.com, ...) by just injecting scripts into the page's DOM. Again, by design, there is nothing a developer could do to protect you from data theft if you use scripts and extensions which steal your data; just what I wrote above. [On future update] What we can do to protect your data is to encrypt it in a way where we can decrypt it later. To do so we need a key/password which you're asked for on every browser start or extension reload to "unlock". This way we can make sure that attackers who can read your local data will have a hard time decrypting it, as long as you're using a secure/long password for encryption. Also, when synchronizing with the Google API (optional) the data will always be sent encrypted, and this way will also be unreadable by Google or attackers without spending a lot of resources to decrypt it.

But that's not all. There is a third approach which I don't want to use, since it isn't adding more security to your data. You could "log into this extension" by using an OAuth API ("Sign in with Steam", for example) and this way establish a secure/encrypted connection to generate some kind of session token which then can be used as the password to access your encrypted data. In the end, even with this service the described security problems would be the same. It is up to the user to secure his data and it is up to the developer to close vulnerabilities. If you store your sensitive data in a text file and someone gets access to your PC and finds this plaintext, you're out of luck.

To sum this thread up: don't download software from untrusted places. Don't use any shady Steam-related userscript/extension/..., even this one, and you should be fine. If you want to use this extension you have to decide on your own if you can take the risks and if you have enough experience to know what you're doing.

For more explanation I suggest: Blog Chromium