URGENT: SECURITY: New maintainer is probably malicious #1263
Comments
Are trckingbyte.com and trckpath.com part of Open Web Analytics? Because what I am seeing in @deanoemcke's post is him saying that he can't guarantee if the changes made are legitimate analytics or if they're malware:
I apologize for possibly exacerbating the "panic", but I am just asking, and trying to put a little extra emphasis on this, because when you say:
It just strikes me as sounding a little too forgiving / innocent, though I'm sure that's not your intent. I also want to emphasize, @deanoemcke goes on to say in that post.
We know that these new "analytics" were not communicated to the user. They do violate the established privacy policy. They violate Google's policies, as the information provided all over the extension's page at the Web Store is now inaccurate (owner, contact, saying the project is open source, etc) and the privacy policy itself is no longer accurate. And @deanoemcke had previously assured us when this sale was announced:
Although, apparently he cannot be held responsible for the actions of the current owner of the extension. But, this is why mom said you shouldn't make promises that you can't keep. I appreciate you making this issue @TheMageKing, and I thank you for creating a more centralized location for discussion about this topic, which will hopefully reach more users and give them the information they need in order to make decisions about what to do. I apologize, because I realize much of what I said here is simply repeating what you already provided. I just felt the need to emphasize a couple of things. Personally, I reported this extension at the Chrome Web Store on October 29, with the following:
I also reported the user @greatsuspender and the main repository to GitHub on October 29 with the following:
|
AFAIK, Dean's intention there is to comment that he doesn't know where each user draws the line between analytics and malware. Some people might think any sort of analytics is malware: others might disagree. As for the trckingbyte.com and trckpath.com paths, they are not involved. They were found in other extensions, but do not appear in the distributed Great Suspender. My comment on the other thread explains what they are, and how they are not related to open web analytics (Okay, they are, but related as "Hackers rewriting open-source software for malicious purposes", not "Official part of system")
Actually, it was. The open web analytics system, host of owebanalytics.com, really is a google analytics alternative. The code is hosted on a github repo with 1.3k stars, and there are people elsewhere who like it. The only reason I said "appears to be" is because I am quite busy, and I didn't have time to try and conduct any sort of detailed probe beyond that the website existed and wasn't written by a poor English speaker.
Indeed. This is the biggest reason why I am saying that they "appear malicious": those actions are major red flags, and it is sufficiently suspicious to justify a lot more scrutiny and skepticism than simple mistakes. But there is not yet evidence that they are actually malicious: everything can still be well explained by stupidity. I'm not saying everything is rosy; there are major problems, right now. But it doesn't appear that we should start fearing for the safety of our passwords.
Yeah, mom seems to be right about a lot.
Fair enough. I think I will edit that top post, to reflect some of this.
I, too, have reported this on the web store. As a general rule, Google has more powers to remediate than Github: given that the source on Github is innocent, I doubt they will do much. I'll also respond to your comment in the other thread here, to condense this discussion more.
You might not be able to tell, but I hedge what I say quite a bit. I am not a Javascript developer, though I do comprehend it perfectly well. Nor do I design manifests for chrome applications. By my understanding, based on a reading of the documentation on the subject, Google requires that all websites which the extension can connect to be independently specified in the manifest.json. In the section that I understand to control that, many sites are listed, including google-analytics.com, stats.g.doubleclick.net (the google analytics sites), and cdn.owebanalytics.com. The trck paths are not there, nor does the word 'trck' even appear anywhere in the distributed code. So while I don't know, I can say that I am as certain as I can be, short of a Google developer stating otherwise.
I got that same notification: however, I found no evidence of those functions when I checked. It was very weird. I'm not certain of how to check on the event handler, but I did verify that no "getPassword" function was defined. |
Thanks @TheMageKing. I'm just going to stfu and stop commenting about this entire situation because I'm obviously pissed off about the whole thing and my incivility isn't deserved or beneficial to anyone. Genuinely apologize to you and anyone else I may have been rude to. Good luck to all. |
You were fine: this is a pretty scary thing going on here. |
I would like to share my own decision and how it worked for me. The answer is quite well without TheGreatSuspender so far! After hearing what has happened, I feel very uncomfortable about TheGreatSuspender even though I really enjoyed it up to now. A quick check shows domains with bitcoin in the name and there is a strong attempt to remain anonymous. There is no way I can trust it. I have used TheGreatSuspender along with Tabs Outliner which I also love. I decided to buy a Pro license from the author, Vladyslav Volovyk who I found is in the Ukraine. Even though there have been rumors and posts on the extension site, even quite recently about it being abandonware due to lack of responses, I have found posts by the author elsewhere and he strikes me as being an okay and honest programmer. I cannot hold it against someone if they do not want to dedicate their life to something, and I think it is not abandonware. I decided I trust him far more than TheGreatSuspender, it works offline, and I want the automatic downloads and extra functionality of the non-free version. I bought Tabs Outliner pro version for about US$14 with a VISA card and it was instant gratification (even though a week ago someone said they could not purchase.) Chrome on a 2019 Macbook Pro. It works great and has automatic backup both local and to Google Drive. I just wanted to post here and let you know I have just converted over 1000 tabs, which means going to each window and unsuspending them, then in Tabs Outliner just click the X to close the entire window. And maybe type a note to name the window, or not. Poof! All those minimized windows from TGS are gone. I started feeling lighter. But the pages can be reopened from the Internet obviously. I think you can even save a downloaded page to it, and you can write notes in the tab bookmark tree and so on. I had seen Chrome slowing everything down (surprising on a new Mac) to the point I had started using Safari in parallel.
Well, I saved over 1.5GB according to the Chrome task manager and I feel a lot safer. I noticed that actually Tabs Outliner even saves windows that had crashed a long, long time ago. But they also were TheGreatSuspender links. So now I am going to each ghost of a crashed window, restoring it from the net or not, and clearing it all out. When done I will fully deactivate and uninstall TheGreatSuspender. Hope my experience helps. Tabs Outliner works fine in free mode and I have never lost data with it, though somewhere I saw written that Chrome's storage is not bulletproof. At any rate I feel quite happy with my decision and I think TGS anyway was getting unwieldy at 1000 tabs. This was a good opportunity to lose some weight. |
p.s. as far as storage not being bulletproof I can confirm that some windows that had been suspended with The Great Suspender recently did not survive a chrome crash - TGS was unable to restore them. So frankly, I think the idea of Tabs Outliner is superior to TGS even though it doesn't have the cute anime eyes. Good luck everyone, I do hope some resolution is found and the new purchaser just turns out to be clueless, but I doubt it. Injecting anything into my data along with the other scary stuff mentioned by others is just not acceptable when I use this computer for work. I feel better without TGS. |
This is concerning, so I too have migrated away from The Great Suspender. I can recommend Tabs Outliner as a good replacement. |
Thanks guys!!! I think that's definitely the kind of extension I was looking for due to my heavy use of tabs and "contexts" (i.e. links open from the same page). Will try & adopt for sure!!! |
For anyone who is concerned by the "stealth tracking" (i.e. it not being mirrored on Github for some reason), you can always install from source. It is easy: go to HOWEVER, I DON'T SEE THE CURRENT ISSUE (in itself) AS A REASON TO FREAK OUT:
This is from the actual extension installed from the chrome store, 'trackingOptOut' option is set by that checkbox, and Yes, this is weird that they "hid" it like that. Might have to do with the hardcoded siteId and apikey, or maybe they "just wanted to experiment with it" (on users' machines, yes, but how else do you experiment with tracking?) Yes, they handled their PR horrendously, but that doesn't mean they are automatically malicious! (And actually, "any PR is good PR". If it spreads and then it gets proven they did nothing malicious, then more people might use the extension and more would donate to them.) Personally, I'm going to use the "developer mode install" option, but not to avoid that tracking. Mostly because of #1259 and other autoupdate-related issues, as developer-mode extensions don't get autoupdated. |
Okay, as was mentioned on the other issue, the CDN isn't affiliated with OpenWebAnalytics so it can, in theory, serve anything. |
@evg-zhabotinsky The GPL violation was a stretch, only important we needed a way to poke the maintainer. Further, the extension on the web store is not just the src folder of this repo: there is a significant difference in the manifest.json. |
To anyone who wants a legitimate reason to have hundreds of tabs open at once: My work involves using an issue tracker (Jira). For each ticket assigned to me which is not yet out in production, I open a new window and pin that issue as a tab. In each window, I have tabs open relating to all the research I did while working on that ticket. This results in dozens of windows, each with dozens of tabs. This isn't an ADD thing; this isn't a bad habit thing; this is an intentional choice I made which boosts my productivity greatly, and keeps me on-track over so many more things than my peers, helping me task-switch much more easily without losing any context. I need a suspend extension to enable this, so that the browser doesn't take up so many resources as to make my workstation unusable for anything else. Before you tell me to use OneTab for this: I do, to archive windows for old tickets in case I need their context in another ticket. Open windows are for active tickets, since I do switch between them throughout the workday. |
There very well may be... I just am not familiar with any to recommend such. And due to the previously discussed security concerns, and even Google's own recommendations, you should always run the minimum extensions necessary for exactly this reason. Hence the suggestion that people TRY not utilizing one again. When I first started using TGS, Chrome was eating up 3x the memory it does now, so depending on use-case it may not be necessary for some people (which makes it even more ideal).
Have you looked into the latest changes? It does not completely discard the tab. However, it slows the heck out of almost all background tasks and (completely?) halts requestAnimationFrame on background tabs, which won't necessarily help memory, but could depending on why the page is using so much... But additionally the #tab-groups-collapse-freezing may not be completely automatic but it will probably fit into a lot of people's workflows... There's not really great documentation on it yet but:
Not sure what you're referring to completely. If the Marvelous Suspender has been rewritten to not require the extensive permissions requested, that's great and could be a viable solution for some people. I have not looked through TGS's code to see what exactly it's using these elevated permissions for, but at least two of the API's included are removed so it would take at least some amount of rewriting, for sure. It may be minor cosmetic stuff and an easy fix, don't know haven't looked into it.
I agree in general. However, keep in mind, there are MANY different use cases. And some of us are in regulated industries where a data breach is much more significant than someone looking at some n00ds. And often, the most guilty people seem to be management who seem to be given local admin or power user access and aren't clamped down nearly as much. You're definitely right, nothing is for certain, but I certainly wouldn't want to guide a user into another precarious solution, would you?
True, but the vast majority of people don't read the 100 pages of fine print when you sign up for a social media account either. People inherently trust there is at least some level of safety. This is also why lawmakers (at least in the US) are now actively wanting the fine print to be even more simplified. Up until 6 months ago, I really didn't understand the full implications of the permissions either and have been at this for a VERY long time...
Well yeah that would certainly be nice from a security standpoint. My concern is more-so why does TGS have so many of these sensitive API's open, and the "highly rated" competitor ext I looked at did not? and it didn't require access to any of the more sensitive API's. I'm sure these weren't opened up unnecessarily, however, I do wonder if the need for some of the API's were really needed or they just supported a more "cosmetic" function. In retrospect it also seems like part of the problem is that all the permissions are presented to the user as if they are equal risk rather than weighing/color coding them by risk (ex. API's like fontSettings being low risk, bookmarks being medium risk, and webRequest or file: being highest risk). The other part is that it requires the user actually know what the things are (ex. for contextMenu if they showed a picture of one and said, this will allow items to be added to the context menu, or more harsh sounding wording to better demonstrate the potential risk, ex. "This extension will be able to see the complete contents (text, images, and other media) of every website you visit, will be able to inspect all your keystrokes, including passwords, will be able to see authentication tokens, and can potentially transmit them to an identity thief in a foreign nation..." I'm guessing some people would think twice :) |
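The manifest comparison and risk weighting discussed in the comments above, sketched as an added example (not code from the extension, its repository, or any commenter). Both manifests are constructed samples, `cdn.analytics.example` is a placeholder host, and the tier assignments beyond fontSettings, bookmarks and webRequest / file: are assumptions.

```javascript
// Added example, not code from the extension or its repository.
// Tiers extend the three examples given in the comment above (fontSettings,
// bookmarks, webRequest / file:); every other placement is an assumption.
const RISK = {
  high: ["webRequest", "webRequestBlocking", "cookies", "history"],
  medium: ["bookmarks", "tabs", "downloads"],
  low: ["fontSettings", "contextMenus", "storage", "alarms"],
};

// In Manifest V2, host match patterns share the "permissions" array with API names.
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

function riskOf(p) {
  if (isHostPattern(p)) {
    // Every-site patterns and file: access rank highest; a single host ranks medium.
    return /^(<all_urls>|\*:\/\/\*\/|https?:\/\/\*\/|file:)/.test(p) ? "high" : "medium";
  }
  for (const tier of ["high", "medium", "low"]) {
    if (RISK[tier].includes(p)) return tier;
  }
  return "unknown";
}

// Flatten an MV2 content_security_policy string into "directive source" pairs,
// skipping quoted keywords such as 'self'.
function cspSources(manifest) {
  const csp = typeof manifest.content_security_policy === "string"
    ? manifest.content_security_policy : "";
  const out = [];
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (!name) continue;
    for (const s of sources) {
      if (!s.startsWith("'")) out.push(`${name} ${s}`);
    }
  }
  return out;
}

// Report everything the shipped manifest grants that the repository one does not.
function diffManifests(repo, store) {
  const added = (a, b) => b.filter((x) => !a.includes(x));
  const perms = (m) => [...(m.permissions || []), ...(m.optional_permissions || [])];
  const findings = [];
  for (const p of added(perms(repo), perms(store))) {
    findings.push({ kind: isHostPattern(p) ? "host" : "api", value: p, risk: riskOf(p) });
  }
  for (const s of added(cspSources(repo), cspSources(store))) {
    // A new remote script-src allows code that is not in the reviewed package to run.
    findings.push({ kind: "csp", value: s, risk: s.startsWith("script-src") ? "high" : "medium" });
  }
  const order = { high: 0, medium: 1, unknown: 2, low: 3 };
  return findings.sort((a, b) => order[a.risk] - order[b.risk]);
}

// Constructed sample manifests (not the real files).
const REPO_MANIFEST = {
  manifest_version: 2,
  permissions: ["tabs", "storage", "contextMenus", "http://*/*", "https://*/*"],
  content_security_policy: "script-src 'self'; object-src 'self'",
};
const STORE_MANIFEST = {
  manifest_version: 2,
  permissions: ["tabs", "storage", "contextMenus", "http://*/*", "https://*/*",
    "fontSettings", "webRequest", "<all_urls>"],
  content_security_policy:
    "script-src 'self' https://cdn.analytics.example; object-src 'self'",
};

for (const f of diffManifests(REPO_MANIFEST, STORE_MANIFEST)) {
  console.log(`${f.risk.toUpperCase().padEnd(7)} ${f.kind.padEnd(4)} ${f.value}`);
}
```

To use it on real files, parse the `manifest.json` from the repository checkout and the one from the unpacked store package with `JSON.parse` and pass both objects to `diffManifests`.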
@minig0d I asked the original question and I do appreciate the response, aiming for a healthier tab habit is a valid (and clearly the safest overall) solution. FWIW - I had reviewed the entire thread and was still unclear what was safe / active / recommended by those who know more than the n00bs among us (ie me!). So a summary from someone more knowledgeable was helpful (for example, I was all-in on Marvellous Suspender since I had no idea it would soon stop working) and again, appreciated. Thank you (and all others helping out here). |
Can't judge as I've never used Jira... I'm guessing there is probably a way to extract and save the pertinent info and index/consolidate it for even quicker reference (if you ever got ambitious into further streamlining).. But from what it sounds like you're doing it sounds like the tab group collapse/freezing route would be a natural fit for your current workflow. Would check that route out if you haven't already. |
Sorry, process improvement is my career so I may be a bit too passionate about it lol. Marvelous suspender may continue working if the author updates it. I don't know the author and have no idea if they are intending to continue on with the development or if it was just a quick fork of this one to help people get back online quickly. If the intent is to further develop it (and therefore update it for the upcoming chrome changes), it very well may make a great alternative. Just hate for people to "go with" one solution, only to have to change again in the near future. FWIW, (and anyone wondering) I believe I read somewhere (but could be wrong) that Manifest V3 was originally going to be mandatory as of last month, but then it got pushed back to an unspecified date. And who knows, something like this may prompt a sooner than later deadline... or not... :) |
Well, as far as I can tell, we have no proof that ownership of this extension was actually transferred, if we have no proof that a new party exists. It seems very likely that @deanoemcke was approached to add things to the extension, at the very least. Without any evidence otherwise, it stands to reason that legal action starts at @deanoemcke |
@PikminRed Not correct. #1263 (comment) |
@minig0d Can you not derail this thread about the security with y'alls workflow nitpicking please? |
What isn't, exactly? The linked comment is barely relevant. |
I've got an off-topic question: |
@justingolden21 erm just remove the addon maybe? why keep it? |
Install The Marvellous Suspender. |
Try checking chrome://extensions/ to see if it's still there but disabled. If it is, click "Remove". |
So, I just looked a bit more into the exact details of how and why many users didn't have the extension auto-update, and the results seem to support the conspiracy theory that there was no sale. I wasn't a big fan of that idea until now, because I am an See, I had assumed that Chrome's developer system was fairly sophisticated, and allowed extension distributors to push out updates to the Web Store but not to all users, because of how I read the issue describing TGS's new update process. That isn't the case. However, there is no documented way to delay, decline, or impede updates, either for the user or the extension. To implement its update notification system, TGS used a now-deprecated API that is intended for chrome apps (not extensions!). The API fires an event, which was picked up by the extension and held onto until the user confirms that they are ready to update. However, in June 2020 (ie, after the sale), a commit by Dean Oemcke (in gsSession.js) removed that portion of the code, causing the user to be unnotified and the extension to refuse to let the update proceed. The event would be caught, the tab backup made, but (if there were any suspended tabs) the extension would just wait. A comment in his code states that the extension would update on the next browser restart. However, it looks like that isn't the case: in addition to many people reporting that the update never occurred, there is a several-year-old Chrome bug report that describes a failure to update. It looks as though the event is fired before the actual download of the update. Since this API is intended for chrome APPS (which are usually loaded after the browser when the user specifically requests to open them) So yeah. That seems to be why nobody got the 7.1.9 update, despite the chrome web store listing it as current. |
Just a side note - the current extension API docs are super broken, they marked every single page deprecated because they are deprecating "chrome apps" but not "chrome extensions" while at the same time moving from MV2 to MV3 - see the discussion on the crx mailing list asking why chrome.tabs is marked deprecated. I'm not sure if the specific API you are talking about is for-real deprecated or just badly documented, generally most of the event handlers should stick around though. |
It's listed as a "chrome app" API, along with the rest of the Chrome.runtime set, which also includes a whole bunch of API's for interacting with lower-level OS functions (like opening ports to native devices, restarting ChromeOS devices in Kiosk mode, etc.) |
Right, they put the below message on every single API page in the extension developer docs.
|
That worked, thanks! When it explicitly told me it was removed, then I went to the store page to confirm, I assumed it was actually removed, but apparently it was still there, just disabled. Chrome really needs to handle that better... |
for firefox, you also have the https://add0n.com/tab-discard.html , that is a mozilla recommended add-on (ie: they did check the code and looks good) |
Hey all - I dunno if this is related, or even relevant anymore, but it seems to be. For several months, one out of every hundred or so URLs which I would type into the URL bar would randomly bring me to some ad-laden privacy nightmare style site - things you get by mistyping popular URLs, designed to prey on people. Thing is, since it happened, I started VERY VERY CAREFULLY examining my entries before confirming them and visiting that site. I now believe that The Great Suspender may have been modifying my browsing attempts in some manner. I'll continue to monitor my browser's behavior, but have there been other reports of similar issues? (I tried searching the thread here but didn't notice any..) |
I had something similar on a couple of occasions – seeing some sort of "You've won!" scam page instead of the intended website (which only displayed after reloading the page) – but I'm certain this happened also before installing TGS. I think it may have more to do with hacked servers than with the browser, esp. that I also experienced this yesterday when browsing from mobile. |
In my specific case, I'm speaking specifically regarding desktop Chrome typed-URL hijacking. ESPECIALLY on mobile, misclicks/moved-item taps/adware/hijacks/whatever (especially when dealing with piracy-related items) happen due purely to the nature of mobile devices, their browsers' rendering engines, misleading links you can't verify before operating on, page load order tricks designed to move items, and a myriad other factors -- and is an entirely separate arena and topic material. To further define the behavior -- specifically at times that I KNOW I typed a domain name correctly, I'll be bounced to some random ad platform. I struggle for the word, but we all know the type of site I mean. I've verified rigorously that my DNS is clean - I run a local DNS caching server which is fed by DNS-over-TLS, and I hesitate to believe that I missed anything there. History in-browser indicates that I typed the correct URL, but the browser behaves as if it believes it was redirected by the properly-typed site itself -- however that's the deepest I was ever able to inspect. Regarding other plugins, the -only- three other plugins I used (aside from TGS) during the timeframe are uBlock Origin, Font Rendering Enhancer, and HTTPS Everywhere -- but like TGS until recently, their reputations have been clean to my knowledge. Has anyone else - using a desktop browser, with the TGS plugin and no other likely causes - had a similar experience? |
Yes, this is exactly the sort of behaviour that TGS could have exhibited. The code for this sort of request interception was present in the extension. It may still have been caused by something else, but it's definitely possible that it came from TGS. |
This itself is called typosquatting. This is probably what you were experiencing, though to have it happen that often is pretty peculiar. |
Is it a conspiracy theory? I see it as the only reasonable explanation. It was my first conclusion about 30 seconds after learning about all of this. Why? Because it looks exactly how I would imagine I'd do it if I were in his shoes, which I have been. Any reasonable developer with integrity who learned he accidentally sold his extension to a malicious person who took advantage of his million users would surely be pissed, get involved, and expose as much detail as legally possible. When my account was hacked and Russians published a malicious update to my extension, I was quick to notify users, was transparent about everything, wrote blog posts, Facebook posts, etc. In this case, the silence speaks volumes. Again, I have no direct evidence or proof of this. But I think the "no sale" theory should be the default until/unless proven otherwise. |
No, this was about URL hijacking, not about cybersquatting. Please don't suggest people don't know what they type/paste in the URL field, even though they wrote that there were no typos. |
I've had this exact experience re: seemingly random redirects on desktop chrome (which I hitherto assumed were just some hijacked sites or malicious ad code on said sites) although can't verify it wasn't due to other factors - I'm running uBlock origin, tabs outliner & Mybib but make no guarantees as to everything else being innocent. It happened infrequently enough that I can't tell if it's stopped since dropping TGS (and thus if TGS may have been responsible). |
TLDR: The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more. In v7.1.8 of the extension (published to the web store but NOT to GitHub), arbitrary code was executed from a remote server, which appeared to be used to commit a variety of tracking and fraud actions. After Microsoft removed it from Edge for malware, v7.1.9 was created without this code: that has been the code distributed by the web store since November, and it does not appear to load the compromised script. However, the malicious maintainer remains in control and can introduce an update at any time. It further appears that, while v7.1.9 was what was listed on the store, those who had the hostile v7.1.8 installed did NOT automatically receive the malware-removing update, and continued running the hostile code until Google force-disabled the extension.
The Great Suspender has been removed from the Chrome Web Store. To recover your tabs, see issue #526, or continue reading.
The code in the Github repository is currently safe, and the most recent tagged release happened before the transfer of ownership. To use that version, and avoid needing to finagle URL's, enable Chrome developer mode, download and extract a copy of the code, then navigate to your extensions menu and select 'Load Unpacked Extension'.
Some others have had success simply pressing the "back" button on suspended tabs: everyone should note that the site's URL is included in the URL of the suspended page. For a pictorial guide on doing this, see this comment. Further, if you just want to reload lost tabs, you can use some form of File History on Chrome's user profile directory (while chrome is closed!), before restarting chrome and using the extension menu to unsuspend all tabs before your computer realizes the extension is banned again.
Because the malicious code loaded from a server by the extension in version 7.1.8 was heavily obfuscated, it is hard to say what may have been compromised. However, those who did manage to conduct a successful analysis of the code reported no password-stealing functionality in the copies that were archived. Indeed, it is highly unlikely that the extension would have been able to steal passwords. That being said, it is theoretically plausible: see my comment here. If you don't already, I highly recommend using a password manager like Bitwarden, to reduce the difficulty of changing your passwords, and to prevent a site that transmits and stores password information in an insecure way from causing the rest of your accounts to be compromised. Additionally, enabling two factor authentication wherever you can is a very easy and powerful way to make it virtually impossible for an attacker to get your data, even if they managed to retrieve passwords.
Full description of the issue:
@deanoemcke, the original developer, chose to step back from the extension in June 2020. As a replacement maintainer, he chose an unknown entity, who controls the single-purpose @greatsuspender Github account. Much was suspicious about this change, including mention of payment for an open-source extension, and complete lack of information on the new maintainer's identity. However, as the new maintainer did nothing for several months, it was believed that there was simply a failed transfer. In October 2020, the maintainer updated the Chrome store package. The update raised red flags for some users, because the changelog was not modified and there was no tag created in GitHub. On investigation, it appeared that the extension was now connecting to various third-party servers, and executing code from them.
This led a few users to panic, however, on closer investigation, it appeared that the third-party servers were part of an alternative to Google Analytics: and the changes shipped along with a new (though unexplained, #1260) tracking deactivation. It appears that deactivation works. We would later discover that this was wrong: See below
The discussion continued, however, because the new update also requested additional permissions, including the ability to manipulate all web requests. That lets the extension do what it pleases, including inserting ads, blocking sites, forcible redirects.... This change was supposedly in order to enable new screenshot functionality, but that was unclear, and probably shouldn't be needed.
Furthermore, the web store extension has diverged from its Github source. A minor change in the manifest was now being shipped on the chrome web store, which was not included in Github. This is a major concern: though again, it has a possible innocent explanation. While some think it is illegal given the license on the code, this may not be a GPL violation. Because the minified script is not part of the extension, the license does not apply to it. Because of Web Store rules, the extension itself can be unpacked and inspected in full, human-readable form, likely satisfying the copyleft restrictions.
As a final red flag, no part of the web store posting has been updated to account for this. @deanoemcke remains listed as the maintainer, and the privacy policy makes no mention of the new tracking or maintainer. It has been several months since the transfer, but almost nothing reflects that change.
@deanoemcke did respond to the thread, after a significant delay. He confirmed much of what is above, including that the secret changes are limited to analytics and are disabled by the flag. However, he hasn't yet clarified what his relationship or basis of trust with the new maintainer is, nor has he explained why the initial post mentions a 'purchase'.
On November 6th, @lucasdf discovered a smoking gun that the new maintainer is malicious. Although OpenWebAnalytics is legitimate software, it does not provide the files executed by the extension. Those are hosted on the unrelated site owebanalytics.com, which turns out to be immensely suspicious. That site was created at the same time as the update, and is clearly designed to appear innocent, being hosted on a public webhost, and being given a seemingly innocent homepage from the CentOS project. However, the site contains no real information other than the tracking scripts, appears to have been purchased with BitCoin, and is only found in the context of this extension. Most importantly, the minified javascript differs significantly from that distributed by the OWA project.
@thibaudcolas has done a more detailed analysis than my quick look. He quickly located additional hardcoded values related to other, confirmed malicious extensions, implying that the new maintainer is responsible for them. He also found incredibly suspicious additional information, that makes it clear that the extension was not loading a modified version of OWA, but a trojan disguised as it. OWA has a PHP based backend, but the fakes are using NodeJS. The trojan sets cookies, which OWA doesn't use. The response to certain requests is a completely different type than legitimate OWA. Furthermore, @joepie91 has attempted to deconstruct the minified JS, and believes that the code intercepts all requests, meaning it can track you perfectly, and furthermore manipulates those requests and makes additional advertising requests. That means the author was probably attempting to commit several flavors of advertising fraud, as well as possibly tracking you globally.
While there once appeared to be an innocent explanation for this, I can no longer say that it is remotely likely. Using the chrome web store version 7.1.8 of this extension, without disabling tracking, executed code from an untrusted third-party on your computer, with the power to modify any and all websites that you see. The fact that disabling tracking still works is irrelevant given the fact that most of the 2 million users of this extension have no idea that that option even exists. The fact that the code may not be malware is meaningless in light of the fact that it can be changed without notice, and that it is minified (human-unreadable). The fact that a new version has since been pushed that disables this behavior isn't useful given that any future update reintroducing the malicious code will occur without notifying the user.
Many users are worried enough about the changes that they completely uninstalled the extension, preferring alternatives instead. That extension has much fewer features, but is slightly better for performance. Others have begun building it from source, and installing it manually. If a person were to try to create a new web store release, they would need to change it significantly enough that Google wouldn't reject it as spam. To simply get a safe version for yourself, see further below. Before removing or modifying the extension on your computer, be sure to unsuspend all tabs, or you WILL lose them (though the original URLs can be extracted from the extension queries, and some are working on scripts to do just that, it's easier to just avoid all that).
Throughout the above discussions, which spanned several issues, now appear in news articles, the new maintainer has never posted on the thread, or interacted in any way with the repository. Despite an ongoing discussion about how they are plotting to destroy us all, they haven't done anything to assuage our concerns: likely in the hope that all those aware of the attack would move on eventually. They aren't dead, as they were quite quick to update the extension when Microsoft removed it for malware, and @deanoemcke reports that they. But the new maintainer might well be a literal cat on a keyboard, for the amount of interaction they have made with the community.
For those who don't want to continue using the extension, alternatives include Tabs Outliner, which lets you place tabs in an outline. Auto Tab Discard is very similar to TGS, however it always reloads the tab when it is focused. Session Buddy allows you to save tabs into "collections", that can be reviewed later, as well as providing security against crashes.
If you enjoy using the extension, and wish to continue using it as it was, download the source code from the GitHub repository (version 7.1.6), enable developer mode, select "Load unpacked extension", and point it at the /src directory. Bam! You are now running The Great Suspender as @deanoemcke created it. @aciidic has gone further, creating a new repository not under the control of the old maintainer, and with all tracking code removed, here. The Marvellous Suspender is another fork currently on the Chrome Web Store, for those who would prefer not to finagle with developer mode settings.
That concludes my summary. For more information, please do look further down on this thread, or at the original announcement (#1175). An analysis of the script is placed here. Additional sources began covering this in January 2021, and a lot more picked it up after February Fourth for some bizarre reason that probably has nothing to do with the removal by Google.
Edit log
Edit 01: (2020-11-06) add details from this discussion
Edit 02: (2020-11-06) Update to reflect the newly discovered evidence for malice
Edit 03: (2020-12-06) Note technique to continue using TGS
Edit 04: (2021-01-03) Add "Urgent" to title (and WOW did people start noticing) (thanks twitter)
Edit 05: (2021-01-05) Note @thibaudcolas and his analysis.
Edit 06: (2021-01-08) Note @thibaudcolas's second analysis, clarify and copyedit throughout, and start adding dates to edits
Edit 07: (2021-01-08) Remind about the process of removing the extension, and note a bit more about maintainer
Edit 08: (2021-01-08) Last one for today, promise: Reformat edit list and other minor changes throughout
Edit 09: (2021-02-04) Note removal from store
Edit 10: (2021-02-04) Fix bold
Edit 11: (2021-02-04) Add help for those worried about losing tabs in nice big bold letters
Edit 12: (2021-02-04) Add details about password security
Edit 13: (2021-02-04) Clarify compromise, beautify edit log
Edit 14: (2021-02-04) Obscure the fact that I made my first edits 9 months in the future (fix edit years)
Edit 15: (2021-02-05) Clarify probable breaches: regret decision to keep obsessive edit log
Edit 16: (2021-02-09) Realize that issue still contained the false implication that users were safe after November.
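The post above mentions that original URLs can be extracted from suspended tabs. The following is an added example, not code from this thread or from the extension: it recovers them from a list of tab URLs, assuming the suspended-tab layout `suspended.html#ttl=…&pos=…&uri=…` with an unencoded `uri` field last. The extension ID and sample URLs are constructed placeholders.

```javascript
// Assumed layout of a suspended tab's URL (not stated in this thread):
//   chrome-extension://<id>/suspended.html#ttl=<encoded title>&pos=<scroll>&uri=<original URL>
// The uri field comes last and is not percent-encoded, so it can contain '&'
// and '#'; a generic query-string parser would cut it short.
const SUSPENDED_RE = /^chrome-extension:\/\/[a-p]{32}\/suspended\.html#/;
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'ftp:', 'file:']);

function recoverOriginalUrl(tabUrl) {
  if (typeof tabUrl !== 'string' || !SUSPENDED_RE.test(tabUrl)) return null;
  const hash = tabUrl.slice(tabUrl.indexOf('#') + 1);
  const at = ('&' + hash).indexOf('&uri=');
  if (at === -1) return null;
  const original = hash.slice(at + 4); // everything after "uri=", verbatim
  try {
    // Reject values that are not ordinary web or file URLs.
    return ALLOWED_SCHEMES.has(new URL(original).protocol) ? original : null;
  } catch {
    return null;
  }
}

// Takes a list of tab URLs (for example, lines exported from a session
// manager) and returns them with every suspended entry replaced by its
// original URL. Suspended entries that cannot be recovered are listed
// separately so nothing is silently dropped.
function recoverAll(tabUrls) {
  const urls = [];
  const unrecovered = [];
  for (const raw of tabUrls) {
    const line = raw.trim();
    if (!line) continue;
    if (!SUSPENDED_RE.test(line)) { urls.push(line); continue; }
    const original = recoverOriginalUrl(line);
    (original ? urls : unrecovered).push(original || line);
  }
  return { urls, unrecovered };
}

// Constructed sample input; the extension ID is a placeholder.
const ID = 'a'.repeat(32);
const sample = [
  `chrome-extension://${ID}/suspended.html#ttl=Search%20%26%20results&pos=120&uri=https://example.com/find?q=a&page=2#top`,
  'https://example.org/already-open',
  `chrome-extension://${ID}/suspended.html#ttl=Broken&pos=0`,
  `chrome-extension://${ID}/suspended.html#ttl=Odd&pos=0&uri=javascript:void(0)`,
];
console.log(recoverAll(sample));
```

Entries in `unrecovered` keep their full suspended URL so they can be inspected by hand.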