Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

URGENT: SECURITY: New maintainer is probably malicious #1263

Open
TheMageKing opened this issue Nov 3, 2020 · 493 comments
Open

URGENT: SECURITY: New maintainer is probably malicious #1263

TheMageKing opened this issue Nov 3, 2020 · 493 comments

Comments

@TheMageKing
Copy link

@TheMageKing TheMageKing commented Nov 3, 2020

TLDR: The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more. In v7.1.8 of the extension (published to the web store but NOT to GitHub), arbitrary code was executed from a remote server, which appeared to be used to commit a variety of tracking and fraud actions. After Microsoft removed it from Edge for malware, v7.1.9 was created without this code: that has been the code distributed by the web store since November, and it does not appear to load the compromised script. However, the malicious maintainer remains in control, however, and can introduce an update at any time. It further appears that, while v7.1.9 was what was listed on the store, those who had the hostile v7.1.8 installed did NOT automatically receive the malware-removing update, and continued running the hostile code until Google force-disabled the extension.

The Great Suspender has been removed from the Chrome Web Store. To recover your tabs, see issue #526, or continue reading
The code in the Github repository is currently safe, and the most recent tagged release happened before the transfer of ownership. To use that version, and avoid needing to finagle URL's, enable Chrome developer mode, download and extract a copy of the code, then navigate to your extensions menu and select 'Load Unpacked Extension'.

Some others have had success simply pressing the "back" button on suspended tabs: everyone should note that the site's URL is included in the URL of the suspended page. For a pictorial guide on doing this, see this comment. Further, if you just want to reload lost tabs, you can use some form of File History on Chrome's user profile directory (while chrome is closed!), before restarting chrome and using the extension menu to unsuspend all tabs before your computer realizes the extension is banned again.

Because the malicious code loaded from a server by the extension in version 7.1.8 was heavily obfuscated, it is hard to say what may have been compromised. However, those who did manage to conduct an successful analysis of the code reported no password-stealing functionality in the copies that were archived. Indeed, it is highly unlikely that the extension would have been able to steal passwords. That being said, it is theoretically plausible: see my comment here. If you don't already, I highly recommend using a password manager like Bitwarden, to reduce the difficulty of changing your passwords, and to prevent an site that transmits and stores password information in a insecure way from causing the rest of your accounts to be compromised. Additionally, enabling two factor authentication wherever you can is a very easy and powerful way to make it virtually impossible for an attacker to get your data, even if they managed to retrieve passwords.

Full description of the issue:

@deanoemcke, the original developer, chose to step back from the extension in June 2020. As a replacement maintainer, he chose an unknown entity, who controls the single-purpose @greatsuspender Github account. Much was suspicious about this change, including mention of payment for an open-source extension, and complete lack of information on the new maintainers identity. However, as the new maintainer did nothing for several months, it was believed that there was simply a failed transfer. In October 2020, the maintainer updated chrome store package. The update raised red flags for some users, because the changelog was not modified and there was no tag created in GitHub. On investigation, it appeared that the extension was now connecting to various third-party servers, and executing code from them.

This lead a few users to panic, however, on closer investigation, it appeared that the third-party servers were part of an alternative to Google Analytics: and the changes shipped along with a new (though unexplained, #1260) tracking deactivation. It appears that deactivation works. We would later discover that this was wrong: See below

The discussion continued, however, because the new update also requested additional permissions, including the ability to manipulate all web requests. That lets the extension do what it pleases, including inserting ads, blocking sites, forcible redirects.... This change was supposedly in order to enable new screenshot functionality, but that was unclear, and probably shouldn't be needed.

Furthermore, the web store extension has diverged from its Github source. A minor change in the manifest was now being shipped on the chrome web store, which was not included in Github. This is a major concern: though again, it has a possible innocent explanation. While some think it is illegal given the license on the code, this may not be a GPL violation.. Because the minified script is not part of the extension, the license does not apply to it. Because of Web Store rules, the extension itself can be unpacked and inspected in full, human-readable form, likely satisfying the copyleft restrictions.

As a final red flag, no part of the web store posting has been updated to account for this. @deanoemcke remains listed as the maintainer, and the privacy policy makes no mention of the new tracking or maintainer. It has been several months since the transfer, but almost nothing reflects that change.

@deanoemcke did respond to the thread, after a significant delay. He confirmed much of what is above, including that the secret changes are limited to analytics and are disabled by the flag. However, he hasn't yet clarified what his relationship or basis of trust with the new maintainer is, nor has he explained why the initial post mentions a 'purchase'.

On November 6th, @lucasdf discovered a smoking gun that the new maintainer is malicious. Although OpenWebAnalytics is legitimate software, it does not provide the files executed by the extension. Those are hosted on the unrelated site owebanalytics.com, which turns out to be immensely suspicious. That site was created at the same time as the update, and is clearly designed to appear innocent, being hosted on a public webhost, and being given a seemingly innocent homepage from the CentOS project. However, the site contains no real information other than the tracking scripts, appears to have been purchased with BitCoin, and is only found in the context of this extension. Most importantly, the minified javascript differs significantly from that distributed by the OWA project.

@thibaudcolas has done a more detailed analysis then my quick look. He quickly located additional hardcoded values related to other, confirmed malicious extensions, implying that the new maintainer is responsible for them. He also found incredibly suspicious additional information, that makes it clear that the extension was not loading a modified version of OWA, but a trojan disguised as it. OWA has a PHP based backend, but the fakes are using NodeJS. The trojan sets cookies, which OWA doesn't use. The response to certain requests is a completely different type then legitimate OWA. Furthermore, @joepie91 has attempted to deconstruct the minified JS, and believes that the code intercepts all requests, meaning it can track you perfectly, and furthermore manipulates those requests and makes additional advertising requests. That means the author was probably attempting to commit several flavors of advertising fraud, as well as possibly tracking you globally.

While there once appeared to be an innocent explanation for this, I can no longer say that it is remotely likely. Using the chrome web store version 7.1.8 of this extension, without disabling tracking, executed code from an untrusted third-party on your computer, with the power to modify any and all websites that you see. The fact that disabling tracking still works is irrelevant given the fact that most of the 2 million users of this extension have no idea that that option even exists. The fact that the code may not be malware is meaningless in light of the fact that it can be changed without notice, and that it is minified (human-unreadable). The fact that a new version has since been pushed that disables this behavior isn't useful given that any future update reintroduicing the malicious code will occur without notifying the user.

Many users are worried enough about the changes that they completely uninstalled the extension, preferring alternatives instead. That extension has much fewer features, but is slightly better for performance. Others have begun building it from source, and installing it manually. If a person were to try to create a new web store release, they would need to change it significantly enough that Google wouldn't reject it as spam. To simply get a safe version for yourself, see further below. Before removing or modifying the extension on your computer, be sure to unsuspend all tabs, or you WILL lose them (though the original URL's can be extracted from the extension query's, and some are working on scripts to do just that, its easier to do just avoid all that.

Throughout the above discussions, which spanned several issues, now appear in news articles, the new maintainer has never posted on the thread, or interacted in any way with the repository. Despite an ongoing discussion about how they are plotting to destroy us all, they haven't done anything to assuage our concerns: likely in the hope that all those aware of the attack would move on eventually. They aren't dead, as they were quite quick to update the extension when Microsoft removed it for malware, and @deanoemcke reports that they. But the new maintainer might well be a literal cat on a keyboard, for the amount of interaction they have made with the community.

For those who don't want to continue using the extension, alternatives include Tabs Outliner, which lets you place tabs in an outline. Auto Tab Discard is very similar to TGS, however it always reloads the tab when it is focused. Session Buddy allows you to save tabs into "collections", that can be reviewed later, as well as providing security against crashes.

If you enjoy using the extension, and wish to continue using it as it was, download the source code from the Github repository (version 7.1.6), enable developer mode, select "Load unpacked extension", and point it at the /src directory. Bam! You are now running The Great Suspender as @deanoemcke created it. @aciidic has gone further, creating a new repository not under the control of the old maintainer, and with all tracking code removed, here. The Marvellous Suspender is another fork currently on the Chrome Web Store, for those who would prefer not to finagle with developer mode settings.

That concludes my summary. For more information, please do look further down on this thread, or at the original announcement (#1175). An analysis of the script is placed here.. Additional sources began covering this in January 2021, and a lot more picked it up after February Fourth for some bizarre reason that probably has nothing to do with the removal by Google.

Edit log

Edit 01: (2020-11-06) add details from this discussion
Edit 02: (2020-11-06) Update to reflect the newly discovered evidence for malice
Edit 03: (2020-12-06) Note technique to continue using TGS
Edit 04: (2021-01-03) Add "Urgent" to title (and WOW did people start noticing) (thanks twitter)
Edit 05: (2021-01-05) Note @thibaudcolas and his analysis.
Edit 06: (2021-01-08) Note @thibaudcolas's second analysis, clarify and copyedit throughout, and start adding dates to edits
Edit 07: (2021-01-08) Remind about the process of removing the extension, and note a bit more about maintainer
Edit 08: (2021-01-08) Last one for today, promise: Reformat edit list and other minor changes throughout,
Edit 09: (2021-02-04) Note removal from store
Edit 10: (2021-02-04) Fix bold
Edit 11: (2021-02-04) Add help for those worried about losing tabs in nice big bold letters
Edit 12: (2021-02-04) Add details about password security
Edit 13: (2021-02-04) Clarify compromise, beautify edit log
Edit 14: (2021-02-04) Obscure the fact that I made my first edits 9 months in the future (fix edit years)
Edit 15: (2021-02-05) Clarify probably breaches: regret decision to keep obsessive edit log
Edit 16: (2021-02-09) Realize that issue still contained the false implication that users were safe after November.

@XxX-Force
Copy link

@XxX-Force XxX-Force commented Nov 4, 2020

...
This lead a few users to panic, however, on closer investigation, it appeared that the third-party servers were part of an alternative to Google Analytics: and the changes shipped along with a new (though unexplained, #1260) tracking deactivation. It appears that deactivation works.
...
@deanoemcke did respond to the thread, after a significant delay. He confirmed much of what is above, including that the secret changes are limited to analytics and are disabled by the flag. However, he hasn't yet clarified what his relationship or basis of trust with the new maintainer is, nor has he explained why the initial post mentions a 'purchase'.
...

Are trckingbyte.com and trckpath.com part of Open Web Analytics? Because what I am seeing in @deanoemcke's post is him saying that he can't guarantee if the changes made are legitimate analytics or if they're malware:

I'm not an expert on what is legitimate analytics gathering ... and what is deemed malware.

I apologize for possibly exacerbating the "panic", but I am just asking, and trying to put a little extra emphasis on this, because when you say:

...on closer investigation, it appeared that _the third-party servers were part of an alternative to Google Analytics...

It just strikes me as sounding a little too forgiving / innocent, though I'm sure that's not your intent.

I also want to emphasize, @deanoemcke goes on to say in that post.

Giving the publisher the benefit of doubt, I would say that they have the right to collect extra analytics so long as it is within Google's policies, and is communicated to the user. There is a privacy policy linked on the chrome webstore (which I set up a while ago): https://greatsuspender.github.io/privacy

Of course, this assumes that Google are aware of these changes, and also that the linked privacy policy is still accurate.

We know that these new "analytics" were not communicated to the user. They do violate the established privacy policy. They violate Google's policies, as the information provided all over the extension's page at the Web Store is now inaccurate (owner, contact, saying the project is open source, etc) and the privacy policy itself is no longer accurate.

and @deanoemcke had previously assured us when this sale was announced:

...the project will remain open source and the code here on GitHub will continue to reflect the code published to the chrome webstore.

Although, apparently he cannot be held responsible for the actions of the current owner of the extension. But, this is why mom said you shouldn't make promises that you can't keep.

I appreciate you making this issue @TheMageKing, and I thank you for creating a more centralized location for discussion about this topic, which will hopefully reach more users and give them the information they need in order to make decisions about what to do. I apologize, because I realize much of what I said here is simply repeating what you already provided. I just felt the need to emphasize a couple of things.

Personally, I reported this extension at the Chrome Web Store on October 29, with the following:

"The extension was sold to an unknown party. This entity has "updated" the extension to v7.18 w/o publishing changes to Github. It is calling remote scripts and using remote tracking analytics, sending user information somewhere w/o user knowledge. PLEASE SEE: #1175 (comment) AND ALSO: #1175 (comment) .. Owner refuses to communicate or respond to anyone. Can only be considered as malicious/malware at this point. We have no idea what the full changes are to the code, or the ramifications of said changes."

I also reported the user @greatsuspender and the main repository to GitHub on October 29 with the following:

"This person/entity purchased the Chrome web browser extension "The Great Suspender" :

https://chrome.google.com/webstore/detail/the-great-suspender/klbibkeccnjlkjkiokjodocebajanakg

which has over 2 million users. The project is supposed to be open source, and the master repository for it is located here:

https://github.com/greatsuspender/thegreatsuspender

The announcement and information regarding the purchase/transfer is located here:

#1175

The new owner of the extension has made changes to the code, and pushed an update to the Chrome Web Store, bringing the version up to 7.18. However, they have NOT published the code changes to GitHub, and the latest release here is 7.16:

https://github.com/greatsuspender/thegreatsuspender/releases

Obviously, after the Nano fiasco, this has brought a great deal of warranted concern to the community. Despite many attempts from many people, they refuse to respond or communicate in any way with anyone. Neither does the former/original author. It has been discovered that the extension is now calling remote scripts. Please see:

#1175 (comment)

and also:

#1175 (comment)

The extension is now injecting a tracker which violates the Privacy Policy (also linked to from the Chrome Web Store) stated here:

https://greatsuspender.github.io/privacy

This privacy policy also has not been updated to reflect that the old owner no longer owns it, who the new owner is, or what their contact information might be. It states that the extension only uses Google Analytics, which is a lie.

The project can no longer be considered as open source, since the owner refuses to make the source open and available for review. It's my belief that this person/entity is acting in bad faith, and poses a danger to the community and to every Chrome user that installs this extension. This person has had every opportunity to clarify what is going on here, but apparently has no interest in transparency or communication.. leaving any reasonable person to wonder, why did they PURCHASE this Chrome extension?

Remote code execution w/o the user's knowledge. Code changes unpublished to GitHub, yet pushed to the Chrome Web Store. New trackers injected. Violating their own privacy policy.

@TheMageKing
Copy link
Author

@TheMageKing TheMageKing commented Nov 4, 2020

Are trckingbyte.com and trckpath.com part of Open Web Analytics? Because what I am seeing in @deanoemcke's post is him saying that he can't guarantee if the changes made are legitimate analytics or if they're malware

AFAIK, Dean's intention there is to comment that he doesn't know where each user draws the line between analytics and malware. Some people might think any sort of analytics is malware: others might disagree.

As for the trckingbyte.com and trckpath.com paths, they are not involved. They were found in other extensions, but do not appear in the distributed Great Suspender. My comment on the other thread explains what they are, and how they are not related to open web analytics (Okay, they are, but related as "Hackers rewriting open-source software for malicious purposes", not "Official part of system")

I apologize for possibly exacerbating the "panic", but I am just asking, and trying to put a little extra emphasis on this, because when you say:

...on closer investigation, it appeared that _the third-party servers were part of an alternative to Google Analytics...

It just strikes me as sounding a little too forgiving / innocent, though I'm sure that's not your intent.

Actually, it was. The open web analytics system, host of owebanalytics.com, really is a google analytics alternative. The code is hosted on a github repo with 1.3k stars, and there are people elsewhere who like it. The only reason I said "appears to be" is because I am quite busy, and I didn't have time to try and conduct any sort of detailed probe beyond that the website existed and wasn't written by a poor English speaker.

I also want to emphasize, @deanoemcke goes on to say in that post.

Giving the publisher the benefit of doubt, I would say that they have the right to collect extra analytics so long as it is within Google's policies, and is communicated to the user. There is a privacy policy linked on the chrome webstore (which I set up a while ago): https://greatsuspender.github.io/privacy
Of course, this assumes that Google are aware of these changes, and also that the linked privacy policy is still accurate.

We know that these new "analytics" were not communicated to the user. They do violate the established privacy policy. They violate Google's policies, as the information provided all over the extension's page at the Web Store is now inaccurate (owner, contact, saying the project is open source, etc) and the privacy policy itself is no longer accurate.

Indeed. This is the biggest reason why I am saying that they "appear malicious": those actions are major red flags, and it is sufficiently suspicious to justify a lot more scrutiny and skepticism than simple mistakes. But there is not yet evidence that they are actually malicious: everything can still be well explained by stupidity.

I'm not saying everything is rosy; there are major problems, right now. But it doesn't appear that we should start fearing for the safety of our passwords.

and @deanoemcke had previously assured us when this sale was announced:

...the project will remain open source and the code here on GitHub will continue to reflect the code published to the chrome webstore.

Although, apparently he cannot be held responsible for the actions of the current owner of the extension. But, this is why mom said you shouldn't make promises that you can't keep.

Yeah, mom seems to be right about a lot.

I appreciate you making this issue @TheMageKing, and I thank you for creating a more centralized location for discussion about this topic, which will hopefully reach more users and give them the information they need in order to make decisions about what to do. I apologize, because I realize much of what I said here is simply repeating what you already provided. I just felt the need to emphasize a couple of things.

Fair enough. I think I will edit that top post, to reflect some of this.

Personally, I reported this extension at the Chrome Web Store on October 29, with the following:

I, too have reported this on the web store. As a general rule, Google has more powers to remediate than Github: given that the source on Github is innocent, I doubt they will do much

I'll also respond to your comment in the other thread here, to condense this discussion more.

@TheMageKing, my comment was in reply to @ossilator's comment here, not to you. Regardless:
Oh, I know. I wanted to clear up some of your confusion.

... The extension is not directly connecting to the trck.... domains. It lacks the permissions to do so, -=-=-= AFAIK =-=-=-. Those sites are definitely malicious: they are hosted via a bitcoin hosting company, and were found in malicious extensions.
>...

Honestly, it's nothing personal, but this is exactly the problem. You DO NOT KNOW.

You might not be able to tell, but I hedge what I say quite a bit. I am not a Javascript developer, though I do comprehend it perfectly well. Nor do I design manifests for chrome applications.

By my understanding, based on a reading of the documentation on the subject, Google requires that all websites which the extension can connect to be independently specified in the manifest.json. In the section that I understand to control that, many sites are listed, including google-analytics.com, stats.g.doubleclick.net (the google analytics sites), and cdn.owebanalytics.com. The trck paths are not there, nor does the word 'trck' even appear anywhere in the distributed code.

So while I don't know, I can say that I am as certain as I can be, short of a Google developer stating otherwise.

-=-=-=-=-
On a completely unrelated note, I received an email notification at 7:51 Eastern Time that @danupo had commented :

"It looks like there is a "keypressEventHandler" defined that tries to steal the password with external javascript.
In addition, the "getPassword" function and other functions are defined.

As Japanese law prohibits putting any part of the malware code on it, could someone please check this?"

But, for some reason, I cannot find that comment here. @danupo, what's up?

I got that same notification: however, I found no evidence of those functions when I checked. It was very weird. I'm not certain of how to check on the event handler, but I did verify that no "getPassword" function was defined.

@XxX-Force
Copy link

@XxX-Force XxX-Force commented Nov 4, 2020

Thanks @TheMageKing. I'm just going to stfu and stop commenting about this entire situation because I'm obviously pissed off about the whole thing and my incivility isn't deserved or beneficial to anyone. Genuinely apologize to you and anyone else I may have been rude to. Good luck to all.

@TheMageKing
Copy link
Author

@TheMageKing TheMageKing commented Nov 4, 2020

You were fine: this is a pretty scary thing going on here.

@skycafemix
Copy link

@skycafemix skycafemix commented Nov 4, 2020

I would like to share my own decision and how it worked for me. THe answer is quite well without TheGreatSuspender so far!

After hearing what has happened, I feel very uncomfortable about TheGreatSuspender even though I really enjoyed it up to now. A quick check shows domains with bitcoin in the name and there is a strong attempt to remain anonymous. There is no way I can trust it. I have used TheGreatSuspender along with Tabs Outliner which I also love.

I decided to buy a Pro license from the author, Vladyslav Volovyk who I found is in the Ukraine. Even though there have been rumors and posts on the extension site, even quite recently about the it being abandonware due to lack of responses, I have found posts by the author elsewhere and he strikes me as being an okay and honest programmer. I cannot hold it against someone if they do not want to dedicate their life to something, and I think it is not abandonware. I decided I trust him far more than TheGreatSuspender, it works offline, and I want the automatic downloads and extra functionality of the non-free version.

I bought Tabs Outliner pro version for about US$14 with a VISA card and it was instant gratification (even though a week ago someone said they could not purchase.) Chrome on a 2019 Macbook Pro. It works great and has automatic backup both local and to Google Drive. I just wanted to post here and let you know I have just converted over 1000 tabs, which means going to each window and unsuspending them, then in Tabs Outliner just click the X to close the entire window. And maybe type a note to name the window, or not. Poof! All those minimized windows from TGS are gone. I started feeling lighter. But the pages can be reopened from the Internet obviously. I think you can even save a downloaded page to it, and you can write notes in the tab bookmark tree and so on. I had seen Chrome slowing everything down (surprising on a new Mac) to the point I had started using Safari in parallel. Well, I saved over 1.5GB according to the Chrome task manager and I feel a lot safer.

I noticed that actually Tabs Outliner even saves windows that had crashed a long, long time ago. But they also were TheGreatSuspender links. So now I am going to each ghost of a crashed window, restoring it from the net or not, and clearing it all out. When done I will fully deactivate and uninstall TheGreatSuspender.

Hope my experience helps. Tabs Outliner works fine in free mode and I have never lost data with it, though somewhere I saw written that Chrome's storage is not bulletproof. At any rate I feel quite happy with my decision and I think TGS anyway was getting unwieldy at 1000 tabs. This was a good opportunity to lose some weight.

@skycafemix
Copy link

@skycafemix skycafemix commented Nov 4, 2020

p.s. as far as storage not being bulletproof I can confirm that some windows that had been suspended with The Great Suspender recently did not survive a chrome crash - TGS was unable to restore them. So frankly, I think the idea of Tabs Outliner is superior to TGS even though it doesn't have the cute anime eyes. Good luck everyone, I do hope some resolution is found and the new pruchaser just turns out to be clueless, but I doubt it. Injecting anything into my data along with the other scary stuff mentioned by others is just not acceptable when I use this computer for work. I feel better without TGS.

@dmuth
Copy link

@dmuth dmuth commented Nov 5, 2020

This is concerning, so I too have migrated away from The Great Suspender. I can recommend Tabs Outliner as a good replacement.

@maxxyme
Copy link

@maxxyme maxxyme commented Nov 5, 2020

Thanks guys!!! I think that's definitely the kind of extension I was looking for due to my heavy use of tabs and "contexts" (i.e. links open from the same page). Will try & adopt for sure!!!

@evg-zhabotinsky
Copy link

@evg-zhabotinsky evg-zhabotinsky commented Nov 6, 2020

For anyone who is concerned by the "stealth tracking" (i.e. it not being mirrored on Github for some reason), you can always install from source. It is easy: go to chrome://extensions, enable developer mode, click "Load unpacked extension" and point it to the src folder from this repo. Done!

HOWEVER, I DON'T SEE THE CURRENT ISSUE (in itself) AS A REASON TO FREAK OUT:

  1. The third-party JS is loaded from OpenWebAnalytics CDN, so it should not be able to do anything bad? I'm not 100% sure, but:
  2. It does not even get loaded if you tick that "Automatic deactivation of any kind of tracking" checkbox in settings:
var owa_baseUrl = 'https://cdn.owebanalytics.com/';
var owa_cmds = owa_cmds || [];
function loadOpenWebAnalytics(version) {
  owa_cmds.push(['trackPageView']);
  (function () {
    var _owa = document.createElement('script');
    _owa.type = 'text/javascript';
    _owa.async = true;
    _owa.src =
      owa_baseUrl +
      'owa/modules/base/js/owa.tracker-combined-latest.minified.js?siteId=klbibkeccnjlkjkiokjodocebajanakg&apikey=2cf3d852ab70d359456ce3a0aac237a3&v=' + version;
    var _owa_s = document.getElementsByTagName('script')[0];
    _owa_s.parentNode.insertBefore(_owa, _owa_s);
  })();
}

function init() {
  if (!gsStorage.getOption('trackingOptOut')) {
    loadGoogleAnalytics(
      window,
      document,
      'script',
      'https://www.google-analytics.com/analytics.js',
      'ga'
    );

    let details = chrome.runtime.getManifest();
    loadOpenWebAnalytics(details.version);
  }
  gsAnalytics = gsAnalytics();
}

This is from the actual extension installed from the chrome store, 'trackingOptOut' option is set by that checkbox, and loadOpenWebAnalytics() isn't referenced anywhere else.

Yes, this is weird that they "hid" it like that. Might have to do with the hardcoded siteId and apikey, or maybe they "just wanted to experiment with it" (on users' machines, yes, but how else do you experiment with tracking?)

Yes, they handled their PR horrendously, but that doesn't mean they are automatically malicious! (And actually, "any PR is good PR". If it spreads and then it gets proven they did nothing malicious, then more people might use the extension and more would donate to them.)

Personally, I'm going to use the "developer mode install" option, but not to avoid that tracking. Mostly because of #1259 and other autoupdate-related issues, as developer-mode extensions don't get autoupdated.

@evg-zhabotinsky
Copy link

@evg-zhabotinsky evg-zhabotinsky commented Nov 6, 2020

Okay, as was mentioned on the other issue, the CDN isn't affiliated with OpenWebAnalytics so it can, in theory, serve anything.
However, it can still be disabled with that checkbox.
And, technically, I don't think they are violating GPL: The extension literally is the src folder in case of this repo, you can't run it without having the sources, and it also functions substantially without the thirdparty JS library.

@TheMageKing TheMageKing changed the title SECURITY: New maintainer appears malicious SECURITY: New maintainer is probably malicious Nov 7, 2020
@TheMageKing
Copy link
Author

@TheMageKing TheMageKing commented Nov 7, 2020

@evg-zhabotinsky The GPL violation was a stretch, only important we needed a way to poke the maintainer. Further, the extension on the web store is not just the src folder of this repo: there is a significant difference in the manifest.json.

@BenLeggiero
Copy link

@BenLeggiero BenLeggiero commented Feb 11, 2021

To anyone who wants a legitimate reason to have hundreds of tabs open at once:

My work involves using an issue tracker (Jira). For each ticket assigned to me which is not yet out in production, I open a new window and pin that issue as a tab. In each window, I have tabs open relating to all the research I did while working on that ticket. This results in dozens of windows, each with dozens of tabs.

This isn't an ADD thing; this isn't a bad habit thing; this is an intentional choice I made which boosts my productivity greatly, and keeps me on-track over so many more things than my peers, helping me task-switch much more easily without losing any context.

I need a suspend extension to enable this, so that the browser doesn't take up so many resources as to make my workstation unusable for anything else.


Before you tell me to use OneTab for this: I do, to archive windows for old tickets in case I need their context in another ticket. Open windows are for active tickets, since I do switch between them throughout the workday.

@minig0d
Copy link

@minig0d minig0d commented Feb 11, 2021

@minig0d There are many different tab-suspending alternatives. Auto Tab Discard is an example, though it lacks the gleaming polish of TGS.

There very well may be... I just am not familiar with any to recommend such. And due to the previously discussed security concerns, and even Google's own recommendations, you should always run the minimum extensions necessary for exactly this reason. Hence the suggestion that people TRY not utilizing one again. When I first started using TGS, Chrome was eating up 3x the memory it does now, so depending on use-case it may not be necessary for some people (which makes it even more ideal).

However, relying on Chrome's built-in memory saving is not an effective solution. Chrome will not discard tabs unless memory is running very low: that means a higher memory pressure, which leads to more swapping.

Have you looked into the latest changes? It does not completely discard the tab, However it slows the heck out of almost all background tasks and (completely?) halts requestAnimationFrame on background tabs, which won't necessarily help memory, but could depending on why the page is using so much...

But additionally the #tab-groups-collapse-freezing may not be completely automatic but it will probably fit into a lot of people's workflows... There's not really great documentation on it yet but:
Official: https://bugs.chromium.org/p/chromium/issues/detail?id=1110108
A blog post that has shows tab groups: https://chromeunboxed.com/ive-fallen-in-love-with-chrome-tab-groups
(Additionally it sounds like these are available in Brave and Edge too.)

Manifest V3 changes many things, but the core functionality of TGS will remain possible (adblockers will be crippled, but that's not the point). A rewrite may be required, but the Marvelous Suspender fork has already made some pretty significant changes, and I don't see the service worker requirement as crippling.

Not sure what you're referring to completely. If the Marvelous Suspender has been rewritten to not require the extensive permissions requested, that's great and could be a viable solution for some people. I have not looked through TGS's code to see what exactly it's using these elevated permissions for, but at least two of the API's included are removed so it would take at least some amount of rewriting, for sure. It may be minor cosmetic stuff and an easy fix, don't know haven't looked into it.

At the end of the day, the current state of computer security is abysmal. It doesn't really matter what extensions you use if an attacker abuses a 0day in Chrome to get sandbox escape from a seemingly innocent site. Any and every piece of software on your computer can become malicious at any time, and a large portion of them auto-update, or update without notice. The only way to be truly secure is to leave your computer off:

I agree in general. However, keep in mind, there are MANY different use cases. And some of us are in regulated industries where a data breach is much more significant than someone looking at some n00ds. And often, the most guilty people seem to be management who seem to be given local admin or power user access and aren't clamped down nearly as much. You're definitely right, nothing is for certain, but I certainly wouldn't want to guide a user into another precarious solution, would you?

as extensions are a usually a relatively safe way of adding functionality, it is totally fair to expect people to install them. Every single person who installed TGS got a big notice about how broad it's security permissions were, and went ahead with it anyways.

True, but the vast majority of people don't read the 100 pages of fine print when you sign up for a social media account either. People inherently trust there is at least some level of safety. This is also why lawmakers (at least in the US) are now actively wanting the fine print to be even more simplified. Up until 6 months ago, I really didn't understand the full implications of the permissions either and have been at this for a VERY long time...

I hope that, in the future, Chrome can consider making more fine-grained security permissions: reducing the number of situations where content scripts are necessary, such as by creating a separate API to examine DOM state from within a background script/service worker, which blocks access to sensitive elements. But extending functionality will always be a risk, and you must be willing to accept that if you don't want to stick to a text-mode browsing experience.

Well yeah that would certainly be nice from a security standpoint. My concern is more-so why does TGS have so many of these sensitive API's open, and the "highly rated" competitor ext I looked at did not? and it didn't require access to any of the more sensitive API's. I'm sure these weren't opened up unnecessarily, however, I do wonder if the need for some of the API's were really needed or they just supported a more "cosmetic" function.

In retrospect it also seems like part of the problem is that all the permissions are presented to the user as if they are equal risk rather than weighing/color coding them by risk (ex. API's like fontSettings being low risk, bookmarks being medium risk, and webRequest or file: being highest risk). The other part is that it requires the user actually know what the things are (ex. for contextMenu if they showed a picture of one and said, this will allow items to be added to the context menu, or more harsh sounding wording to better demonstrate the potential risk, ex. "This extension will be able to see the complete contents (text, images, and other media) of every website you visit, will be able to inspect all your keystrokes, including passwords, will be able to see authentication tokens, and can potentially transmit them an identity thief in a foreign nation..." I'm guessing some people would think twice :)

@jimmhay
Copy link

@jimmhay jimmhay commented Feb 11, 2021

But thanks for the kind words... next time maybe I'll just suggest people RTFM?

@minig0d I asked the original question and I do appreciate the response, aiming for a healthier tab habit is a valid (and clearly the safest overall) solution.

FWIW - I had reviewed the entire thread and was still unclear what was safe / active / recommended by those who know more than the n00bs among us (ie me!). So a summary from someone more knowledgeable was helpful (for example, I was all-in on Marvellous Suspender since I had no idea it would soon stop working) and again, appreciated.

Thank you (and all others helping out here).

@minig0d
Copy link

@minig0d minig0d commented Feb 11, 2021

To anyone who wants a legitimate reason to have hundreds of tabs open at once:

My work involves using an issue tracker (Jira). For each ticket assigned to me which is not yet out in production, I open a new window and pin that issue as a tab. In each window, I have tabs open relating to all the research I did while working on that ticket. This results in dozens of windows, each with dozens of tabs.

This isn't an ADD thing; this isn't a bad habit thing; this is an intentional choice I made which boosts my productivity greatly, and keeps me on-track over so many more things than my peers, helping me task-switch much more easily without losing any context.

I need a suspend extension to enable this, so that the browser doesn't take up so many resources as to make my workstation unusable for anything else.

Before you tell me to use OneTab for this: I do, to archive windows for old tickets in case I need their context in another ticket. Open windows are for active tickets, since I do switch between them throughout the workday.

Can't judge as I've never used Jira... I'm guessing there is probably a way to extract and save the pertinent info and index/consolidate it for even quicker reference (if you ever got ambitious into further streamlining).. But from what it sounds like you're doing it sounds like the tab group collapse/freezing route would be a natural fit for your current workflow. Would check that route out if you haven't already.

@minig0d
Copy link

@minig0d minig0d commented Feb 11, 2021

But thanks for the kind words... next time maybe I'll just suggest people RTFM?

@minig0d I asked the original question and I do appreciate the response, aiming for a healthier tab habit is a valid (and clearly the safest overall) solution.

FWIW - I had reviewed the entire thread and was still unclear what was safe / active / recommended by those who know more than the n00bs among us (ie me!). So a summary from someone more knowledgeable was helpful (for example, I was all-in on Marvellous Suspender since I had no idea it would soon stop working) and again, appreciated.

Thank you (and all others helping out here).

Sorry, process improvement is my career so I may be a bit too passionate about it lol.

Marvelous suspender may continue working if the author updates it. I don't know the author and have no idea if they are intending to continue on with the development or if it was just a quick fork of this one to help people get back online quickly. If the intent is to further develop it (and therefore update it for the upcoming chrome changes), it very well may make a great alternative. Just hate for people to "go with" one solution, only to have to change again in the near future.

FWIW, (and anyone wondering) I believe I read somewhere (but could be wrong) that Manifest V3 was originally going to be mandatory as of last month, but then it got pushed back to an unspecified date. And who knows, something like this may prompt a sooner than later deadline... or not... :)

@PikminRed
Copy link

@PikminRed PikminRed commented Feb 11, 2021

Well, as far as I can tell, we have no proof that ownership of this extension was actually transferred, if we have no proof that a new party exists. It seems very likely that @deanoemcke was approached to add things to the extension, at the very least.
I have seen it speculated that the maintainer's github account could be compromised (i.e. sold to third party), but as this appears to be his professional account tied to his name I find that doubtful, especially given the lack of use of this repository for anything other than damage control. Which, by the way, isn't being done well at all, given that the users here are experienced enough to not buy the corporate-esque question dodging.

Without any evidence otherwise, it stands to reason that legal action starts at @deanoemcke

@Spaceghost
Copy link

@Spaceghost Spaceghost commented Feb 12, 2021

@Spaceghost
Copy link

@Spaceghost Spaceghost commented Feb 12, 2021

@minig0d Can you not derail this thread about the security with y'alls workflow nitpicking please? 😄

@PikminRed
Copy link

@PikminRed PikminRed commented Feb 12, 2021

@PikminRed Not correct. #1263 (comment)

What isn't, exactly? The linked comment is barely relevant.

@justingolden21
Copy link

@justingolden21 justingolden21 commented Feb 12, 2021

I've got an off-topic question:
Every time my computer turns on and I open Chrome, or Chrome restarts, after a few minutes, I get a popup that, once again, "The Great Suspender has been removed because it contains malware." Is there any way to stop these notifications from happening every time I open up Chrome, and does the extension actually exist on my computer despite removing it every time until I get the notification? I've gotten this notification probably ten times, and aside from being annoying, it's somewhat worrisome. Thanks in advance 😄

@makedir
Copy link

@makedir makedir commented Feb 12, 2021

@justingolden21 erm just remove the addon maybe? why keep it?

@barseghyanartur
Copy link

@barseghyanartur barseghyanartur commented Feb 13, 2021

@justingolden21:

Install The Marvellous Suspender.

@BenLeggiero
Copy link

@BenLeggiero BenLeggiero commented Feb 16, 2021

@justingolden21
Is there any way to stop these notifications from happening every time I open up Chrome

Try checking chrome://extensions/ to see if it's still there but disabled. If it is, click "Remove".
You might also want to check chrome://extensions/?id=klbibkeccnjlkjkiokjodocebajanakg specifically

@TheMageKing
Copy link
Author

@TheMageKing TheMageKing commented Feb 16, 2021

So, I just looked a bit more into the exact details of how and why many users didn't have the extension auto-update, and the results seem to support the conspiracy theory that there was no sale. I wasn't a big fan of that idea until now, because I am an
optimist who prefers to see the better side of people.

See, I had assumed that Chrome's developer system was fairly sophisticated, and allowed extension distributors to push out updates to the Web Store but not to all users, because of how I read the issue describing TGS's new update process. That isn't the case. However, there is no documented way to delay, decline, or impede updates, either for the user or the extension.

To implement it's update notification system, TGS used a now-deprecated API that is intended for chrome apps (not extensions!). The API fires an event, which was picked up by the extension and held onto until the user confirms that they are ready to update. However, in June 2020 (ie, after the sale), a commit by Dean Omecke (in gsSession.js) removed that portion of the code, causing the user to be unnotified and the extension to refuse to let the update proceed. The event would be caught, the tab backup made, but (if there were any suspended tabs) the extension would just wait.

A comment in his code states that the extension would update on the next browser restart. However, it looks like that isn't the case: in addition to many people reporting that the update never occurred, there is a several-year-old Chrome bug report that describes a failure to update. It looks as though the event is fired before the actual download of the update. Since this API is intended for chrome APPS (which are usually loaded after the browser when the user specifically requests to open them)
as opposed to EXTENSIONS (which are loaded as soon as the browser starts), I'm not sure the update COULD ever occur. Extensions are initialized as soon as the browser starts, meaning that the registration of the auto-updating-preventing event handler is done before it auto-updates.

So yeah. That seems to be why nobody got the 7.1.9 update, despite the chrome web store listing it as current.

@nfultz
Copy link

@nfultz nfultz commented Feb 16, 2021

To implement it's update notification system, TGS used a now-deprecated API that is intended for chrome apps (not extensions!). The API fires an event, which was picked up by the extension and held onto until the user confirms that they are ready to update. However, in June 2020 (ie, after the sale), a commit by Dean Omecke (in gsSession.js) removed that portion of the code, causing the user to be unnotified and the extension to refuse to let the update proceed. The event would be caught, the tab backup made, but (if there were any suspended tabs) the extension would just wait.

Just a side note - the current extension API docs are super broken, they marked every single page deprecated because they are deprecating "chrome apps" but not "chrome extensions" while at the same time moving from MV2 to MV3 - see the discussion on the crx mailing list asking why chrome.tabs is marked deprecated. I'm not sure if the specific API you are talking about is for-real deprecated or just badly documented, generally most of the event handlers should stick around though.

@TheMageKing
Copy link
Author

@TheMageKing TheMageKing commented Feb 16, 2021

It's listed as a "chrome app" API, along with the rest of the Chrome.runtime set, which also includes a whole bunch of API's for interacting with lower-level OS functions (like opening ports to native devices, restarting ChromeOS devices in Kiosk mode, ect)

@nfultz
Copy link

@nfultz nfultz commented Feb 16, 2021

Right, they put the below message on every single API page in the extension developer docs.

This API is part of the deprecated Chrome Apps platform. Learn more about migrating your app.

chrome.runtime is probably sticking around, it's how you check errors on callbacks, for example, or pass messages between different pages.

@justingolden21
Copy link

@justingolden21 justingolden21 commented Feb 16, 2021

@justingolden21
Is there any way to stop these notifications from happening every time I open up Chrome

Try checking chrome://extensions/ to see if it's still there but disabled. If it is, click "Remove".
You might also want to check chrome://extensions/?id=klbibkeccnjlkjkiokjodocebajanakg specifically

That worked, thanks! When it explicitly told me it was removed, then I went to the store page to confirm, I assumed it was actually removed, but apparently it was still there, just disabled. Chrome really needs to handle that better...

@danielmotaleite
Copy link

@danielmotaleite danielmotaleite commented Feb 17, 2021

@barseghyanartur I hope there is an initiative for firefox version of this addon like this one (gioxx#18)

Oh wow, I didn't know about the gioxx/MarvellousSuspender. Thanks!

for firefox, you also have the https://add0n.com/tab-discard.html , that is a mozilla recommended add-on (ie: they did check the code and looks good)

@codefaux
Copy link

@codefaux codefaux commented Feb 17, 2021

Hey all - I dunno if this is related, or even relevant anymore, but it seems to be. For several months, one out of every hunred or so URLs which I would type into the URL bar would randomly bring me to some ad-laden privacy nightmare style site - things you get by mistyping popular URLs, designed to prey on people. Thing is, since it happened, I started VERY VERY CAREFULLY examining my entries before comfirming them and visiting that site.

I now believe that The Great Suspender may have been modifying my browsing attempts in some manner. I'll continue to monitor my browser's behavior, but have there been other reports of similar issues? (I tried searching the thread here but didn't notice any..)

@kashmirix
Copy link

@kashmirix kashmirix commented Feb 17, 2021

For several months, one out of every hunred or so URLs which I would type into the URL bar would randomly bring me to some ad-laden privacy nightmare style site - things you get by mistyping popular URLs, designed to prey on people.

I had something similar on a couple of occasions – seeing some sort of "You've won!" scam page instead of the intended website (which only displayed after reloading the page) – but I'm certain this happened also before installing TGS. I think it may have more to do with hacked servers than with the browser, esp. that I also experienced this yesterday when browsing from mobile.

@codefaux
Copy link

@codefaux codefaux commented Feb 17, 2021

For several months, one out of every hunred or so URLs which I would type into the URL bar would randomly bring me to some ad-laden privacy nightmare style site - things you get by mistyping popular URLs, designed to prey on people.

I had something similar on a couple of occasions – seeing some sort of "You've won!" scam page instead of the intended website (which only displayed after reloading the page) – but I'm certain this happened also before installing TGS. I think it may have more to do with hacked servers than with the browser, esp. that I also experienced this yesterday when browsing from mobile.

In my specific case, I'm speaking specifically regarding desktop Chrome typed-URL hijacking. ESPECIALLY on mobile, misclicks/moved-item taps/adware/hijacks/whatever (especially when dealing with piracy-related items) happen due purely to the nature of mobile devices, their browsers' rendering engines, misleading links you can't verify before operating on, page load order tricks designed to move items, and a myriad other factors -- and is an entirely separate arena and topic material.

To further define the behavior -- specifically at times that I KNOW I typed a domain name correctly, I'll be bounced to some random ad platform. I struggle for the word, but we all know the type of site I mean. I've verified rigorously that my DNS is clean - I run a local DNS caching server which is fed by DNS-over-TLS, and I hesitate to believe that I missed anything there. History in-browser indicates that I typed the correct URL, but the browser behaves as if it believes it was redirected by the properly-typed site itself -- however that's the deepest I was ever able to inspect.

Regarding other plugins, the -only- three other plugins I used (aside from TGS) during the timeframe are uBlock Origin, Font Rendering Enhancer, and HTTPS Everywhere -- but like TGS until recently, their reputations have been clean to my knowledge.

Has anyone else - using a desktop browser, with the TGS plugin and no other likely causes - had a similar experience?

@joepie91
Copy link

@joepie91 joepie91 commented Feb 17, 2021

Yes, this is exactly the sort of behaviour that TGS could have exhibited. The code for this sort of request interception was present in the extension. It may still have been caused by something else, but it's definitely possible that it came from TGS.

@TacoTheDank
Copy link

@TacoTheDank TacoTheDank commented Feb 19, 2021

@codefaux

...would randomly bring me to some ad-laden privacy nightmare style site - things you get by mistyping popular URLs, designed to prey on people.

This itself is called typosquatting. This is probably what you were experiencing, though to have it happen that often is pretty peculiar.

@matt-kruse
Copy link

@matt-kruse matt-kruse commented Feb 19, 2021

the conspiracy theory that there was no sale

Is it a conspiracy theory? I see it as the only reasonable explanation. It was my first conclusion about 30 seconds after learning about all of this. Why? Because it looks exactly how I would imagine I'd do it if I were in his shoes, which I have been.

Any reasonable developer with integrity who learned he accidentally sold his extension to a malicious person who took advantage of his million users would surely be pissed, get involved, and expose as much detail as legally possible. When my account was hacked and Russians published a malicious update to my extension, I was quick to notify users, was transparent about everything, wrote blog posts, Facebook posts, etc.

In this case, the silence speaks volumes.

Again, I have no direct evidence or proof of this. But I think the "no sale" theory should be the default until/unless proven otherwise.

@kashmirix
Copy link

@kashmirix kashmirix commented Feb 19, 2021

@codefaux

...would randomly bring me to some ad-laden privacy nightmare style site - things you get by mistyping popular URLs, designed to prey on people.

This itself is called typosquatting. This is probably what you were experiencing, though to have it happen that often is pretty peculiar.

No, this was about URL hijacking, not about cybersquatting. Please don't suggest people don't know what they type/paste in the URL field, even though they wrote that there were no typos.

@JoshC8C7
Copy link

@JoshC8C7 JoshC8C7 commented Feb 21, 2021

For several months, one out of every hunred or so URLs which I would type into the URL bar would randomly bring me to some ad-laden privacy nightmare style site - things you get by mistyping popular URLs, designed to prey on people.

I had something similar on a couple of occasions – seeing some sort of "You've won!" scam page instead of the intended website (which only displayed after reloading the page) – but I'm certain this happened also before installing TGS. I think it may have more to do with hacked servers than with the browser, esp. that I also experienced this yesterday when browsing from mobile.

In my specific case, I'm speaking specifically regarding desktop Chrome typed-URL hijacking. ESPECIALLY on mobile, misclicks/moved-item taps/adware/hijacks/whatever (especially when dealing with piracy-related items) happen due purely to the nature of mobile devices, their browsers' rendering engines, misleading links you can't verify before operating on, page load order tricks designed to move items, and a myriad other factors -- and is an entirely separate arena and topic material.

To further define the behavior -- specifically at times that I KNOW I typed a domain name correctly, I'll be bounced to some random ad platform. I struggle for the word, but we all know the type of site I mean. I've verified rigorously that my DNS is clean - I run a local DNS caching server which is fed by DNS-over-TLS, and I hesitate to believe that I missed anything there. History in-browser indicates that I typed the correct URL, but the browser behaves as if it believes it was redirected by the properly-typed site itself -- however that's the deepest I was ever able to inspect.

Regarding other plugins, the -only- three other plugins I used (aside from TGS) during the timeframe are uBlock Origin, Font Rendering Enhancer, and HTTPS Everywhere -- but like TGS until recently, their reputations have been clean to my knowledge.

Has anyone else - using a desktop browser, with the TGS plugin and no other likely causes - had a similar experience?

I've had this exact experience re: seemingly random redirects on desktop chrome (which I hitherto assumed were just some hijacked sites or malicious ad code on said sites) although can't verify it wasn't due to other factors - I'm running uBlock origin, tabs outliner & Mybib but make no guarantees as to everything else being innocent. It happened infrequently enough that I can't tell if its stopped since dropping TGS (and thus if TGS may have been responsible).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet