URGENT: SECURITY: New maintainer is probably malicious #1263
Comments
Are trckingbyte.com and trckpath.com part of Open Web Analytics? Because what I am seeing in @deanoemcke's post is him saying that he can't guarantee if the changes made are legitimate analytics or if they're malware:
I apologize for possibly exacerbating the "panic", but I am just asking, and trying to put a little extra emphasis on this, because when you say:
It just strikes me as sounding a little too forgiving / innocent, though I'm sure that's not your intent. I also want to emphasize, @deanoemcke goes on to say in that post.
We know that these new "analytics" were not communicated to the user. They do violate the established privacy policy. They violate Google's policies, as the information provided all over the extension's page at the Web Store is now inaccurate (owner, contact, saying the project is open source, etc) and the privacy policy itself is no longer accurate. and @deanoemcke had previously assured us when this sale was announced:
Although, apparently he cannot be held responsible for the actions of the current owner of the extension. But, this is why mom said you shouldn't make promises that you can't keep. I appreciate you making this issue @TheMageKing, and I thank you for creating a more centralized location for discussion about this topic, which will hopefully reach more users and give them the information they need in order to make decisions about what to do. I apologize, because I realize much of what I said here is simply repeating what you already provided. I just felt the need to emphasize a couple of things. Personally, I reported this extension at the Chrome Web Store on October 29, with the following:
I also reported the user @greatsuspender and the main repository to GitHub on October 29 with the following:
|
AFAIK, Dean's intention there is to comment that he doesn't know where each user draws the line between analytics and malware. Some people might think any sort of analytics is malware: others might disagree. As for the trckingbyte.com and trckpath.com paths, they are not involved. They were found in other extensions, but do not appear in the distributed Great Suspender. My comment on the other thread explains what they are, and how they are not related to open web analytics (Okay, they are, but related as "Hackers rewriting open-source software for malicious purposes", not "Official part of system")
Actually, it was. The open web analytics system, host of owebanalytics.com, really is a google analytics alternative. The code is hosted on a github repo with 1.3k stars, and there are people elsewhere who like it. The only reason I said "appears to be" is because I am quite busy, and I didn't have time to try and conduct any sort of detailed probe beyond that the website existed and wasn't written by a poor English speaker.
Indeed. This is the biggest reason why I am saying that they "appear malicious": those actions are major red flags, and it is sufficiently suspicious to justify a lot more scrutiny and skepticism than simple mistakes. But there is not yet evidence that they are actually malicious: everything can still be well explained by stupidity. I'm not saying everything is rosy; there are major problems, right now. But it doesn't appear that we should start fearing for the safety of our passwords.
Yeah, mom seems to be right about a lot.
Fair enough. I think I will edit that top post, to reflect some of this.
I, too have reported this on the web store. As a general rule, Google has more powers to remediate than Github: given that the source on Github is innocent, I doubt they will do much I'll also respond to your comment in the other thread here, to condense this discussion more.
You might not be able to tell, but I hedge what I say quite a bit. I am not a Javascript developer, though I do comprehend it perfectly well. Nor do I design manifests for chrome applications. By my understanding, based on a reading of the documentation on the subject, Google requires that all websites which the extension can connect to be independently specified in the manifest.json. In the section that I understand to control that, many sites are listed, including google-analytics.com, stats.g.doubleclick.net (the google analytics sites), and cdn.owebanalytics.com. The trck paths are not there, nor does the word 'trck' even appear anywhere in the distributed code. So while I don't know, I can say that I am as certain as I can be, short of a Google developer stating otherwise.
I got that same notification: however, I found no evidence of those functions when I checked. It was very weird. I'm not certain of how to check on the event handler, but I did verify that no "getPassword" function was defined. |
|
Thanks @TheMageKing. I'm just going to stfu and stop commenting about this entire situation because I'm obviously pissed off about the whole thing and my incivility isn't deserved or beneficial to anyone. Genuinely apologize to you and anyone else I may have been rude to. Good luck to all. |
|
You were fine: this is a pretty scary thing going on here. |
|
I would like to share my own decision and how it worked for me. THe answer is quite well without TheGreatSuspender so far! After hearing what has happened, I feel very uncomfortable about TheGreatSuspender even though I really enjoyed it up to now. A quick check shows domains with bitcoin in the name and there is a strong attempt to remain anonymous. There is no way I can trust it. I have used TheGreatSuspender along with Tabs Outliner which I also love. I decided to buy a Pro license from the author, Vladyslav Volovyk who I found is in the Ukraine. Even though there have been rumors and posts on the extension site, even quite recently about the it being abandonware due to lack of responses, I have found posts by the author elsewhere and he strikes me as being an okay and honest programmer. I cannot hold it against someone if they do not want to dedicate their life to something, and I think it is not abandonware. I decided I trust him far more than TheGreatSuspender, it works offline, and I want the automatic downloads and extra functionality of the non-free version. I bought Tabs Outliner pro version for about US$14 with a VISA card and it was instant gratification (even though a week ago someone said they could not purchase.) Chrome on a 2019 Macbook Pro. It works great and has automatic backup both local and to Google Drive. I just wanted to post here and let you know I have just converted over 1000 tabs, which means going to each window and unsuspending them, then in Tabs Outliner just click the X to close the entire window. And maybe type a note to name the window, or not. Poof! All those minimized windows from TGS are gone. I started feeling lighter. But the pages can be reopened from the Internet obviously. I think you can even save a downloaded page to it, and you can write notes in the tab bookmark tree and so on. I had seen Chrome slowing everything down (surprising on a new Mac) to the point I had started using Safari in parallel. Well, I saved over 1.5GB according to the Chrome task manager and I feel a lot safer. I noticed that actually Tabs Outliner even saves windows that had crashed a long, long time ago. But they also were TheGreatSuspender links. So now I am going to each ghost of a crashed window, restoring it from the net or not, and clearing it all out. When done I will fully deactivate and uninstall TheGreatSuspender. Hope my experience helps. Tabs Outliner works fine in free mode and I have never lost data with it, though somewhere I saw written that Chrome's storage is not bulletproof. At any rate I feel quite happy with my decision and I think TGS anyway was getting unwieldy at 1000 tabs. This was a good opportunity to lose some weight. |
|
p.s. as far as storage not being bulletproof I can confirm that some windows that had been suspended with The Great Suspender recently did not survive a chrome crash - TGS was unable to restore them. So frankly, I think the idea of Tabs Outliner is superior to TGS even though it doesn't have the cute anime eyes. Good luck everyone, I do hope some resolution is found and the new pruchaser just turns out to be clueless, but I doubt it. Injecting anything into my data along with the other scary stuff mentioned by others is just not acceptable when I use this computer for work. I feel better without TGS. |
|
This is concerning, so I too have migrated away from The Great Suspender. I can recommend Tabs Outliner as a good replacement. |
|
Thanks guys!!! I think that's definitely the kind of extension I was looking for due to my heavy use of tabs and "contexts" (i.e. links open from the same page). Will try & adopt for sure!!! |
|
For anyone who is concerned by the "stealth tracking" (i.e. it not being mirrored on Github for some reason), you can always install from source. It is easy: go to HOWEVER, I DON'T SEE THE CURRENT ISSUE (in itself) AS A REASON TO FREAK OUT:
This is from the actual extension installed from the chrome store, 'trackingOptOut' option is set by that checkbox, and Yes, this is weird that they "hid" it like that. Might have to do with the hardcoded siteId and apikey, or maybe they "just wanted to experiment with it" (on users' machines, yes, but how else do you experiment with tracking?) Yes, they handled their PR horrendously, but that doesn't mean they are automatically malicious! (And actually, "any PR is good PR". If it spreads and then it gets proven they did nothing malicious, then more people might use the extension and more would donate to them.) Personally, I'm going to use the "developer mode install" option, but not to avoid that tracking. Mostly because of #1259 and other autoupdate-related issues, as developer-mode extensions don't get autoupdated. |
|
Okay, as was mentioned on the other issue, the CDN isn't affiliated with OpenWebAnalytics so it can, in theory, serve anything. |
calumapplepie
changed the title
|
@evg-zhabotinsky The GPL violation was a stretch, only important we needed a way to poke the maintainer. Further, the extension on the web store is not just the src folder of this repo: there is a significant difference in the manifest.json. |
|
Going on seven months since I wrote this summary. If this bug was a pregnancy, it'd almost be ready to come out. I know there are quite a few bugs in the digital world that are old enough to vote, but still. |
|
@drullo maybe Session Buddy will help you out. Sorry for your loss. |
|
Agree that someone should def throw marvelous suspender on the store. I could if nobody else will. |
what? |
Someone mentioned it was not on the store. I found it here though: https://chrome.google.com/webstore/detail/the-marvellous-suspender/noogafoofpebimajpfpamcfhoaifemoa?hl=en I no longer see their comment in this discussion though. |
probably either posted sometime around January, when there was a fork on github but none published on the store. Could also be buried somewhere in my wall of text, or in one of the other issues. |
|
Yeah that makes sense. I tried the marvelous suspender and GOD that thing is killing me. I have a gaming desktop with 32gb of RAM and I was comfortably watching a video when the entire thing stuttered, the video cut out, I couldn't move or see my mouse, and the desktop even got loud. Well turns out, marvelous suspender decided to suspend like twenty tabs at the same time, and it nearly bricked my machine for almost a minute... Hopefully this is a one time thing after installing since all tabs probably expired at the same time, but man they need to fix that, make them suspend 30 seconds after the previous one or something. |
Do you have a recommendation for a good password manager? One that WON'T sell me out without me even knowing?
This completely blows my mind. For some reason I was under the impression Google kept a close eye on the items they offer in their store, yet it took nearly 8 months to remove this. |
|
It's probably because i have hundreds of tabs snoozed, but Marvelous
Suspender causes my PC to go into perpetual micro lag after a day or two.
Didn't have this problem with Great Suspender back in the day.
…On Sat, 22 May 2021, 5:20 am Justin Golden, ***@***.***> wrote:
Yeah that makes sense.
I tried the marvelous suspender and GOD that thing is killing me. I have a
gaming desktop with 32gb of RAM and I was comfortably watching a video when
the entire thing stuttered, the video cut out, I couldn't move or see my
mouse, and the desktop even got loud. Well turns out, marvelous suspender
decided to suspend like twenty tabs at the same time, and it nearly bricked
my machine for almost a minute... Hopefully this is a one time thing after
installing since all tabs probably expired at the same time, but man they
need to fix that, make them suspend 30 seconds after the previous one or
something.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1263 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AF3BXFY54HXFAV5X3HJAKQLTO3FCXANCNFSM4TI37TGQ>
.
|
Go ahead, find mine. I'll pay you 1 BTC. That's a load of fearmongering tosh. Seems you either watched too much Hollywood nonsense or are careless enough and are projecting. No, private info of most of us is not "already circulating on the dark web from countless other leaks in the past", even though many leaks did happen, including banks, facebook and others. The planet is bigger than the US of A.
Absolutely worry about personal info being leaked. Take good measures to protect and prevent your personal info getting leaked. That's how people get mugged or houses getting broken into nowadays (see BlockFi leak). At the very least don't whore them out to anyone who asks.
Not odd at all. Some people don't close/restart their browser every day. Some have laptops that only sleep and apply manual updates after a few months. |
|
You can consider it fearmongering, but I think we can sensibly debate just how readily available everyone's private info is online, if one knows where to look. Obviously don't be careless with your personal info and just openly share it willy-nilly. That wasn't what I was suggesting. My point was to highlight that if your private info gets out, it's not the end of the world. But of course you should be treating your personal info like any other sensitive data and only use where appropriate. |
More baseless statements, the opposite of sensible. Like I said, go ahead and find mine or else stop this narrative as it's unhelpful at best, and it says more about you than about anyone else.
Once again you are making this unhelpful and tone deaf statement, despite having had it pointed it out to you that people have been kidnapped, mugged, or had houses broken into because of online leaks. Everyone should take personal data leaks very seriously. If you become aware of your private info getting leaked, assess the risk and take action accordingly -- don't stay idle ignoring it (like this guy keeps suggesting). This isn't the same as being spammed. |
I haven't experienced this at all with Marvellous Suspender, and I have tons of tabs too. Have you guys set the auto-suspend to something reasonable, like 2 days? Also disable suspending on low memory and screenshots
I highly recommend BitWarden. I've tried tons of the password managers out there and this is the best of them all IMO. It's open source and (almost) completely free. Solid UI, full cross-platform compatibility, optional cloud database & vault accessible anywhere, password sharing, password generator, full auto-fill and auto-update support, etc. |
So what is the measure you're suggesting one should be taking when their personal info (almost inevitably) gets leaked at some point? Move to a new home and change your name and SSN every single time a web service gets hacked? There isn't anything actionable on your part when your personal info is leaked alongside everyone else's, outside of staying vigilant for potential identity theft. |
You continue to make statements as if they are undebatable truths. They also happen to be false. If your credit card data leaks do you stay idle? If you choose to stay idle when all your private info including address, balances, transaction history, etc gets leaked then that's very much on you; stating nothing can be done and also advising others to stay idle and not worry about it is the opposite of pertinent and helpful. Pertinent people take measures (e.g. depending on the risk level - increase premises protection, hire personal protection, move out then avoid using home/office addresses but purchase virtual ones, etc etc). It's clear you are neither aware, nor getting the idea or be able to admit you were talking nonsense. It's not like this discussion is leading anywhere, so I'm out (my intervention was intended for the benefit of the others). People like you are making the job of security professionals and cypherpunks harder. Please stop. |
When did I say you should standby on leaked credit cards? Of course you shouldn't. Look back, this whole time I have been talking about personal info - that encompasses simple things like your address and name, not your finances, wow. Those would fall under the category of sensitive info, not personal info. For anyone with the capacity, time, capability, and finances for taking countermeasures against leaked info, go right ahead. Not all of us have the privilege or means for things like 'hiring personal protection'. You're misconstruing what I keep trying to say, and therefore perceive it as nonsense. There is leaked info that is very much actionable and should be taken very seriously - things like leaked credit cards, etc. Your personal info does not fall into that category. |
|
2h for me. Wouldn't 2 days sort of defeat the purpose of this?
Just switched off native Chrome memory saving. Let's see if that helps.
On Sat, 22 May 2021, 7:35 am Jeffrey Nichtberger, ***@***.***>
wrote:
… Yeah that makes sense.
I tried the marvelous suspender and GOD that thing is killing me. I have a
gaming desktop with 32gb of RAM and I was comfortably watching a video when
the entire thing stuttered, the video cut out, I couldn't move or see my
mouse, and the desktop even got loud. Well turns out, marvelous suspender
decided to suspend like twenty tabs at the same time, and it nearly bricked
my machine for almost a minute... Hopefully this is a one time thing after
installing since all tabs probably expired at the same time, but man they
need to fix that, make them suspend 30 seconds after the previous one or
something.
It's probably because i have hundreds of tabs snoozed, but Marvelous
Suspender causes my PC to go into perpetual micro lag after a day or two.
Didn't have this problem with Great Suspender back in the day.
… <#m_-7930041490622704620_>
On Sat, 22 May 2021, 5:20 am Justin Golden, *@*.***> wrote: Yeah that
makes sense. I tried the marvelous suspender and GOD that thing is killing
me. I have a gaming desktop with 32gb of RAM and I was comfortably watching
a video when the entire thing stuttered, the video cut out, I couldn't move
or see my mouse, and the desktop even got loud. Well turns out, marvelous
suspender decided to suspend like twenty tabs at the same time, and it
nearly bricked my machine for almost a minute... Hopefully this is a one
time thing after installing since all tabs probably expired at the same
time, but man they need to fix that, make them suspend 30 seconds after the
previous one or something. — You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#1263 (comment)
<#1263 (comment)>>,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AF3BXFY54HXFAV5X3HJAKQLTO3FCXANCNFSM4TI37TGQ
.
I haven't experienced this at all with Marvellous Suspender, and I have
tons of tabs too. Have you guys set the auto-suspend to something
reasonable, like 2 days? Also disable suspending on low memory and
screenshots
@timetopanic <https://github.com/timetopanic> I would recommend a
password manager instead of a schema. One or a few leaks and the pattern
can be guessed.
PS: It's unbelievable how long it took them to automatically remove the
extension. I think that for most of us here was a couple of months ago (or
more?).
Do you have a recommendation for a good password manager? One that WON'T
sell me out without me even knowing?
It shocked me, as well. It took THREE MONTHS for Google to disable it on
my browser after they had done so to everyone else, and they didn't even
send a warning to the primary account that there could be possible data
breaches. I had to research it all myself.
I highly recommend BitWarden <https://bitwarden.com/>. I've tried tons of
the password managers out there and this is the best of them all IMO. It's
open source and (almost) completely free. Solid UI, full cross-platform
compatibility, optional cloud database & vault accessible anywhere,
password sharing, password generator, full auto-fill and auto-update
support, etc.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1263 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AF3BXF2NQGMF6O7HOAIHIO3TO3U5FANCNFSM4TI37TGQ>
.
|
|
My computer is on 24/7/365 and I also had the issue with Google doing the block on The Great Suspender extension sometime after 5PM May 19, 2021 and 5AM May 20, 2021 San Francisco, Califorrnia USA time so I wonder if the people who got the block earlier were all located at certain geographical locations. In any case, it seems like all the data files are already gone and even closing Chrome and starting it with the computer offline, the extension is disabled and does not become enabled to be able to show the Current and Recent sessions. Even manually loading v7.1.6 of The Great Suspender using Load Unpacked Extension did not work as it still would not show any sessions as the data needed is already gone. And while using the browsers history and searching for klbibkeccnjlkjkiokjodocebajanakg, I noticed that everyone seems to mention the ones where the link is the following type: This one, the URL is obvious as it's right after the uri= but it seems like a lot of my tabs has something that no one else mentioned like this for example where the uri= starts with data:text/html
The URL is there as url%22%3A%22https%3A%2F%2Fphotos.google.com%2F so you will have to translate the following: so it will take a lot of time to just figure out the URL itself which in the above is https://photos.google.com thankfully after googling The Great Suspender and reading all the different threads on Reddit, I found a tool called The Great Suspender Recovery Tool here: which is available on the Google Chrome Store here: This at least makes it easier because using the same links that has the problem, with The Great Suspender Recovery Tool extension, it would show up as: but it fixes things since all you do is paste the copied link from the extension to a text editor and then search for: which for the above will show: so the URL is already there between the "url":"" |
|
There are some chrome extensions for recovering your tabs. For example (untested): These search results might have more options. So you'd install one of these extensions, open your URLs from the history, and then open the extension. This should work. Basically, these extensions remove the part before If that doesn't work (you have my condolence, that will be a lot of work... The long URLs you saw are URL encoded (which means, it's encoded data that normally wouldn't be valid in a URL). You can use an online tool like urldecoder.org to decode the data. Basically, you take the part after I did that for the URL you posted above and found the following: That seems to contain the URL. Just scan the decoded data (which contains many lines of code) for that line. For some reason, the URL you posted contains the source code (HTML, JavaScript, etc.) of a web page. Good luck! |
|
Thanks for your input. As far as the tools go:
I already finished recovering all 450 tabs with The Great Suspender Recovery Tool since it did the decoding part so I just had to paste into Notepad++ with CTRL-V ad then did a search for "url":" but thanks for the link to urldecoder.org. I did manage to lose one tab which was not anywhere in Chrome's history as basically I always have that tab on the right hand side of Gmail I basically have 4 windows of tabs which contained about 100 tabs each. Window 1 was the one with the ones that I had to send to the text editor after The Great Suspender Recovery Tool already decoded the URL portion and then copy link back to a new tab on the browser. A few of the tabs did have the URL so I can just open it directly into a new tab from The Great Suspender Recovery Tool directly. Windows 2-4 all had valid URL's so I can just open it directly. So for whatever reason, I seem to be the only one who has the long encoded URLs as github's various issues from years and more recent has no mention of the long encoded URLs either. #526 Unlike people who posted months ago, there is no way to open the extension where it gets enabled for a short period of time to open the extension and save the current session, mines remains disabled even when I start Chrome offline so the only way to do it is to use either Chrome's browser history and search for klbibkeccnjlkjkiokjodocebajanakg, it is slightly easier for me because I always open all 4 windows after the computer reboots so as my computer's last boot time was on May 17, 2021, all I had to do is start from May 17 2021 and later as the last time there was anything in the history for klbibkeccnjlkjkiokjodocebajanakg was for May 16, 2021 which was before the reboot. Thanks for taking the time to reply although I think when I first saw the issue, the first 1/2 a day was more panic mode before finding working tools. Window 1 was the one that took the last 3 days while window 2-4 was all done within 2 hours. The URL posted is exactly the way it shows up in The Great Suspender Recovery Tool as seen in the screenshot below which are basically 98% of the Window 1 tabs: I am still new to Github so I am still trying to figure out how to have the code show so it doesn't get decoded by the forum. Update 1: I should say that I did find a use for the Great Desuspender and that is because I use TabsOutliner so I have somethings that area in TabsOutliner that opens up a suspended tab for The Great Suspender so it will say blocked by client an that's when the Great Desuspender will open the tabs to the actual site. |
Bitwarden seems to be a decent company (but do your own research and come to your own conclusions). I believe they are open source and have a self-hosted option as well. |
|
@timetopanic Yes, like @pattiobear said: Bitwarden. I used it and I'm happy with it. Just try it out with a few sites and see if you like it. But I can tell you, having each site with its own super random password is really good. It also works wonders on my Android phone. |
|
let's talk about some safe alternatives? |
|
@aerosol-can look through the above many options have been already discussed, this being one - https://chrome.google.com/webstore/detail/the-marvellous-suspender/noogafoofpebimajpfpamcfhoaifemoa?hl=en. |
what? why? I thought https://chrome.google.com/webstore/detail/the-marvellous-suspender/noogafoofpebimajpfpamcfhoaifemoa was safe |
|
@makedir you misunderstand... It is safe, he just had not read the previous comments mentioning it. |
|
TGS 7.1.6 seems to still work just fine for me |
sure it might, but you miss out on fixes and optimizations made in The Marvellous Suspender |
and others
TLDR: The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more. In v7.1.8 of the extension (published to the web store but NOT to GitHub), arbitrary code was executed from a remote server, which appeared to be used to commit a variety of tracking and fraud actions. After Microsoft removed it from Edge for malware, v7.1.9 was created without this code: that has been the code distributed by the web store since November, and it does not appear to load the compromised script. However, the malicious maintainer remains in control, however, and can introduce an update at any time. It further appears that, while v7.1.9 was what was listed on the store, those who had the hostile v7.1.8 installed did NOT automatically receive the malware-removing update, and continued running the hostile code until Google force-disabled the extension.
The Great Suspender has been removed from the Chrome Web Store. To recover your tabs, see issue #526, or continue reading
The code in the Github repository is currently safe, and the most recent tagged release happened before the transfer of ownership. To use that version, and avoid needing to finagle URL's, enable Chrome developer mode, download and extract a copy of the code, then navigate to your extensions menu and select 'Load Unpacked Extension'.
Some others have had success simply pressing the "back" button on suspended tabs: everyone should note that the site's URL is included in the URL of the suspended page. For a pictorial guide on doing this, see this comment. Further, if you just want to reload lost tabs, you can use some form of File History on Chrome's user profile directory (while chrome is closed!), before restarting chrome and using the extension menu to unsuspend all tabs before your computer realizes the extension is banned again.
Because the malicious code loaded from a server by the extension in version 7.1.8 was heavily obfuscated, it is hard to say what may have been compromised. However, those who did manage to conduct an successful analysis of the code reported no password-stealing functionality in the copies that were archived. Indeed, it is highly unlikely that the extension would have been able to steal passwords. That being said, it is theoretically plausible: see my comment here. If you don't already, I highly recommend using a password manager like Bitwarden, to reduce the difficulty of changing your passwords, and to prevent an site that transmits and stores password information in a insecure way from causing the rest of your accounts to be compromised. Additionally, enabling two factor authentication wherever you can is a very easy and powerful way to make it virtually impossible for an attacker to get your data, even if they managed to retrieve passwords.
Full description of the issue:
@deanoemcke, the original developer, chose to step back from the extension in June 2020. As a replacement maintainer, he chose an unknown entity, who controls the single-purpose @greatsuspender Github account. Much was suspicious about this change, including mention of payment for an open-source extension, and complete lack of information on the new maintainers identity. However, as the new maintainer did nothing for several months, it was believed that there was simply a failed transfer. In October 2020, the maintainer updated chrome store package. The update raised red flags for some users, because the changelog was not modified and there was no tag created in GitHub. On investigation, it appeared that the extension was now connecting to various third-party servers, and executing code from them.
This lead a few users to panic, however, on closer investigation, it appeared that the third-party servers were part of an alternative to Google Analytics: and the changes shipped along with a new (though unexplained, #1260) tracking deactivation. It appears that deactivation works. We would later discover that this was wrong: See below
The discussion continued, however, because the new update also requested additional permissions, including the ability to manipulate all web requests. That lets the extension do what it pleases, including inserting ads, blocking sites, forcible redirects.... This change was supposedly in order to enable new screenshot functionality, but that was unclear, and probably shouldn't be needed.
Furthermore, the web store extension has diverged from its Github source. A minor change in the manifest was now being shipped on the chrome web store, which was not included in Github. This is a major concern: though again, it has a possible innocent explanation. While some think it is illegal given the license on the code, this may not be a GPL violation.. Because the minified script is not part of the extension, the license does not apply to it. Because of Web Store rules, the extension itself can be unpacked and inspected in full, human-readable form, likely satisfying the copyleft restrictions.
As a final red flag, no part of the web store posting has been updated to account for this. @deanoemcke remains listed as the maintainer, and the privacy policy makes no mention of the new tracking or maintainer. It has been several months since the transfer, but almost nothing reflects that change.
@deanoemcke did respond to the thread, after a significant delay. He confirmed much of what is above, including that the secret changes are limited to analytics and are disabled by the flag. However, he hasn't yet clarified what his relationship or basis of trust with the new maintainer is, nor has he explained why the initial post mentions a 'purchase'.
On November 6th, @lucasdf discovered a smoking gun that the new maintainer is malicious. Although OpenWebAnalytics is legitimate software, it does not provide the files executed by the extension. Those are hosted on the unrelated site owebanalytics.com, which turns out to be immensely suspicious. That site was created at the same time as the update, and is clearly designed to appear innocent, being hosted on a public webhost, and being given a seemingly innocent homepage from the CentOS project. However, the site contains no real information other than the tracking scripts, appears to have been purchased with BitCoin, and is only found in the context of this extension. Most importantly, the minified javascript differs significantly from that distributed by the OWA project.
@thibaudcolas has done a more detailed analysis then my quick look. He quickly located additional hardcoded values related to other, confirmed malicious extensions, implying that the new maintainer is responsible for them. He also found incredibly suspicious additional information, that makes it clear that the extension was not loading a modified version of OWA, but a trojan disguised as it. OWA has a PHP based backend, but the fakes are using NodeJS. The trojan sets cookies, which OWA doesn't use. The response to certain requests is a completely different type then legitimate OWA. Furthermore, @joepie91 has attempted to deconstruct the minified JS, and believes that the code intercepts all requests, meaning it can track you perfectly, and furthermore manipulates those requests and makes additional advertising requests. That means the author was probably attempting to commit several flavors of advertising fraud, as well as possibly tracking you globally.
While there once appeared to be an innocent explanation for this, I can no longer say that it is remotely likely. Using the chrome web store version 7.1.8 of this extension, without disabling tracking, executed code from an untrusted third-party on your computer, with the power to modify any and all websites that you see. The fact that disabling tracking still works is irrelevant given the fact that most of the 2 million users of this extension have no idea that that option even exists. The fact that the code may not be malware is meaningless in light of the fact that it can be changed without notice, and that it is minified (human-unreadable). The fact that a new version has since been pushed that disables this behavior isn't useful given that any future update reintroduicing the malicious code will occur without notifying the user.
Many users are worried enough about the changes that they completely uninstalled the extension, preferring alternatives instead. That extension has much fewer features, but is slightly better for performance. Others have begun building it from source, and installing it manually. If a person were to try to create a new web store release, they would need to change it significantly enough that Google wouldn't reject it as spam. To simply get a safe version for yourself, see further below. Before removing or modifying the extension on your computer, be sure to unsuspend all tabs, or you WILL lose them (though the original URL's can be extracted from the extension query's, and some are working on scripts to do just that, its easier to do just avoid all that.
Throughout the above discussions, which spanned several issues, now appear in news articles, the new maintainer has never posted on the thread, or interacted in any way with the repository. Despite an ongoing discussion about how they are plotting to destroy us all, they haven't done anything to assuage our concerns: likely in the hope that all those aware of the attack would move on eventually. They aren't dead, as they were quite quick to update the extension when Microsoft removed it for malware, and @deanoemcke reports that they. But the new maintainer might well be a literal cat on a keyboard, for the amount of interaction they have made with the community.
For those who don't want to continue using the extension, alternatives include Tabs Outliner, which lets you place tabs in an outline. Auto Tab Discard is very similar to TGS, however it always reloads the tab when it is focused. Session Buddy allows you to save tabs into "collections", that can be reviewed later, as well as providing security against crashes.
If you enjoy using the extension, and wish to continue using it as it was, download the source code from the Github repository (version 7.1.6), enable developer mode, select "Load unpacked extension", and point it at the /src directory. Bam! You are now running The Great Suspender as @deanoemcke created it. @aciidic has gone further, creating a new repository not under the control of the old maintainer, and with all tracking code removed, here. The Marvellous Suspender is another fork currently on the Chrome Web Store, for those who would prefer not to finagle with developer mode settings.
That concludes my summary. For more information, please do look further down on this thread, or at the original announcement (#1175). An analysis of the script is placed here.. Additional sources began covering this in January 2021, and a lot more picked it up after February Fourth for some bizarre reason that probably has nothing to do with the removal by Google.
Edit log
Edit 01: (2020-11-06) add details from this discussion
Edit 02: (2020-11-06) Update to reflect the newly discovered evidence for malice
Edit 03: (2020-12-06) Note technique to continue using TGS
Edit 04: (2021-01-03) Add "Urgent" to title (and WOW did people start noticing) (thanks twitter)
Edit 05: (2021-01-05) Note @thibaudcolas and his analysis.
Edit 06: (2021-01-08) Note @thibaudcolas's second analysis, clarify and copyedit throughout, and start adding dates to edits
Edit 07: (2021-01-08) Remind about the process of removing the extension, and note a bit more about maintainer
Edit 08: (2021-01-08) Last one for today, promise: Reformat edit list and other minor changes throughout,
Edit 09: (2021-02-04) Note removal from store
Edit 10: (2021-02-04) Fix bold
Edit 11: (2021-02-04) Add help for those worried about losing tabs in nice big bold letters
Edit 12: (2021-02-04) Add details about password security
Edit 13: (2021-02-04) Clarify compromise, beautify edit log
Edit 14: (2021-02-04) Obscure the fact that I made my first edits 9 months in the future (fix edit years)
Edit 15: (2021-02-05) Clarify probably breaches: regret decision to keep obsessive edit log
Edit 16: (2021-02-09) Realize that issue still contained the false implication that users were safe after November.
The text was updated successfully, but these errors were encountered: