Upcoming changes to the management of The Great Suspender

[deanoemcke]

Hi everyone. I'd like to announce some changes to the administration of The Great Suspender project.

It's been almost 8 years since the first release of The Great Suspender to the Chrome Web Store. I've seen the extension turn from a hobby project to an indispensable chrome add-on, all due to an enthusiastic community of users that promoted the extension on my behalf.

The contribution of both code, and feedback from everyone here on GitHub has been critical to the success of the project. You have helped me detect and resolve bugs, given me ideas for UX improvements and new features, and provided technical assistance when I have found myself struggling with some code. I honestly couldn't have got to this point without you.

However, as the user base for The Great Suspender has continued to grow, so have the commitments in my private life. And I've found I'm increasingly incapable of meeting the demands that this project requires. I've therefore decided to take a step back, and let others lead the development.

I have found a new dedicated owner for The Great Suspender who has the capacity to see the extension actively maintained into the future. The new GitHub administrator for this project will be @greatsuspender. They have also purchased the rights to publish the extension to the Chrome webstore and will be managing the public release process going forwards. Big thanks for taking on this project and continuing its development!

Thanks again for all of your support here on GitHub. You're the best!

[nfultz]

Thank you for all your work over the years. Will they also be managing the Great Discarder fork?

[shandrew]

Congrats! Can we know who the new owners are? I'd like to make sure it's someone we can continue to trust.

Thanks!

[deanoemcke]

The Great Discarder will remain with me. Although I don't have any capacity to continue the maintenance of that project right now. I may be able to continue merging PRs if they come in.

I do not wish to publish publicly any personal information about the new owner, but the project will remain open source and the code here on GitHub will continue to reflect the code published to the chrome webstore.

[ossilator]

when can we expect the new overlord to actually do something? it's been two weeks now and they haven't done anything visible. that's not much of an improvement over the previous state ... :}

[rgalonso]

Thanks for all the work over the years, Dean!

[ossilator]

so i guess we can now officially conclude that the transition was a failure? :( i'm not at all surprised - you can't really expect someone with no track record in a project to take over a major responsibility as a volunteer. it doesn't matter how enthusiastic they may appear at the outset. that it all happened behind closed doors probably didn't help, either. @greatsuspender, care to comment?

the question is how to move forward. finding a "worthy" successor within the community still requires prolonged investment from the old maintainer, so as things stand, even a prominent call for help on the web store would not lead to anything. i suppose a possible way forward would be declaring "bankruptcy", seeing if a viable fork emerges, and if so, transferring official ownership to its maintainer.

[lucasdf]

Would be great to hear more about this. Unfortunately, there has been cases of "mysterious buyers" taking over projects and injecting malware on them (see https://github.com/NanoAdblocker/NanoCore/issues/362). I don't have any reason to believe that the deal here might be in any way problematic like this, but the lack of information is worrisome. For now I am using a local version instead of the one provided by Google store.

ps: thank you for all your work in this project!

[Poopooracoocoo]

After what happened to Nano Adblocker and Defender and an update to The Great Suspender, my stomach is churning. I'm so scared. I don't know what I'm supposed to do. With Nano I just uninstalled them, switched to uBO and kept the filters as it leads to an archived repo. What do I do here????

[DAOWAce]

Hmm, addon updated to 7.1.8 but there's no release for it on github, still showing 7.1.6.

What's the official changelog in the newest update? (besides trying to parse commits)

An an aside, I still hate how Chrome decides to randomly update addons in the background despite being in developer mode. Why even have an 'update extensions' button if it's going to update them regardless?

[joshmanders]

@DAOWAce

Hmm, addon updated to 7.1.8 but there's no release for it on github, still showing 7.1.6.

Judging by the commits, it maybe was an oversight in publishing both on GitHub and on Google. Looks like he possibly published after overhauling the screenshot code in https://github.com/greatsuspender/thegreatsuspender/pull/1238 and then again after making it possible to disable Google Analytics in https://github.com/greatsuspender/thegreatsuspender/pull/1239

I've been inspecting the code on my browser extension version for any malicious stuff being added between those version discrepancies, I'd advise you to do the same. (Not sure in Chrome, but in Brave I can click inspect on the extension and view its code)

[LeChatNoir666]

Uninstalled The Great Suspender! Same annoying behavior like in the last update with the popup in any browser windows and again no changelog... So I say good bye to TGS and hello to "Auto Tab Discard" on all my devices. The 3rd Add-On after Nano Defender / Adblocker I uninstalled this week...

Also I fear another bad code injecting, especially like above about the releases.

Anyway... thanks to the old dev.

Oh and if someone decide to switch too: Make a Backup of your Tab else you will lose your tabs with uninstalling TGS!

[danupo]

The code has been added to gsAnalytics.js and appears to be calling javascript from outside. The called code was obfuscated and I couldn't understand it... I'm not an expert, so I don't know any more than this.

gsAnalytics.jsにコードが追加され、外部からjavascriptを呼び出しているように見えます。 呼び出されたコードは難読化されていて、私には分かりませんでした・・・ 私は専門家ではないので、これ以上のことはわかりません。

私は英語が分からないので、機械翻訳でごめんなさい。 I don't understand English, so sorry for the machine translation.

[oddhack]

What are people using as a replacement for TGS? "Tiny Suspender" is mentioned above. In the absence of a compelling explanation by the new owner of who they are and what they're doing, and an update here consistent with the Play Store, it's only prudent to consider TGS to now be malware.

[zanglang]

The code posted in @danupo's comment caught my eye and a quick Google search turned up these Reddit posts:

https://www.reddit.com/r/chrome/comments/ikn38u/malicious_chrome_webstore_extension/ https://www.reddit.com/r/chrome/comments/gg2nii/auto_refresh_extension_now_malware/

Similar JS name and paths just with different domain, which wayyy too coincidental:

var owa_baseUrl = 'https://static.trckpath.com/';
_owa.src = owa_baseUrl + 'owa/modules/base/js/owa.tracker-combined-latest.minified.js?siteId=imkngaibigegepnlckfcbecjoilcjbhf&apikey=cc3ba1f3cad5332422ecafd9dd2aa0ac&v=' + details.version;

var owa_baseUrl = 'https://static.trckingbyte.com/';
var owa_cmds = owa_cmds || [];
owa_cmds.push(['trackPageView']);
var _owa = document.createElement('script');
 _owa.type = 'text/javascript';
 _owa.async = true;
 _owa.src =
   owa_baseUrl +
   'owa/modules/base/js/owa.tracker-combined-latest.minified.js';

Also a more indepth analysis of the minified js: https://www.reddit.com/r/chrome/comments/gg2nii/auto_refresh_extension_now_malware/fqd64jx/

Domain lookup:

Name: OWEBANALYTICS.COM Registry Domain ID: 2566559592_DOMAIN_COM-VRSN Domain Status: clientTransferProhibited Nameservers: NS1.SITE-DNS.COM NS2.SITE-DNS.COM NS3.SITE-DNS.COMDates Registry Expiration: 2021-10-17 23:49:43 UTC Created: 2020-10-17 23:49:43 UTC

Freshly registered domain so not to trigger any Google search results eh?

Conclusion: abort abort!

[joshmanders]

Great work @danupo and @zanglang. I've added the domain to my DNS denylist, because I really don't feel like switching extensions right now. :/

[TheMCNerd2017]

The code posted in @danupo's comment caught my eye and a quick Google search turned up these Reddit posts:

https://www.reddit.com/r/chrome/comments/ikn38u/malicious_chrome_webstore_extension/ https://www.reddit.com/r/chrome/comments/gg2nii/auto_refresh_extension_now_malware/

Similar JS name and paths just with different domain, which wayyy too coincidental:

var owa_baseUrl = 'https://static.trckpath.com/';
_owa.src = owa_baseUrl + 'owa/modules/base/js/owa.tracker-combined-latest.minified.js?siteId=imkngaibigegepnlckfcbecjoilcjbhf&apikey=cc3ba1f3cad5332422ecafd9dd2aa0ac&v=' + details.version;

var owa_baseUrl = 'https://static.trckingbyte.com/';
var owa_cmds = owa_cmds || [];
owa_cmds.push(['trackPageView']);
var _owa = document.createElement('script');
 _owa.type = 'text/javascript';
 _owa.async = true;
 _owa.src =
   owa_baseUrl +
   'owa/modules/base/js/owa.tracker-combined-latest.minified.js';

Also a more indepth analysis of the minified js: https://www.reddit.com/r/chrome/comments/gg2nii/auto_refresh_extension_now_malware/fqd64jx/

Conclusion: abort abort!

I knew something was up when a new version of the extension was available, yet the GitHub was not updated. Luckily it never had a chance to update to 7.1.8 (the extension displayed the usual window when an update is available, in which I backed up my suspended tabs, deleted the staged update from the filesystem, modified the manifest file by deleting update_url, and restarted Chrome causing the extension to delete itself and become disabled) and I eventually installed 7.1.6 of the extension from the Releases page.

Good job to both @danupo and @zanglang for discovering this and making this known.

Also, should this be posted on other communities as well (like Chrome subreddit) to spread the word?

[joshmanders]

Also, should this be posted on other communities as well (like Chrome subreddit) to spread the word?

Yes. I've tweeted about it, if anyone wants to retweet go ahead, can also share anywhere else talking about it there so we can keep people in the know incase the malicious author here deletes this issue. https://twitter.com/joshmanders/status/1321283443825803264

[zanglang]

OK, it appears I may have overreacted.

owa.tracker-combined-latest.minified.js is a release artifact from the Open Web Analytics project, which proclaims to be a GA alternative. Example code: https://github.com/Open-Web-Analytics/Open-Web-Analytics/wiki/Tracker

If we DNS lookup the 2 other linked domains, they both have the same DNS SOA record, but it's not the same for owebanalytics.com. Unfortunately it's not possible to gleam any further info for this domain.

$ dig trckingbyte.com SOA +short
a8332f3a.bitcoin-dns.hosting. stela.staniyova.web.de. 2019111501 7200 7200 172800 38400
$ dig trckpath.com SOA +short
a8332f3a.bitcoin-dns.hosting. stela.staniyova.web.de. 2019111501 7200 7200 172800 38400
$ dig owebanalytics.com SOA +short
ns1.openprovider.nl. dns.openprovider.eu. 2020101801 10800 3600 604800 3600

Without actually seeing the actual tracked events that the JS is sending back it's may not be reasonable to conclude that it is malicious (and my JS-fu is not powerful enough). Almost all of our Android/iPhone apps are embedded with similar trackers to help devs track user interaction within the app, so it's up to the maintainer to step up and clarify why it's suddenly injecting a tracker.

As for the coincidence that all 3 sites host the same JS with the same directory paths... it turns out that's just how owa is packaged.

$ tar tvf owa_1.7.0_packaged.tar| less
...
-rw-r--r-- padams/admin  72183 2020-09-16 11:50 ./modules/base/js/owa.tracker-combined-min.js

[joshmanders]

Pretty suspicious to have published this version without pushing to github. It wreaks to high hell of plans to be very malicious.

[calumapplepie]

They didn't tag anything, but the tracking-opt-out branch seems to be pretty clear. The new dev added tracking, and with it an opt-out.

Let me repeat. There is an opt-out button for the tracking

Now, whether it works is another thing, but I am skeptical that they'd add such a button if they were malicious.

[Poopooracoocoo]

It's a relief that the new dev lets you opt out of the tracking they added. Relief being relative of course; still shit scared lol. They say that it's not just Google Analytics. You guys found out that there's Open Web Analytics. For now I'm continuing to use The Great Suspender. If there's a decent fork or alternative, please let us know!

[Luckz]

If you are happy discarding tabs and don't need the whole placeholder infrastructure, there's https://chrome.google.com/webstore/detail/auto-tab-discard/jhnleheckmknfcgijgkadoemagpecfol/ (and equivalents for other browsers) - it has some amazing shortcuts under chrome://extensions/shortcuts too. Site: https://add0n.com/tab-discard.html Source: https://github.com/rNeomy/auto-tab-discard

[kalpaj12]

The big question: Is it still safe to continue using TGS?

[seadoggie01]

I'd like to point out the amount of code that has changed since this announcement is not significant. The code that has changed has been very minor or was already a part of this GitHub in another branch. I don't worry that this extension has become unsafe, at least yet. My biggest fear is that there won't be any real future updates and the project will die. That's why I've started learning JavaScript

[lucasdf]

The big question: Is it still safe to continue using TGS?

I would say no, because:

1. We don't know if the loaded script is malicious or not. Even if the external script is just a valid owa analytics, ~it is not respecting the opt-out flag~ (actually, it is respecting the flag), and since it is an external script loaded from an unknown domain it might change at any time.
2. the fact that a new version was published in the store without being published in Github is a giant red flag that can't be ignored.

[joshmanders]

The silence from the new owner is not good either.

It just wreaks of bad vibes.

[XxX-Force]

Could anyone please tell me, is removing the extension enough to reverse whatever may have been compromised on my machine / browser? Is there any potential that this extension could have used some exploit to drop code elsewhere on my computer, or otherwise cause any problems even if it is removed? Very grateful for any insight! Thank you.

[nfultz]

@XxX-Force

Is there any potential that this extension could have used some exploit to drop code elsewhere on my computer, or otherwise cause any problems even if it is removed?

I guess it's possible, but we haven't seen any evidence of that happening.

[calumapplepie]

I

Could anyone please tell me, is removing the extension enough to reverse whatever may have been compromised on my machine / browser? Is there any potential that this extension could have used some exploit to drop code elsewhere on my computer, or otherwise cause any problems even if it is removed?

No. It is possible that the developer is malicious, but it just appears (to me) that they are a poor communicator. The code in github does appear to match, though there isn't a new tag.

Further, the change appears to simply be adding another analytics software: and while it's possible that the hosting URL will start serving malicious code, there is an opt-out from it.

However, chrome fully sandboxes everything, especially it's extensions. Once uninstalled, any damage should be removed. It is possible that a bug exists in that sandboxing, however, finding it would require a major effort (ie, a state actor), and such an actor wouldn't try to deploy their attack so badly.

@greatsuspender, please just reply to this thread and let us know you exist. This change is probably positive, and innocent, but we don't know until you speak to us.

In the meantime, I'll join the people who are trying to crack this thing open, and see if I can spot any issues.

[nfultz]

However, chrome fully sandboxes everything, especially it's extensions. Once uninstalled, any damage should be removed. It is possible that a bug exists in that sandboxing, however, finding it would require a major effort (ie, a state actor), and such an actor wouldn't try to deploy their attack so badly.

True, but this extension does run with pretty broad permissions:

https://github.com/greatsuspender/thegreatsuspender/blob/108c2370b030ea47296adc86bec8456cc5151e0e/src/manifest.json#L6-L20

Those are probably enough to MITM a website, for example. The bigger risk here is they target your AWS account, not that they break in to your laptop.

I would be more comfortable if it were made more clear how those permissions are used and what they are required for.

[lucasdf]

No. It is possible that the developer is malicious, but it just appears (to me) that they are a poor communicator. The code in github does appear to match, though there isn't a new tag.

the code doesn't match the code on master (compare https://github.com/greatsuspender/thegreatsuspender/blob/master/src/js/gsAnalytics.js with the changes posted before), and there isn't any other branch with these changes.

[zanglang]

However, chrome fully sandboxes everything, especially it's extensions. Once uninstalled, any damage should be removed. It is possible that a bug exists in that sandboxing, however, finding it would require a major effort (ie, a state actor), and such an actor wouldn't try to deploy their attack so badly.

Unless the injected js proceeds to then join a botnet, collect all of your sessions and then use your cookies in impersonation attacks, outside of that sandbox...

I was one of those suckers who missed the news about Nano Defender and neglected to uninstall it asap, and as you can see, am pretty bitter about all this.

[calumapplepie]

I cracked open the extension. The source in github does appear to correspond with the installed extension(as far as I can tell: there are a lot of files built by the github source that don't appear in the copy I found, and the manifest.json differs slightly, but I think that's just an artifact of the different distribution systems).

The changes between the shipped 7.1.6 and 7.1.8 are very minimal. They appear to be some screenshot improvements, and the new tracker. OpenWebAnalyitics seems to be legitimate.

The only real possible issue that I see is that, as @nfultz noted, the extension now requests permission to edit web requests. This is a major concern to me, since it means that if some future version begins preforming MITM attacks, the extension won't need to request addition powers. However, I can find no evidence that it is doing those attacks now, unless OWA is illegitimate.

To be clear: yes, the extension has been modified in a way that is suspicious, by asking for a new, sweeping permission set without using it. However, while it is suspicious, there is no evidence that it is malicious (yet)

@lucasdf I ran a build and diffed them. The only differences between the one I built and the chrome extension that Google shares is that mine included a bunch of additional resources not found in the distributed .crx. Thats pretty fine by me: probably just build junk, or some such. The only thing that the web store version had that I didnt was a _metadata file (almost certainly auto-generated by google), a auto-update line (again, google insert), and the permission for scripts downloaded from OWA's official CDN to run.

EDIT: Cleaned out sentence I wrote before I got the copy from the chrome web store

[calumapplepie]

@zanglang I understand: seems perfectly fair. But the new, remote JS appears legitimate. While the extension is now offically suspicious, the source does still seem to correspond with the distributed version.

Basically, this all hinges on whether or not openwebanalytics is a legitimate site. Given that it has existed since 2009, I am inclined to believe that it is.

[ScottRFrost]

@kalpaj12 The big question: Is it still safe to continue using TGS?

It seems that the extension wants permission to edit requests (which it shouldn't need for the purposes we all use the extension for), it added tracking defaulted to opt-in, and it appears the published store versions aren't matching the git versions. IN MY OPINION, any one of these would means NO, IT IS NOT STILL SAFE TO USE. Everyone is, of course, entitled to their own opinion.

I'm removing this extension RIGHT NOW on Firefox and Edge and evaluating alternatives / forks before the new mystery buyer came in.

[XxX-Force]

Thank you all seriously for everyone's information and insight. I'm not a dev, and I'm not even clear on how to correctly use GitHub yet (sorry) .. so this next question might seem stupid.

I see that it looks like TGS was updated in some way around noon ET today. I have no idea what changes were made, if these changes were taken into account by the kind people above who tried to evaluate this situation, or honestly.. if what I'm seeing in this image even reflects that there was an actual change to the code.

As others have said here and elsewhere on the net, the whole Nano disaster has left a lot of people concerned, and more paranoid than usual.

I've already removed the extension. I feel really uncomfortable with what I'm reading about it adding new permissions that it just doesn't need in order to do what we all were using it for, and I don't trust the setting that supposedly "blocks all trackers" in the extension either.

---

EDIT: Inserting the image directly for visibility. Can anyone disabuse me of my ignorance please and tell me what I'm looking at? Was there a change made to the extension on the date/time indicated? Thank you all, again.

---

[infokiller]

@deanoemcke thanks for all your work over the years, many people including me love this extension!

Something that really caught my eye in your original post is the following quote:

They have also purchased the rights to publish the extension to the Chrome webstore and will be managing the public release process going forwards

Do you mean that they paid money for the right to publish the extension? If this is the case, it's very suspicious. This smells like the Nano Defender debacle.

As a maintainer of an open source browser extension, I frequently get purchase offers, even though my extension has far less users than TGS (200x less!). However, I always decline them on the spot because I'm pretty sure these companies want to use the extension to do user hostile things (and even if not, I have no way to ensure they won't do it). Even if you ignore any moral considerations, my reputation is much more important to me than the money they offer.

You did right by giving an heads up about the ownership transfer. However, do note that the vast majority of users will never see this, which leaves them fully exposed.

[oddhack]

After this much feedback with no comment from the new owner, this seems like obvious malware. I went into the Chrome Store and tagged it for review, and suggest others do the same. Unfortunate.

[calumapplepie]

@deanoemcke, you okay, mate? If you're currently the captive of a lizardman paramilitary group seeking to undermine the 2 million chrome users of your extension, blink twice.

Serriously, though, is every thing all right? I just saw that your personal email was listed, and so I assume a lot of people have been emailing you. But you aren't listed anywhere on the web, for anything recent. Springload.co.nz recently dropped you from their staff listing (ie, the past month), and... that's it for things with your name updated in the past month.

[snhv]

@deanoemcke, you okay, mate? If you're currently the captive of a lizardman paramilitary group seeking to undermine the 2 million chrome users of your extension, blink twice.

Serriously, though, is every thing all right? I just saw that your personal email was listed, and so I assume a lot of people have been emailing you. But you aren't listed anywhere on the web, for anything recent. Springload.co.nz recently dropped you from their staff listing (ie, the past month), and... that's it for things with your name updated in the past month.

I guess we shouldn't expect to hear any further from him/her. Non-communication past the announcement is probably dictated in the sale. It's a shame. But I'm moving on...

[liamjohnston]

@TheMageKing I can confirm Dean is okay :) He is aware of this shitstorm (which IMO seems like a bit of an overreaction so far - nothing obviously malicious has taken place). And you would be correct that he is being contacted a LOT about it.

I don't want to speak too much on his behalf (he may or may not be posting a reply here at some stage) but I remind folks that he sold the extension primarily because he didn't want to (/couldn't) carry the burden, as outlined in the original post, and he was perfectly entitled to do so. I don't know what @greatsuspender's deal is, but as for @deanoemcke please be assured there's nothing sinister behind his silence this far.

[deanoemcke]

Hi everyone.

After doing a diff between the new webstore code of TGS and the latest commit in this repo I can confirm that there is a change in the gsAnalytics.js which is present in the webstore version, but not committed to the GitHub repo. I can also confirm that this new code will be ignored if the analytics opt-out option is checked. All other code appears to be the same.

It's unfortunate that the new maintainers have not kept the two codebases in sync as it erodes trust in the project.

I'm not an expert on what is legitimate analytics gathering (like I have been doing with the extension for years), and what is deemed malware. Are people here concerned that there is possible malicious code being run on their computers? I very much doubt this is the situation - it would certainly result in the extension being pulled from the webstore. Or is it more a concern that the new analytics will be invasive to privacy?

Giving the publisher the benefit of doubt, I would say that they have the right to collect extra analytics so long as it is within Google's policies, and is communicated to the user. There is a privacy policy linked on the chrome webstore (which I set up a while ago): https://greatsuspender.github.io/privacy

Of course, this assumes that Google are aware of these changes, and also that the linked privacy policy is still accurate. Google does have a fairly rigorous review process when trying to publish updates to an extension, so I assume this has been vetted by their review team.

Ideally we would have word from @greatsuspender to clarify exactly what the new Open Web Analytics is gathering.

[XxX-Force]

Regardless of anything else, what's happening right now is in violation of the Privacy Policy of the extension that is linked to from the Chrome Web Store.

[donangel]

When I read the above, I started to wonder: would it be possible to fork the extension, and have it community-owned, somehow? I'm sure the original developer of TGS (thank you, pal, for all the great work!) maybe tried this, but for some reason, it might not be possible?

[ossilator]

hey @deanoemcke, thanks for speaking up. but given how things are turning out, i think you really should give us some more ... it's not necessary to reveal actual identities of @greatsuspender (even though it would certainly help), but it's crucial to understand what your basis of trust is. how do you know these people? what assurances do you have, what agreements have been made (and how enforceable are they)? why didn't you seek succession from within the community you acknowledged?

[XxX-Force]

Question. If I disable access to:

trckingbyte.com

trckpath.com

owebanalytics.com

Can I go back to using this extension again without any concerns? Thanks for everyone helping.

[liamjohnston]

@XxX-Force assuming you're using the web store version, and you don't trust the new owner, then no. Because they can push a new web store version with different tracking details or whatever at any time (and afaik there's no way to disable automatic updates).

[XxX-Force]

Thank you @liamjohnston .. and I apologize to all for spamming up the thread here. How can I get the non-web store version of 7.16 off of GitHub and installed into my Chrome browser, being a layman that doesn't know how to build or compile etc? I know I'm asking for a lot.

[liamjohnston]

Thank you @liamjohnston .. and I apologize to all for spamming up the thread here. How can I get the non-web store version of 7.16 off of GitHub and installed into my Chrome browser, being a layman that doesn't know how to build or compile etc? I know I'm asking for a lot.

Download from here https://github.com/greatsuspender/thegreatsuspender/releases

Follow the instructions to install from source from the homepage/readme of this repo. Make sure you select the arc directory. Also make sure to unsuspend any suspended tabs before disabling any version of TGS.

[ghost]

Thank you @liamjohnston .. and I apologize to all for spamming up the thread here. How can I get the non-web store version of 7.16 off of GitHub and installed into my Chrome browser, being a layman that doesn't know how to build or compile etc? I know I'm asking for a lot.

Don't worry. I'm sure there are a lot of people (Myself included,) lurking and benefitting from the information you're asking for.