URGENT: SECURITY: New maintainer is probably malicious

[calumapplepie]

TLDR: The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more. In v7.1.8 of the extension (published to the web store but NOT to GitHub), arbitrary code was executed from a remote server, which appeared to be used to commit a variety of tracking and fraud actions. After Microsoft removed it from Edge for malware, v7.1.9 was created without this code: that has been the code distributed by the web store since November, and it does not appear to load the compromised script. However, the malicious maintainer remains in control, however, and can introduce an update at any time. It further appears that, while v7.1.9 was what was listed on the store, those who had the hostile v7.1.8 installed did NOT automatically receive the malware-removing update, and continued running the hostile code until Google force-disabled the extension.

The Great Suspender has been removed from the Chrome Web Store. To recover your tabs, see issue #526, or continue reading The code in the Github repository is currently safe, and the most recent tagged release happened before the transfer of ownership. To use that version, and avoid needing to finagle URL's, enable Chrome developer mode, download and extract a copy of the code, then navigate to your extensions menu and select 'Load Unpacked Extension'.

Some others have had success simply pressing the "back" button on suspended tabs: everyone should note that the site's URL is included in the URL of the suspended page. For a pictorial guide on doing this, see this comment. Further, if you just want to reload lost tabs, you can use some form of File History on Chrome's user profile directory (while chrome is closed!), before restarting chrome and using the extension menu to unsuspend all tabs before your computer realizes the extension is banned again.

Because the malicious code loaded from a server by the extension in version 7.1.8 was heavily obfuscated, it is hard to say what may have been compromised. However, those who did manage to conduct an successful analysis of the code reported no password-stealing functionality in the copies that were archived. Indeed, it is highly unlikely that the extension would have been able to steal passwords. That being said, it is theoretically plausible: see my comment here. If you don't already, I highly recommend using a password manager like Bitwarden, to reduce the difficulty of changing your passwords, and to prevent an site that transmits and stores password information in a insecure way from causing the rest of your accounts to be compromised. Additionally, enabling two factor authentication wherever you can is a very easy and powerful way to make it virtually impossible for an attacker to get your data, even if they managed to retrieve passwords.

Full description of the issue:

@deanoemcke, the original developer, chose to step back from the extension in June 2020. As a replacement maintainer, he chose an unknown entity, who controls the single-purpose @greatsuspender Github account. Much was suspicious about this change, including mention of payment for an open-source extension, and complete lack of information on the new maintainers identity. However, as the new maintainer did nothing for several months, it was believed that there was simply a failed transfer. In October 2020, the maintainer updated chrome store package. The update raised red flags for some users, because the changelog was not modified and there was no tag created in GitHub. On investigation, it appeared that the extension was now connecting to various third-party servers, and executing code from them.

This lead a few users to panic, however, on closer investigation, it appeared that the third-party servers were part of an alternative to Google Analytics: and the changes shipped along with a new (though unexplained, #1260) tracking deactivation. It appears that deactivation works. We would later discover that this was wrong: See below

The discussion continued, however, because the new update also requested additional permissions, including the ability to manipulate all web requests. That lets the extension do what it pleases, including inserting ads, blocking sites, forcible redirects.... This change was supposedly in order to enable new screenshot functionality, but that was unclear, and probably shouldn't be needed.

Furthermore, the web store extension has diverged from its Github source. A minor change in the manifest was now being shipped on the chrome web store, which was not included in Github. This is a major concern: though again, it has a possible innocent explanation. While some think it is illegal given the license on the code, this may not be a GPL violation.. Because the minified script is not part of the extension, the license does not apply to it. Because of Web Store rules, the extension itself can be unpacked and inspected in full, human-readable form, likely satisfying the copyleft restrictions.

As a final red flag, no part of the web store posting has been updated to account for this. @deanoemcke remains listed as the maintainer, and the privacy policy makes no mention of the new tracking or maintainer. It has been several months since the transfer, but almost nothing reflects that change.

@deanoemcke did respond to the thread, after a significant delay. He confirmed much of what is above, including that the secret changes are limited to analytics and are disabled by the flag. However, he hasn't yet clarified what his relationship or basis of trust with the new maintainer is, nor has he explained why the initial post mentions a 'purchase'.

On November 6th, @lucasdf discovered a smoking gun that the new maintainer is malicious. Although OpenWebAnalytics is legitimate software, it does not provide the files executed by the extension. Those are hosted on the unrelated site owebanalytics.com, which turns out to be immensely suspicious. That site was created at the same time as the update, and is clearly designed to appear innocent, being hosted on a public webhost, and being given a seemingly innocent homepage from the CentOS project. However, the site contains no real information other than the tracking scripts, appears to have been purchased with BitCoin, and is only found in the context of this extension. Most importantly, the minified javascript differs significantly from that distributed by the OWA project.

@thibaudcolas has done a more detailed analysis then my quick look. He quickly located additional hardcoded values related to other, confirmed malicious extensions, implying that the new maintainer is responsible for them. He also found incredibly suspicious additional information, that makes it clear that the extension was not loading a modified version of OWA, but a trojan disguised as it. OWA has a PHP based backend, but the fakes are using NodeJS. The trojan sets cookies, which OWA doesn't use. The response to certain requests is a completely different type then legitimate OWA. Furthermore, @joepie91 has attempted to deconstruct the minified JS, and believes that the code intercepts all requests, meaning it can track you perfectly, and furthermore manipulates those requests and makes additional advertising requests. That means the author was probably attempting to commit several flavors of advertising fraud, as well as possibly tracking you globally.

While there once appeared to be an innocent explanation for this, I can no longer say that it is remotely likely. Using the chrome web store version 7.1.8 of this extension, without disabling tracking, executed code from an untrusted third-party on your computer, with the power to modify any and all websites that you see. The fact that disabling tracking still works is irrelevant given the fact that most of the 2 million users of this extension have no idea that that option even exists. The fact that the code may not be malware is meaningless in light of the fact that it can be changed without notice, and that it is minified (human-unreadable). The fact that a new version has since been pushed that disables this behavior isn't useful given that any future update reintroduicing the malicious code will occur without notifying the user.

Many users are worried enough about the changes that they completely uninstalled the extension, preferring alternatives instead. That extension has much fewer features, but is slightly better for performance. Others have begun building it from source, and installing it manually. If a person were to try to create a new web store release, they would need to change it significantly enough that Google wouldn't reject it as spam. To simply get a safe version for yourself, see further below. Before removing or modifying the extension on your computer, be sure to unsuspend all tabs, or you WILL lose them (though the original URL's can be extracted from the extension query's, and some are working on scripts to do just that, its easier to do just avoid all that.

Throughout the above discussions, which spanned several issues, now appear in news articles, the new maintainer has never posted on the thread, or interacted in any way with the repository. Despite an ongoing discussion about how they are plotting to destroy us all, they haven't done anything to assuage our concerns: likely in the hope that all those aware of the attack would move on eventually. They aren't dead, as they were quite quick to update the extension when Microsoft removed it for malware, and @deanoemcke reports that they. But the new maintainer might well be a literal cat on a keyboard, for the amount of interaction they have made with the community.

For those who don't want to continue using the extension, alternatives include Tabs Outliner, which lets you place tabs in an outline. Auto Tab Discard is very similar to TGS, however it always reloads the tab when it is focused. Session Buddy allows you to save tabs into "collections", that can be reviewed later, as well as providing security against crashes.

If you enjoy using the extension, and wish to continue using it as it was, download the source code from the Github repository (version 7.1.6), enable developer mode, select "Load unpacked extension", and point it at the /src directory. Bam! You are now running The Great Suspender as @deanoemcke created it. @aciidic has gone further, creating a new repository not under the control of the old maintainer, and with all tracking code removed, here. The Marvellous Suspender is another fork currently on the Chrome Web Store, for those who would prefer not to finagle with developer mode settings.

That concludes my summary. For more information, please do look further down on this thread, or at the original announcement (#1175). An analysis of the script is placed here.. Additional sources began covering this in January 2021, and a lot more picked it up after February Fourth for some bizarre reason that probably has nothing to do with the removal by Google.

Edit log

Edit 01: (2020-11-06) add details from this discussion Edit 02: (2020-11-06) Update to reflect the newly discovered evidence for malice Edit 03: (2020-12-06) Note technique to continue using TGS Edit 04: (2021-01-03) Add "Urgent" to title (and WOW did people start noticing) (thanks twitter) Edit 05: (2021-01-05) Note @thibaudcolas and his analysis. Edit 06: (2021-01-08) Note @thibaudcolas's second analysis, clarify and copyedit throughout, and start adding dates to edits Edit 07: (2021-01-08) Remind about the process of removing the extension, and note a bit more about maintainer Edit 08: (2021-01-08) Last one for today, promise: Reformat edit list and other minor changes throughout, Edit 09: (2021-02-04) Note removal from store Edit 10: (2021-02-04) Fix bold Edit 11: (2021-02-04) Add help for those worried about losing tabs in nice big bold letters Edit 12: (2021-02-04) Add details about password security Edit 13: (2021-02-04) Clarify compromise, beautify edit log Edit 14: (2021-02-04) Obscure the fact that I made my first edits 9 months in the future (fix edit years) Edit 15: (2021-02-05) Clarify probably breaches: regret decision to keep obsessive edit log Edit 16: (2021-02-09) Realize that issue still contained the false implication that users were safe after November.

[XxX-Force]

... This lead a few users to panic, however, on closer investigation, it appeared that the third-party servers were part of an alternative to Google Analytics: and the changes shipped along with a new (though unexplained, #1260) tracking deactivation. It appears that deactivation works. ... @deanoemcke did respond to the thread, after a significant delay. He confirmed much of what is above, including that the secret changes are limited to analytics and are disabled by the flag. However, he hasn't yet clarified what his relationship or basis of trust with the new maintainer is, nor has he explained why the initial post mentions a 'purchase'. ...

Are trckingbyte.com and trckpath.com part of Open Web Analytics? Because what I am seeing in @deanoemcke's post is him saying that he can't guarantee if the changes made are legitimate analytics or if they're malware:

I'm not an expert on what is legitimate analytics gathering ... and what is deemed malware.

I apologize for possibly exacerbating the "panic", but I am just asking, and trying to put a little extra emphasis on this, because when you say:

...on closer investigation, it appeared that _the third-party servers were part of an alternative to Google Analytics...

It just strikes me as sounding a little too forgiving / innocent, though I'm sure that's not your intent.

I also want to emphasize, @deanoemcke goes on to say in that post.

Giving the publisher the benefit of doubt, I would say that they have the right to collect extra analytics so long as it is within Google's policies, and is communicated to the user. There is a privacy policy linked on the chrome webstore (which I set up a while ago): https://greatsuspender.github.io/privacy

Of course, this assumes that Google are aware of these changes, and also that the linked privacy policy is still accurate.

We know that these new "analytics" were not communicated to the user. They do violate the established privacy policy. They violate Google's policies, as the information provided all over the extension's page at the Web Store is now inaccurate (owner, contact, saying the project is open source, etc) and the privacy policy itself is no longer accurate.

and @deanoemcke had previously assured us when this sale was announced:

...the project will remain open source and the code here on GitHub will continue to reflect the code published to the chrome webstore.

Although, apparently he cannot be held responsible for the actions of the current owner of the extension. But, this is why mom said you shouldn't make promises that you can't keep.

I appreciate you making this issue @TheMageKing, and I thank you for creating a more centralized location for discussion about this topic, which will hopefully reach more users and give them the information they need in order to make decisions about what to do. I apologize, because I realize much of what I said here is simply repeating what you already provided. I just felt the need to emphasize a couple of things.

Personally, I reported this extension at the Chrome Web Store on October 29, with the following:

"The extension was sold to an unknown party. This entity has "updated" the extension to v7.18 w/o publishing changes to Github. It is calling remote scripts and using remote tracking analytics, sending user information somewhere w/o user knowledge. PLEASE SEE: https://github.com/greatsuspender/thegreatsuspender/issues/1175#issuecomment-717656189 AND ALSO: https://github.com/greatsuspender/thegreatsuspender/issues/1175#issuecomment-717656189 .. Owner refuses to communicate or respond to anyone. Can only be considered as malicious/malware at this point. We have no idea what the full changes are to the code, or the ramifications of said changes."

I also reported the user @greatsuspender and the main repository to GitHub on October 29 with the following:

"This person/entity purchased the Chrome web browser extension "The Great Suspender" :

https://chrome.google.com/webstore/detail/the-great-suspender/klbibkeccnjlkjkiokjodocebajanakg

which has over 2 million users. The project is supposed to be open source, and the master repository for it is located here:

https://github.com/greatsuspender/thegreatsuspender

The announcement and information regarding the purchase/transfer is located here:

https://github.com/greatsuspender/thegreatsuspender/issues/1175

The new owner of the extension has made changes to the code, and pushed an update to the Chrome Web Store, bringing the version up to 7.18. However, they have NOT published the code changes to GitHub, and the latest release here is 7.16:

https://github.com/greatsuspender/thegreatsuspender/releases

Obviously, after the Nano fiasco, this has brought a great deal of warranted concern to the community. Despite many attempts from many people, they refuse to respond or communicate in any way with anyone. Neither does the former/original author. It has been discovered that the extension is now calling remote scripts. Please see:

https://github.com/greatsuspender/thegreatsuspender/issues/1175#issuecomment-717648105

and also:

https://github.com/greatsuspender/thegreatsuspender/issues/1175#issuecomment-717656189

The extension is now injecting a tracker which violates the Privacy Policy (also linked to from the Chrome Web Store) stated here:

https://greatsuspender.github.io/privacy

This privacy policy also has not been updated to reflect that the old owner no longer owns it, who the new owner is, or what their contact information might be. It states that the extension only uses Google Analytics, which is a lie.

The project can no longer be considered as open source, since the owner refuses to make the source open and available for review. It's my belief that this person/entity is acting in bad faith, and poses a danger to the community and to every Chrome user that installs this extension. This person has had every opportunity to clarify what is going on here, but apparently has no interest in transparency or communication.. leaving any reasonable person to wonder, why did they PURCHASE this Chrome extension?

Remote code execution w/o the user's knowledge. Code changes unpublished to GitHub, yet pushed to the Chrome Web Store. New trackers injected. Violating their own privacy policy.

[calumapplepie]

Are trckingbyte.com and trckpath.com part of Open Web Analytics? Because what I am seeing in @deanoemcke's post is him saying that he can't guarantee if the changes made are legitimate analytics or if they're malware

AFAIK, Dean's intention there is to comment that he doesn't know where each user draws the line between analytics and malware. Some people might think any sort of analytics is malware: others might disagree.

As for the trckingbyte.com and trckpath.com paths, they are not involved. They were found in other extensions, but do not appear in the distributed Great Suspender. My comment on the other thread explains what they are, and how they are not related to open web analytics (Okay, they are, but related as "Hackers rewriting open-source software for malicious purposes", not "Official part of system")

I apologize for possibly exacerbating the "panic", but I am just asking, and trying to put a little extra emphasis on this, because when you say:

...on closer investigation, it appeared that _the third-party servers were part of an alternative to Google Analytics...

It just strikes me as sounding a little too forgiving / innocent, though I'm sure that's not your intent.

Actually, it was. The open web analytics system, host of owebanalytics.com, really is a google analytics alternative. The code is hosted on a github repo with 1.3k stars, and there are people elsewhere who like it. The only reason I said "appears to be" is because I am quite busy, and I didn't have time to try and conduct any sort of detailed probe beyond that the website existed and wasn't written by a poor English speaker.

I also want to emphasize, @deanoemcke goes on to say in that post.

Giving the publisher the benefit of doubt, I would say that they have the right to collect extra analytics so long as it is within Google's policies, and is communicated to the user. There is a privacy policy linked on the chrome webstore (which I set up a while ago): https://greatsuspender.github.io/privacy Of course, this assumes that Google are aware of these changes, and also that the linked privacy policy is still accurate.

We know that these new "analytics" were not communicated to the user. They do violate the established privacy policy. They violate Google's policies, as the information provided all over the extension's page at the Web Store is now inaccurate (owner, contact, saying the project is open source, etc) and the privacy policy itself is no longer accurate.

Indeed. This is the biggest reason why I am saying that they "appear malicious": those actions are major red flags, and it is sufficiently suspicious to justify a lot more scrutiny and skepticism than simple mistakes. But there is not yet evidence that they are actually malicious: everything can still be well explained by stupidity.

I'm not saying everything is rosy; there are major problems, right now. But it doesn't appear that we should start fearing for the safety of our passwords.

and @deanoemcke had previously assured us when this sale was announced:

...the project will remain open source and the code here on GitHub will continue to reflect the code published to the chrome webstore.

Although, apparently he cannot be held responsible for the actions of the current owner of the extension. But, this is why mom said you shouldn't make promises that you can't keep.

Yeah, mom seems to be right about a lot.

I appreciate you making this issue @TheMageKing, and I thank you for creating a more centralized location for discussion about this topic, which will hopefully reach more users and give them the information they need in order to make decisions about what to do. I apologize, because I realize much of what I said here is simply repeating what you already provided. I just felt the need to emphasize a couple of things.

Fair enough. I think I will edit that top post, to reflect some of this.

Personally, I reported this extension at the Chrome Web Store on October 29, with the following:

I, too have reported this on the web store. As a general rule, Google has more powers to remediate than Github: given that the source on Github is innocent, I doubt they will do much

I'll also respond to your comment in the other thread here, to condense this discussion more.

@TheMageKing, my comment was in reply to @ossilator's comment here, not to you. Regardless:
Oh, I know. I wanted to clear up some of your confusion.

... The extension is not directly connecting to the trck.... domains. It lacks the permissions to do so, -=-=-= AFAIK =-=-=-. Those sites are definitely malicious: they are hosted via a bitcoin hosting company, and were found in malicious extensions. ...

Honestly, it's nothing personal, but this is exactly the problem. You DO NOT KNOW.

You might not be able to tell, but I hedge what I say quite a bit. I am not a Javascript developer, though I do comprehend it perfectly well. Nor do I design manifests for chrome applications.

By my understanding, based on a reading of the documentation on the subject, Google requires that all websites which the extension can connect to be independently specified in the manifest.json. In the section that I understand to control that, many sites are listed, including google-analytics.com, stats.g.doubleclick.net (the google analytics sites), and cdn.owebanalytics.com. The trck paths are not there, nor does the word 'trck' even appear anywhere in the distributed code.

So while I don't know, I can say that I am as certain as I can be, short of a Google developer stating otherwise.

-=-=-=-=- On a completely unrelated note, I received an email notification at 7:51 Eastern Time that @danupo had commented :

"It looks like there is a "keypressEventHandler" defined that tries to steal the password with external javascript.
In addition, the "getPassword" function and other functions are defined.

As Japanese law prohibits putting any part of the malware code on it, could someone please check this?"

But, for some reason, I cannot find that comment here. @danupo, what's up?

I got that same notification: however, I found no evidence of those functions when I checked. It was very weird. I'm not certain of how to check on the event handler, but I did verify that no "getPassword" function was defined.

[XxX-Force]

Thanks @TheMageKing. I'm just going to stfu and stop commenting about this entire situation because I'm obviously pissed off about the whole thing and my incivility isn't deserved or beneficial to anyone. Genuinely apologize to you and anyone else I may have been rude to. Good luck to all.

[calumapplepie]

You were fine: this is a pretty scary thing going on here.

[skycafemix]

I would like to share my own decision and how it worked for me. THe answer is quite well without TheGreatSuspender so far!

After hearing what has happened, I feel very uncomfortable about TheGreatSuspender even though I really enjoyed it up to now. A quick check shows domains with bitcoin in the name and there is a strong attempt to remain anonymous. There is no way I can trust it. I have used TheGreatSuspender along with Tabs Outliner which I also love.

I decided to buy a Pro license from the author, Vladyslav Volovyk who I found is in the Ukraine. Even though there have been rumors and posts on the extension site, even quite recently about the it being abandonware due to lack of responses, I have found posts by the author elsewhere and he strikes me as being an okay and honest programmer. I cannot hold it against someone if they do not want to dedicate their life to something, and I think it is not abandonware. I decided I trust him far more than TheGreatSuspender, it works offline, and I want the automatic downloads and extra functionality of the non-free version.

I bought Tabs Outliner pro version for about US$14 with a VISA card and it was instant gratification (even though a week ago someone said they could not purchase.) Chrome on a 2019 Macbook Pro. It works great and has automatic backup both local and to Google Drive. I just wanted to post here and let you know I have just converted over 1000 tabs, which means going to each window and unsuspending them, then in Tabs Outliner just click the X to close the entire window. And maybe type a note to name the window, or not. Poof! All those minimized windows from TGS are gone. I started feeling lighter. But the pages can be reopened from the Internet obviously. I think you can even save a downloaded page to it, and you can write notes in the tab bookmark tree and so on. I had seen Chrome slowing everything down (surprising on a new Mac) to the point I had started using Safari in parallel. Well, I saved over 1.5GB according to the Chrome task manager and I feel a lot safer.

I noticed that actually Tabs Outliner even saves windows that had crashed a long, long time ago. But they also were TheGreatSuspender links. So now I am going to each ghost of a crashed window, restoring it from the net or not, and clearing it all out. When done I will fully deactivate and uninstall TheGreatSuspender.

Hope my experience helps. Tabs Outliner works fine in free mode and I have never lost data with it, though somewhere I saw written that Chrome's storage is not bulletproof. At any rate I feel quite happy with my decision and I think TGS anyway was getting unwieldy at 1000 tabs. This was a good opportunity to lose some weight.

[skycafemix]

p.s. as far as storage not being bulletproof I can confirm that some windows that had been suspended with The Great Suspender recently did not survive a chrome crash - TGS was unable to restore them. So frankly, I think the idea of Tabs Outliner is superior to TGS even though it doesn't have the cute anime eyes. Good luck everyone, I do hope some resolution is found and the new pruchaser just turns out to be clueless, but I doubt it. Injecting anything into my data along with the other scary stuff mentioned by others is just not acceptable when I use this computer for work. I feel better without TGS.

[dmuth]

This is concerning, so I too have migrated away from The Great Suspender. I can recommend Tabs Outliner as a good replacement.

[maxxyme]

Thanks guys!!! I think that's definitely the kind of extension I was looking for due to my heavy use of tabs and "contexts" (i.e. links open from the same page). Will try & adopt for sure!!!

[evg-zhabotinsky]

For anyone who is concerned by the "stealth tracking" (i.e. it not being mirrored on Github for some reason), you can always install from source. It is easy: go to chrome://extensions, enable developer mode, click "Load unpacked extension" and point it to the src folder from this repo. Done!

HOWEVER, I DON'T SEE THE CURRENT ISSUE (in itself) AS A REASON TO FREAK OUT:

1. The third-party JS is loaded from OpenWebAnalytics CDN, so it should not be able to do anything bad? I'm not 100% sure, but:
2. It does not even get loaded if you tick that "Automatic deactivation of any kind of tracking" checkbox in settings:

   
   var owa_baseUrl = 'https://cdn.owebanalytics.com/';
   var owa_cmds = owa_cmds || [];
   function loadOpenWebAnalytics(version) {
   owa_cmds.push(['trackPageView']);
   (function () {
   var _owa = document.createElement('script');
   _owa.type = 'text/javascript';
   _owa.async = true;
   _owa.src =
     owa_baseUrl +
     'owa/modules/base/js/owa.tracker-combined-latest.minified.js?siteId=klbibkeccnjlkjkiokjodocebajanakg&apikey=2cf3d852ab70d359456ce3a0aac237a3&v=' + version;
   var _owa_s = document.getElementsByTagName('script')[0];
   _owa_s.parentNode.insertBefore(_owa, _owa_s);
   })();
   }

function init() { if (!gsStorage.getOption('trackingOptOut')) { loadGoogleAnalytics( window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga' );

let details = chrome.runtime.getManifest();
loadOpenWebAnalytics(details.version);

} gsAnalytics = gsAnalytics(); }

This is from the actual extension installed from the chrome store, 'trackingOptOut' option is set by that checkbox, and `loadOpenWebAnalytics()` isn't referenced anywhere else.

Yes, this is weird that they "hid" it like that. Might have to do with the hardcoded siteId and apikey, or maybe they "just wanted to experiment with it" (on users' machines, yes, but how else do you experiment with tracking?)

Yes, they handled their PR horrendously, but that doesn't mean they are automatically malicious! (And actually, "any PR is good PR". If it spreads and then it gets proven they did nothing malicious, then more people might use the extension and more would donate to them.)

Personally, I'm going to use the "developer mode install" option, but not to avoid that tracking. Mostly because of #1259 and other autoupdate-related issues, as developer-mode extensions don't get autoupdated.

[evg-zhabotinsky]

Okay, as was mentioned on the other issue, the CDN isn't affiliated with OpenWebAnalytics so it can, in theory, serve anything. However, it can still be disabled with that checkbox. And, technically, I don't think they are violating GPL: The extension literally is the src folder in case of this repo, you can't run it without having the sources, and it also functions substantially without the thirdparty JS library.

[calumapplepie]

@evg-zhabotinsky The GPL violation was a stretch, only important we needed a way to poke the maintainer. Further, the extension on the web store is not just the src folder of this repo: there is a significant difference in the manifest.json.

[evg-zhabotinsky]

@TheMageKing Yes, it is a modified version of the src folder. The point was that you received the modified "sources" when installing the extension so the modifications don't violate GPL.

[ossilator]

to fulfill the license terms, the sources must be complete and in the preferred form. it is not sufficient for satisfying the license that the code can be easily inspected or the complete source pieced together from different sources. this is very much a license violation that any copyright holder on the source can use as leverage, be it to get the extension out of the store, or to kill the (shell) company @deanoemcke has clearly signed an NDA with (i'm assuming that he at least checked that it is a real company). a relevant association like the software freedom conservancy might help with the legalese.

on the technical side, Somebody (TM) should have a look at the jQuery code loaded by the downloaded OWA code - according to https://adguard.com/en/blog/over-20-000-000-of-chrome-users-are-victims-of-fake-ad-blockers.html that's where the malice was hidden in the previous incidents.

[Spidify]

Hi, I am an user of "The Great Suspender" extension for the Google Chrome browser.

My system currently has version 7.1.6 installed of the TGS. And I'm getting the pop-up tabs telling me to upgrade TGS. I do not want to upgrade TGS, much less after reading this thread here.

I have several questions: 1) Can I keep using version 7.1.6 of TGS? How do I stop it from requesting to be updated, as it is doing now in my system? 2) A general question about Google Chrome: Is it true that if I enable "developer mode" inside Google Chrome extensions settings, then no extension will be automatically updated without my manual intervention?

[Poopooracoocoo]

2. A general question about Google Chrome: Is it true that if I enable "developer mode" inside Google Chrome extensions settings, then no extension will be automatically updated without my manual intervention?

Unfortunately you can't disable automatic updates for Chrome or its extensions.

[evg-zhabotinsky]

1. Can I keep using version 7.1.6 of TGS? How do I stop it from requesting to be updated, as it is doing now in my system?

It seems the only "sane" way to stop updates to an extension is to install it from source. And it is easy: Download this repository, go to chrome://extensions, enable developer mode, click "Load unpacked extension" and point it to the src directory. Done! To switch from one instance of extension to the other, I clicked "unsuspend all tabs in all windows" (took a while for over 100 of them), manually copied extension settings, and finally deleted the one from chrome store.

[Spidify]

1. Can I keep using version 7.1.6 of TGS? How do I stop it from requesting to be updated, as it is doing now in my system?

It seems the only "sane" way to stop updates to an extension is to install it from source. And it is easy: Download this repository, go to chrome://extensions, enable developer mode, click "Load unpacked extension" and point it to the src directory. Done! To switch from one instance of extension to the other, I clicked "unsuspend all tabs in all windows" (took a while for over 100 of them), manually copied extension settings, and finally deleted the one from chrome store.

Thanks. I'm doing as you say, and indeed it is easy to install the extension from source once you get the gist of it.

This way, I will keep using The Great Suspender version 7.1.6 installed from source, and let it be at that version. If it works, it needs no fixing nor upgrading! :-)

[stamstamNitzan]

If you want to report the extension you can simply write this: @TheMageKing

The extension was sold to an unknown party. This entity has "updated" the extension to v7.18 w/o publishing changes to Github. It is calling remote scripts and using remote tracking analytics, sending user information somewhere w/o user knowledge. PLEASE SEE: #1175 (comment) AND ALSO: #1175 (comment) .. Owner refuses to communicate or respond to anyone. Can only be considered as malicious/malware at this point. We have no idea what the full changes are to the code, or the ramifications of said changes.

github.com//issues/1175#issuecomment-717656189

github.com//issues/1175#issuecomment-717656189

[duoi]

Any alternative packages recommended?

[stamstamNitzan]

My understanding is that 7.1.6 is the last stable one, but I am not an expert.

[duoi]

I kind of just want to hop off this train altogether at this point, to be honest.

[dmuth]

Any alternative packages recommended?

I've been using Tabs Outliner for a couple of weeks now, and I'm really happy with it. I even bought the paid version!

[skycafemix]

Same here, I have not actually deinstalled GSP yet but have told it to never sleep tabs. I will deinstall it after making sure no past history is desired (since Tabs Outliner knows about long ago slept and crashed tabs too.) Tabs Outliner is working wonderfully well (paid version) and actually has made my work faster since I need to do a lot of research online while working. With the automatic backup both local and to google (not sure where it saves though), and being able to organize pages into folders, closing windows and just opening them from the outliner window when needed it is much better organized and I no longer constantly trend back to 1000 tabs. I can close the window/tabs from Tabs Outliner and it will remember them for later.

[ossilator]

the new web store release 7.1.9 does not contain the presumably malicious code any more. that might be a reaction to the fact that MS Edge started blocking the extension. but note that the permissions in the manifest have not been revoked.

[calumapplepie]

I can confirm what @ossilator says, but my system has yet to automatically update (though the new version is listed on the chrome web store). The new version no longer loads code from owebanalytics.com, as far as I can see, but I still don't trust it.

[stamstamNitzan]

Why not simply sticking with the version that was before the change? It was great as far as I saw.

[Luckz]

Tabs Outliner is working wonderfully well (paid version) and actually has made my work faster since I need to do a lot of research online while working. With the automatic backup both local and to google (not sure where it saves though), and being able to organize pages into folders, closing windows and just opening them from the outliner window when needed it is much better organized and I no longer constantly trend back to 1000 tabs. I can close the window/tabs from Tabs Outliner and it will remember them for later.

Unfortunately since Chromium-like browsers don't allow extensions to persist tabs, Tabs Outliner too only can offer bookmarks: no scroll position, no back/forwards history. I didn't have the best time with https://chrome.google.com/webstore/detail/scrollmark-autosave-scrol/gekidlkidjohjompjafiphdpgejjgklo?hl=en ; I didn't try https://chrome.google.com/webstore/detail/scrollmarks/dhgphpilnllknnoaafmgobkmnialglad?hl=en .

Also, I recently removed Tabs Outliner because of how much it was slowing down my Chrome. Perhaps a non-issue if you don't actually open all that many tabs at the same time. (And there's the annoying duplication bug if you don't close all windows and rather make Chrome restore the session on startup)

[aciidic]

My attempt to remove tracking, notifications & permissions from the latest v7.1.8, for those interested in testing a privacy-preserving version of this plugin.

https://github.com/aciidic/thegreatsuspender-notrack

[cagdas001]

I've also removed The Great Suspender and installed Auto Tab Discard instead. But looks like Auto Tab Discard lacks of session management feature, which was very helpful with The Great Suspender when Chrome fails to restore lost tabs after an unexpected crash/shutdown etc. Are any of you aware of a good alternative that has this feature?

If we have no alternative that has this feature, maybe we, as migraters from The Great Suspender, can create a feature request at Auto Tab Discard repo.

[Poopooracoocoo]

Session Buddy is one alternative. Extensions to replace the session management features were discussed in the other issue @cagdas001 :)

[XxX-Force]

... Are any of you aware of a good alternative that has this feature? ...

You can always just install version 7.16 of The Great Suspender directly from the source. Works fine.

Because I know absolutely nothing about programming, but still didn't want the (fairly innocuous imo) Google Analytics, which was always present in TGS, and the option to disable it is not present in v7.16, I opened the gsAnalytics.js file located in \src\js with NotePad++ and changed line 146 from:

'https://www.google-analytics.com/analytics.js',

To:

'https://0.0.0.0/',

Which threw some error when I then installed TGS, but everything works completely as expected. All of the experienced people here, please don't be too brutal with me lmao, as I'm sure this was a very stupid way of doing things, but again.. zero knowledge of programming anything.

Version 7.16 can be obtained here:

https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6

Instructions for installing it directly from the source code (very easy!) are in the README for the extension, located here:

https://github.com/greatsuspender/thegreatsuspender#install-as-an-extension-from-source

If you choose to install 7.16, make sure that you unsuspend all suspended tabs before disabling / removing the current version.

You may also/alternatively want to consider @aciidic 's fork of the extension, with analytics properly (lol) and other annoyances removed, located here:

https://github.com/aciidic/thegreatsuspender-notrack

I haven't tried it yet, but definitely want to thank @aciidic for it!

Good luck.

[ppp-one]

Perhaps unrelated, but will put here anyway. One of my friends had their email compromised in early Dec 2020 with having this extension (amongst others) installed on Chrome.

[NightMachinery]

I vaguely remember that newer Chrome versions automatically “suspend” tabs from RAM? So if all I care about is performance (not tab organization), why do I need an extension?

[calumapplepie]

I vaguely remember that newer Chrome versions automatically “suspend” tabs from RAM? So if all I care about is performance (not tab organization), why do I need an extension?

Because Chrome's suspension isn't terribly aggressive, isn't as efficient, and will reload a tab if you accidentally open it momentarily.

[berkant]

Thanks for bringing this up. I have wiped this extension from all of my devices + sent an abuse report to Google. I at least suggest you to report abuse.

[ossilator]

there is no point in sending more abuse reports. the owner was caught, they backed out the questionable code, and until they make another attempt in presumably many months, there is no grounds for complaining to google. being a terrible maintainer is no policy violation.

as for the technical merits of TGS, it offers more control over (un-)suspension than chrome's built-ins, as @TheMageKing already pointed out. but chrome's tab discarding is more effective than TGS's "classical" suspending - which is why TGS will use discarding when appropriate and enabled (option "Apply Chrome's built-in memory-saving when suspending").

[TZer0]

@ossilator That sounds like a great way to get hit with malicious code X months down the line to me.

Do you really think someone who attempted to do something malicious after being caught is just going to go "oh, I guess I was doing something malicious, didn't know that, I guess I shouldn't!"?

[sheepdestroyer]

A mysterious new owner that want to remain anonymous, never interacted with the community and silently updates store's build without corresponding commits to the repo? Right, this great extension is now officially a virus provider.

Should we point out that this extension is GPLv2 and that the new owner obviously violated the license? How do we retaliate against license violation? Complain to GitHub? Google?

[ossilator]

the point is that we currently have no leverage against them, as they aren't violating any webstore requirements (not even the license, see your #1288). and until they provably carry out an attack which gets them banned, the 2+ million users will remain vulnerable to that attack. google clearly considers that acceptable, as otherwise they'd have already acted. one can only hope that internally they flagged the extension, so they'd block any update that appears even slightly suspicious.

of course i installed the extension from git, but this is a luxury only a few privileged people can afford.

[Willt125]

Well this is terrifying. I'm no infosec guru, but if someone's pushing releases without updating the git or even the manifest, I'd be shutting the whole thing down NOW, no one in or out (metaphorically, in this case) Is there any way to shut them out, or will we have to Martin Luther the repo?

[mihaimaruseac]

I'm not sure anyone really notified Google.

[sbusch]

I sent a report to Google via the "Report abuse" ("Missbrauch melden" in German) button on extension page. I'm sure that I'm not the only one.

Everyone who also reported the extension to Google could react to this comment with a rocket 🚀 reaction.

[TZer0]

the point is that we currently have no leverage against them, as they aren't violating any webstore requirements (not even the license, see your #1288). and until they provably carry out an attack which gets them banned, the 2+ million users will remain vulnerable to that attack. google clearly considers that acceptable, as otherwise they'd have already acted. one can only hope that internally they flagged the extension, so they'd block any update that appears even slightly suspicious.

of course i installed the extension from git, but this is a luxury only a few privileged people can afford.

Would Google have previous versions? This is such a clear violation of trust that it ought to be enough to pull the entire extension down.

[thibaudcolas]

I’ve spent a bit of time inspecting the owa.tracker-combined-latest.minified.js loaded from cdn.owebanalytics.com by v7.1.8 of the extension (and removed in v7.1.9) – will have to stop now but sharing the details of my findings for others to feed back on / if someone wants to spend more time on this.

TL;DR; the code published in v7.1.8 associates this extension with other extensions that I would consider to be likely adware or malware, either because they contain things I find questionable, or are related to now-unpublished extensions that had even more questionable "phone home" features, and have been reported to inject ads.

---

• As far as I can see this owa.tracker-combined-latest.minified.js file loaded in v7.1.8 is almost identical to one from the source of Open Web Analytics v1.6.2, owa.tracker-combined-min.js. There are two differences. Edit: here is the diff between v1.6.2 and the TGS version.
• There is further minification on the file. As far as I can tell this is just more advanced JS minification, no obfuscation going on.
• There is a hard-coded siteId, which doesn’t match the siteId set as a query parameter of the script URL in the extension’s source. Apparently this is meant to identify the property being tracked, like the Tracking ID in Google Analytics.

The siteId in question is bacakpdjpomjaelpkpkabmedhkoongbi – this is actually the ID of another extension in the Chrome Web Store called Video Downloader professional.

This one file, along with its different minification and hard-coded site id, is an exact match to the file of the same name / path served from the static.trckingbyte.com and static.trckingbyte.com domains – initially mentioned in https://github.com/greatsuspender/thegreatsuspender/issues/1175#issuecomment-717661094. Those domains are present in the source of different extensions – Auto Refresh Premium, and Stream Video Downloader. I can only guess why one extension’s ID would find itself in other extensions, on different domains – it suggests they’re related, perhaps made by the same person / group of people, but it could also be accidental.

---

From there, I took a look at those other extensions, starting with Video Downloader professional.

• Video Downloader professional opens a tab onto another extension’s store page on install, Video Downloader Plus. That extension also seems to offer a SaaS online download service.
• Both have a web page they show when attempting to download videos from YouTube, which displays ads.
• Video Downloader professional’s store privacy policy page links to http://4kdownloader.net/, which itself references another extension ID that is no longer available on the store, kmdldgcmokdpmacblnehppgkjphcbpnn.
• Installing that older kmdldgcmokdpmacblnehppgkjphcbpnn extension, its "YouTube download page fallback" links to a download page for a Windows .exe YouTube video downloader.
• Oh and – comparing both the old and new extensions, the old version contained hundreds of lines of code with "phone home" / background request / chain redirect / domain blacklist features. This isn’t my area of expertise but to untrained eyes this looks as fishy as it gets, particularly since as far as I can tell the "background processing" and "video download" codes are completely independent of one-another (!?). I’ve made the source available here should someone else want to investigate: https://gist.github.com/thibaudcolas/698e737ce9065bece1f77e12ef38b782.

I’ll stop there. Googling all those extensions, there are references to malware, although it’s not always clear whether they are false positives or not. Taking a brief look at their code / sites, it’s a similar web of at-best questionable practices (unclear who the authors are, links to phishy-looking sites, lack of an apparent business model).

---

Back to The Great Suspender and its new-but-now-gone tracking script – the script currently served by those domains does look like an innocuous Open Web Analytics tracker script. It could well be selectively serving the innocuous script, and on occasion switch over to a more malicious payload. Or it really could just be added tracking. Based on the association with those other extensions, I’d expect TGS will eventually switch to have a similar business model – stay low-profile long enough so people here move on, then cash in on whoever is left unaware of the change of direction.

[alphapapa]

Thanks to all who have been investigating this and spreading the word about it.

We should consider that, if the new owner of the extension and this repo is indeed malicious (and, from a security perspective, one should assume hostile intent, given what's transpired so far), it's likely that the discussion on this issue will be locked and deleted by him at some point. In order to continue the investigation and preserve what's been found so far, the discussion thus far should be mirrored somewhere, and further discussion should probably be held elsewhere. Perhaps someone who's forked the repo could host an issue in their repo, or maybe it could take place on a Gist (if it's to stay on GitHub).

[Nezteb]

Not perfect, but here's an imgur screenshot backup: https://imgur.com/a/q7IbkCr

[aciidic]

https://archive.is/Em1wb

https://archive.is/jdSWW

[joepie91]

I’ve made the source available here should someone else want to investigate: https://gist.github.com/thibaudcolas/698e737ce9065bece1f77e12ef38b782.

I'm currently going through the code and writing up a description of its behaviour, and will report back with more details soon.

[joepie91]

I've published a more readable version of the code here: https://gist.github.com/joepie91/fa55c936438bab8bb977e008e8be82f2

Most parts of the code are remotely configurable, can be rate-limited, and so on.

The general functionality of the code is:

• Intercepts all requests to:
  • Strip out certain response headers (config.validateFields, string)
  • Strip out the Referer header from every request
  • Optionally add in a fake Referer header based on configuration rules (against the current URL, what page the request originates from, etc.)
• Intercepts all pageloads, to:
  • Report their URLs to the API server (max. once every 2 hours per domain), but only for those domains in a remotely-configured list (/coverage API)
  • Generate a new URL, from an affiliate URL template + the request URL, then:
    • Request that URL and optionally receive a new URL in response
    • Either load that URL in the background, or in a new tab

Possible and likely usecases:

• 'Competitor analytics', basically tracking how much traffic competitors get, by tracking requests to their sites
• Advertising fraud (through background requests to advertising servers)
• Adware (by opening new tabs with ads)
• Affiliate fraud (through Referer header manipulation/injection)

Edit: To be clear, these are the risks to you as the user, currently:

• Operator may receive a log of every URL you load, ie. your browsing is not private
• Your browser becomes involved in advertising/affiliate fraud, which may also get you blocked from sites
• You may start seeing ads in new tabs

[nmichaud]

@joepie91 Any risk of password capture? The permission to read/modify data is needed to be able to read out from form elements (say for a login page).