greatsuspender / thegreatsuspender

A chrome extension for suspending all tabs to free up memory
https://chrome.google.com/webstore/detail/the-great-suspender/klbibkeccnjlkjkiokjodocebajanakg/
GNU General Public License v2.0

URGENT: SECURITY: New maintainer is probably malicious #1263

Open calumapplepie opened 3 years ago

calumapplepie commented 3 years ago

TLDR: The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more. In v7.1.8 of the extension (published to the web store but NOT to GitHub), arbitrary code was executed from a remote server, which appeared to be used to commit a variety of tracking and fraud actions. After Microsoft removed it from Edge for malware, v7.1.9 was created without this code: that has been the code distributed by the web store since November, and it does not appear to load the compromised script. However, the malicious maintainer remains in control, and can introduce an update at any time. It further appears that, while v7.1.9 was what was listed on the store, those who had the hostile v7.1.8 installed did NOT automatically receive the malware-removing update, and continued running the hostile code until Google force-disabled the extension.

The Great Suspender has been removed from the Chrome Web Store. To recover your tabs, see issue #526, or continue reading. The code in the GitHub repository is currently safe, and the most recent tagged release happened before the transfer of ownership. To use that version, and avoid needing to finagle URLs, enable Chrome developer mode, download and extract a copy of the code, then navigate to your extensions menu and select 'Load Unpacked Extension'.

Some others have had success simply pressing the "back" button on suspended tabs: everyone should note that the site's URL is included in the URL of the suspended page. For a pictorial guide on doing this, see this comment. Further, if you just want to reload lost tabs, you can use some form of File History on Chrome's user profile directory (while chrome is closed!), before restarting chrome and using the extension menu to unsuspend all tabs before your computer realizes the extension is banned again.

Because the malicious code loaded from a server by the extension in version 7.1.8 was heavily obfuscated, it is hard to say what may have been compromised. However, those who did manage to conduct a successful analysis of the code reported no password-stealing functionality in the copies that were archived. Indeed, it is highly unlikely that the extension would have been able to steal passwords. That being said, it is theoretically plausible: see my comment here. If you don't already, I highly recommend using a password manager like Bitwarden, to reduce the difficulty of changing your passwords, and to prevent a site that transmits and stores password information in an insecure way from causing the rest of your accounts to be compromised. Additionally, enabling two factor authentication wherever you can is a very easy and powerful way to make it virtually impossible for an attacker to get your data, even if they managed to retrieve passwords.

Full description of the issue:

@deanoemcke, the original developer, chose to step back from the extension in June 2020. As a replacement maintainer, he chose an unknown entity, who controls the single-purpose @greatsuspender GitHub account. Much was suspicious about this change, including mention of payment for an open-source extension, and a complete lack of information on the new maintainer's identity. However, as the new maintainer did nothing for several months, it was believed that there was simply a failed transfer. In October 2020, the maintainer updated the Chrome store package. The update raised red flags for some users, because the changelog was not modified and there was no tag created in GitHub. On investigation, it appeared that the extension was now connecting to various third-party servers, and executing code from them.

This led a few users to panic; however, on closer investigation, it appeared that the third-party servers were part of an alternative to Google Analytics, and the changes shipped along with a new (though unexplained, #1260) tracking deactivation. It appears that deactivation works. We would later discover that this was wrong: see below.

The discussion continued, however, because the new update also requested additional permissions, including the ability to manipulate all web requests. That lets the extension do what it pleases, including inserting ads, blocking sites, forcible redirects.... This change was supposedly in order to enable new screenshot functionality, but that was unclear, and probably shouldn't be needed.

Furthermore, the web store extension has diverged from its GitHub source. A minor change in the manifest was now being shipped on the Chrome Web Store, which was not included in GitHub. This is a major concern: though again, it has a possible innocent explanation. While some think it is illegal given the license on the code, this may not be a GPL violation. Because the minified script is not part of the extension, the license does not apply to it. Because of Web Store rules, the extension itself can be unpacked and inspected in full, human-readable form, likely satisfying the copyleft restrictions.

As a final red flag, no part of the web store posting has been updated to account for this. @deanoemcke remains listed as the maintainer, and the privacy policy makes no mention of the new tracking or maintainer. It has been several months since the transfer, but almost nothing reflects that change.

@deanoemcke did respond to the thread, after a significant delay. He confirmed much of what is above, including that the secret changes are limited to analytics and are disabled by the flag. However, he hasn't yet clarified what his relationship or basis of trust with the new maintainer is, nor has he explained why the initial post mentions a 'purchase'.

On November 6th, @lucasdf discovered a smoking gun that the new maintainer is malicious. Although OpenWebAnalytics is legitimate software, it does not provide the files executed by the extension. Those are hosted on the unrelated site owebanalytics.com, which turns out to be immensely suspicious. That site was created at the same time as the update, and is clearly designed to appear innocent, being hosted on a public webhost, and being given a seemingly innocent homepage from the CentOS project. However, the site contains no real information other than the tracking scripts, appears to have been purchased with BitCoin, and is only found in the context of this extension. Most importantly, the minified javascript differs significantly from that distributed by the OWA project.

@thibaudcolas has done a more detailed analysis than my quick look. He quickly located additional hardcoded values related to other, confirmed malicious extensions, implying that the new maintainer is responsible for them. He also found incredibly suspicious additional information, that makes it clear that the extension was not loading a modified version of OWA, but a trojan disguised as it. OWA has a PHP based backend, but the fakes are using NodeJS. The trojan sets cookies, which OWA doesn't use. The response to certain requests is a completely different type than legitimate OWA. Furthermore, @joepie91 has attempted to deconstruct the minified JS, and believes that the code intercepts all requests, meaning it can track you perfectly, and furthermore manipulates those requests and makes additional advertising requests. That means the author was probably attempting to commit several flavors of advertising fraud, as well as possibly tracking you globally.

While there once appeared to be an innocent explanation for this, I can no longer say that it is remotely likely. Using the Chrome Web Store version 7.1.8 of this extension, without disabling tracking, executed code from an untrusted third party on your computer, with the power to modify any and all websites that you see. The fact that disabling tracking still works is irrelevant given the fact that most of the 2 million users of this extension have no idea that that option even exists. The fact that the code may not be malware is meaningless in light of the fact that it can be changed without notice, and that it is minified (human-unreadable). The fact that a new version has since been pushed that disables this behavior isn't useful given that any future update reintroducing the malicious code will occur without notifying the user.

Many users are worried enough about the changes that they have completely uninstalled the extension, preferring alternatives instead. That extension has far fewer features, but is slightly better for performance. Others have begun building it from source and installing it manually. If a person were to try to create a new web store release, they would need to change it significantly enough that Google wouldn't reject it as spam. To simply get a safe version for yourself, see further below. Before removing or modifying the extension on your computer, be sure to unsuspend all tabs, or you WILL lose them (though the original URLs can be extracted from the extension's query strings, and some are working on scripts to do just that, it's easier to just avoid all that).

Throughout the above discussions, which spanned several issues and now appear in news articles, the new maintainer has never posted on the thread, or interacted in any way with the repository. Despite an ongoing discussion about how they are plotting to destroy us all, they haven't done anything to assuage our concerns: likely in the hope that all those aware of the attack would move on eventually. They aren't dead, as they were quite quick to update the extension when Microsoft removed it for malware, and @deanoemcke reports that they. But the new maintainer might well be a literal cat on a keyboard, for the amount of interaction they have made with the community.

For those who don't want to continue using the extension, alternatives include Tabs Outliner, which lets you place tabs in an outline. Auto Tab Discard is very similar to TGS, however it always reloads the tab when it is focused. Session Buddy allows you to save tabs into "collections", that can be reviewed later, as well as providing security against crashes.

If you enjoy using the extension, and wish to continue using it as it was, download the source code from the Github repository (version 7.1.6), enable developer mode, select "Load unpacked extension", and point it at the /src directory. Bam! You are now running The Great Suspender as @deanoemcke created it. @aciidic has gone further, creating a new repository not under the control of the old maintainer, and with all tracking code removed, here. The Marvellous Suspender is another fork currently on the Chrome Web Store, for those who would prefer not to finagle with developer mode settings.

That concludes my summary. For more information, please do look further down on this thread, or at the original announcement (#1175). An analysis of the script is placed here. Additional sources began covering this in January 2021, and a lot more picked it up after February Fourth for some bizarre reason that probably has nothing to do with the removal by Google.

Edit log

Edit 01: (2020-11-06) add details from this discussion
Edit 02: (2020-11-06) Update to reflect the newly discovered evidence for malice
Edit 03: (2020-12-06) Note technique to continue using TGS
Edit 04: (2021-01-03) Add "Urgent" to title (and WOW did people start noticing) (thanks twitter)
Edit 05: (2021-01-05) Note @thibaudcolas and his analysis.
Edit 06: (2021-01-08) Note @thibaudcolas's second analysis, clarify and copyedit throughout, and start adding dates to edits
Edit 07: (2021-01-08) Remind about the process of removing the extension, and note a bit more about maintainer
Edit 08: (2021-01-08) Last one for today, promise: Reformat edit list and other minor changes throughout
Edit 09: (2021-02-04) Note removal from store
Edit 10: (2021-02-04) Fix bold
Edit 11: (2021-02-04) Add help for those worried about losing tabs in nice big bold letters
Edit 12: (2021-02-04) Add details about password security
Edit 13: (2021-02-04) Clarify compromise, beautify edit log
Edit 14: (2021-02-04) Obscure the fact that I made my first edits 9 months in the future (fix edit years)
Edit 15: (2021-02-05) Clarify probable breaches: regret decision to keep obsessive edit log
Edit 16: (2021-02-09) Realize that issue still contained the false implication that users were safe after November.

joepie91 commented 3 years ago

@nmichaud I have not seen any code that could do so, in the code provided by @thibaudcolas, and there does not seem to be any "execute arbitrary JS" functionality in there either.

That having been said:

If the malicious code in this extension comes from the same source as Video Downloader, then most likely your passwords will not have been at risk, also because the publisher mainly seems interested in various forms of large-scale advertising fraud, and accounts aren't often useful there.

But there's no way to be 100% sure without going through the release history of the extension, and verifying that none of them contained any additional malicious code (which I unfortunately don't have the time for today).

UPDATE: This conclusion turned out to be possibly-wrong. See below.

calumapplepie commented 3 years ago

@thibaudcolas @joepie91 Thank you both for the detailed analysis! I have edited the top post to reflect it.

As for @thibaudcolas's idea that people will move on: bad news! Until I added 'urgent' to the title, the thread basically died: people have been reporting other, new issues to the repository, which tells me nobody notices when it just says "security". In short, they're doing quite well at achieving their goal of 'getting everyone to forget', by literally doing nothing.

That said, @joepie91, keep in mind that the suspicious code posted by @thibaudcolas isn't part of the extension. The extension (contained) code to download and execute javascript from a remote, suspicious-looking server: that is what you analyzed. It is already executing arbitrary JS; and while the latest update removed that (we think), it can be brought back anytime.

joepie91 commented 3 years ago

That said, @joepie91, keep in mind that the suspicious code posted by @thibaudcolas isn't part of the extension. The extension (contained) code to download and execute javascript from a remote, suspicious-looking server: that is what you analyzed. It is already executing arbitrary JS; and while the latest update removed that (we think), it can be brought back anytime.

Aha, I missed that detail. In that case, yes, it's possible that anything could have been run, including password-stealing code :(

(It actually kind of baffles me that extensions are allowed to access the extension API from downloaded code, then, but that's a whole separate discussion...)

jeysal commented 3 years ago

it's likely that the discussion on this issue will be locked and deleted by him at some point

Possible, but that would basically instantly confirm the suspicion, and the majority of possibly targeted users that are less tech-savvy would not see this thread anyway. It seems zero communication would actually be an effective strategy given malicious intent, which makes it even more valuable that there are people monitoring and analyzing the releases :clap:

furettino commented 3 years ago

@thibaudcolas @joepie91 Thank you both for the detailed analysis! I have edited the top post to reflect it.

As for @thibaudcolas's idea that people will move on: bad news! Until I added 'urgent' to the title, the thread basically died: people have been reporting other, new issues to the repository, which tells me nobody notices when it just says "security". In short, they're doing quite well at achieving their goal of 'getting everyone to forget', by literally doing nothing. [snip]

No doubt you're all already aware, but this was circulated by a number of Infosec Twitter accounts yesterday, which is how I learned of it, so it's getting some wider exposure.

nmichaud commented 3 years ago

But there's no way to be 100% sure without going through the release history of the extension, and verifying that none of them contained any additional malicious code (which I unfortunately don't have the time for today).

Also since they control the endpoint where the code was fetched, they could have substituted a malicious payload at any time and likely it would never be caught (I wonder how much data is provided by client-side fetch code - like the recent event-stream issue (https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets), it's possible this change could have been targeted at a particular user of TGS).

dismantl commented 3 years ago

No doubt you're all already aware, but this was circulated by a number of Infosec Twitter accounts yesterday, which is how I learned of it, so it's getting some wider exposure.

Yes it is now in Life Hacker. Keeping the new maintainer's identity secret is downright irresponsible and unethical given the likelihood of a malicious maintainer and the extension having over 1M+ installs.

wylie39 commented 3 years ago

I ended up just making my own version from before the new maintainer took over, see: https://github.com/wylie39/Thesuspender

I tried to submit it to the Webstore but got denied because it was too similar.

thibaudcolas commented 3 years ago

Picking this back up – I went back to the owa.tracker-combined-latest.minified.js that was loaded by v7.1.8 of the extension, and found more definitive evidence that this is indeed not Open Web Analytics, but another application trying to pass for it.

Inspecting the response headers, rather than the actual script:

```
$ curl -I 'https://cdn.owebanalytics.com/owa/modules/base/js/owa.tracker-combined-latest.minified.js?siteId=klbibkeccnjlkjkiokjodocebajanakg&apikey=2cf3d852ab70d359456ce3a0aac237a3&v=7.1.8'
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 05 Jan 2021 22:21:49 GMT
Content-Type: text/javascript; charset=utf-8
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Set-Cookie,Content-Type
Set-Cookie: sjkid=679c4ee0-4fa4-11eb-aa0b-9d2325fcbc69; Path=/; Expires=Mon, 13 Nov 2023 14:21:49 GMT; Secure; SameSite=None
Allow: GET
Vary: Accept-Encoding
Via: 1.1 vegur
```

Massive red flags: X-Powered-By: Express (served by Node.js), and setting a sjkid cookie. OWA is PHP-based, and doesn’t set any cookies when serving its tracker script.

Here are the response headers of a legit OWA implementation for reference:

```
$ curl -I http://www.openwebanalytics.com/wp-content/plugins/owa/modules/base/js/owa.tracker-combined-min.js
HTTP/1.1 200 OK
Date: Tue, 05 Jan 2021 22:27:37 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade
Last-Modified: Wed, 13 May 2020 01:41:52 GMT
ETag: "12bf6-5a57daf375e4c"
Accept-Ranges: bytes
Content-Length: 76790
Cache-Control: max-age=2592000
Expires: Thu, 04 Feb 2021 22:27:37 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: application/javascript
```

There are valid reasons for some headers to differ when serving static files, but not those headers. To corroborate all of this I also loaded the extension in a sandboxed Chrome and inspected its fake tracking pixel requests. The request to log.php looks like what a normal OWA client would send, but the response doesn’t match what the OWA backend is meant to serve.

TGS fake tracking pixel log.php response vs real OWA implementation:

```
curl -I 'https://cdn.owebanalytics.com/log.php?owa_timestamp=1609886290&owa_event_type=base.page_request&owa_visitor_id=1609886217541603325&owa_fsts=1609886217&owa_dsfs=0&owa_last_req=1609886217&owa_session_id=1609886217488590504&owa_nps=1&owa_dsps=0&owa_medium=direct&owa_source=%28none%29&owa_search_terms=%28none%29&owa_session_referer=%28none%29&owa_page_url=chrome-extension%3A%2F%2Fgkgkjnibjgollfdknieejhejimddigep%2F_generated_background_page.html&owa_HTTP_REFERER=&owa_page_title=&owa_site_id=&' \
  -H 'Connection: keep-alive' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4379.0 Safari/537.36' \
  -H 'Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8' \
  -H 'Sec-Fetch-Site: none' \
  -H 'Sec-Fetch-Mode: no-cors' \
  -H 'Sec-Fetch-Dest: image' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sjkid=84211c60-4fa6-11eb-a0f4-45a5ca107f8d' \
  --compressed
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 05 Jan 2021 22:43:10 GMT
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Set-Cookie,Content-Type
Via: 1.1 vegur
```

And the real OWA instance – that serves a 1px GIF as expected:

```
curl -I 'http://www.openwebanalytics.com/wp-content/plugins/owa/log.php?owa_timestamp=1609883437&owa_event_type=base.page_request&owa_user_name=&owa_page_type=Search+Results&owa_page_title=Search+Results+for+%22node%22&owa_visitor_id=1609882775092400392&owa_fsts=1609882775&owa_dsfs=0&owa_last_req=1609882859&owa_session_id=1609882775856888878&owa_nps=0&owa_dsps=0&owa_medium=direct&owa_source=%28none%29&owa_search_terms=%28none%29&owa_session_referer=%28none%29&owa_site_id=b07455aa2c46698dbb2d053f96447dfb&owa_page_url=http%3A%2F%2Fwww.openwebanalytics.com%2F%3Fs%3Dnode&owa_HTTP_REFERER=http%3A%2F%2Fwww.openwebanalytics.com%2Fabout%2F&' \
  -H 'Connection: keep-alive' \
  -H 'Pragma: no-cache' \
  -H 'Cache-Control: no-cache' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' \
  -H 'Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8' \
  -H 'Referer: http://www.openwebanalytics.com/?s=node' \
  -H 'Accept-Language: en-US,en;q=0.9,fi;q=0.8,fr;q=0.7,ja;q=0.6' \
  -H 'Cookie: owa_v=cdh%3D%3Ee888e24d%7C%7C%7Cvid%3D%3E1609882775092400392%7C%7C%7Cfsts%3D%3E1609882775%7C%7C%7Cdsfs%3D%3E0%7C%7C%7Cnps%3D%3E0; owa_s=cdh%3D%3Ee888e24d%7C%7C%7Clast_req%3D%3E1609883437%7C%7C%7Csid%3D%3E1609882775856888878%7C%7C%7Cdsps%3D%3E0%7C%7C%7Creferer%3D%3E%28none%29%7C%7C%7Cmedium%3D%3Edirect%7C%7C%7Csource%3D%3E%28none%29%7C%7C%7Csearch_terms%3D%3E%28none%29' \
  --compressed \
  --insecure
HTTP/1.1 200 OK
Date: Tue, 05 Jan 2021 22:42:15 GMT
Server: Apache
Content-encoding: none
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Expires: Wed, 11 Jan 2000 12:59:00 GMT
Pragma: no-cache
Upgrade: h2
Connection: Upgrade, Keep-Alive
Content-Length: 42
Last-Modified: Wed, 11 Jan 2006 12:59:00 GMT
Vary: User-Agent
Keep-Alive: timeout=2, max=100
Content-Type: image/gif
```

And for a final quick check – looking at the real OWA’s source code, its log.php requests are meant to serve a redirect on POST requests. That makes it pretty easy to spot the fakes:

```
# Real OWA, redirecting as expected.
$ curl -I -X POST http://www.openwebanalytics.com/wp-content/plugins/owa/log.php
HTTP/1.1 302 Found
# Fake OWA, 200 OK.
$ curl -I -X POST https://cdn.owebanalytics.com/log.php
HTTP/1.1 200 OK
```

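The header-based fingerprinting above, turned into a small checker as an added example (not code from the thread, not OWA's, and not the extension's): it parses a `curl -I` style response and reports the indicators thibaudcolas listed (Express banner, cookie on the tracker script, no GIF from log.php on GET, no 302 from log.php on POST). The sample responses are constructed from the header values quoted above.

```javascript
// Added example: classify an HTTP response head by the fake-vs-real OWA indicators
// discussed in this thread. Samples are constructed from header values quoted above.

const FAKE_TRACKER_RESPONSE = `HTTP/1.1 200 OK
Server: nginx/1.16.1
Content-Type: text/javascript; charset=utf-8
X-Powered-By: Express
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Set-Cookie,Content-Type
Set-Cookie: sjkid=679c4ee0-4fa4-11eb-aa0b-9d2325fcbc69; Path=/; Secure; SameSite=None
Allow: GET
Via: 1.1 vegur`;

const REAL_TRACKER_RESPONSE = `HTTP/1.1 200 OK
Server: Apache
Content-Length: 76790
Cache-Control: max-age=2592000
Content-Type: application/javascript`;

const FAKE_LOG_GET_RESPONSE = `HTTP/1.1 200 OK
Server: nginx/1.16.1
X-Powered-By: Express
Access-Control-Allow-Origin: *
Via: 1.1 vegur`;

const REAL_LOG_GET_RESPONSE = `HTTP/1.1 200 OK
Server: Apache
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Content-Length: 42
Content-Type: image/gif`;

// Parse "HTTP/1.1 200 OK" plus header lines into a status code and a lower-cased header map.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  const status = /^HTTP\/\d(?:\.\d)?\s+(\d{3})/.exec(lines[0] || "");
  const headers = {};
  for (const line of lines.slice(1)) {
    const sep = line.indexOf(":");
    if (sep < 0) continue;
    const name = line.slice(0, sep).trim().toLowerCase();
    const value = line.slice(sep + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { status: status ? Number(status[1]) : null, headers };
}

// endpoint: "tracker" (the owa.tracker-*.js script) or "log" (log.php);
// method: the HTTP method the response answers.
function assessOwaResponse(raw, { endpoint = "tracker", method = "GET" } = {}) {
  const { status, headers } = parseResponseHead(raw);
  const findings = [];
  const poweredBy = headers["x-powered-by"] || "";
  const cookie = headers["set-cookie"] || "";
  const contentType = headers["content-type"] || "";

  // Real OWA is PHP; an Express banner means a Node.js application is answering.
  if (/express/i.test(poweredBy)) findings.push(`X-Powered-By: ${poweredBy} (OWA is PHP-based)`);
  // OWA does not set a cookie when serving the tracker script.
  if (endpoint === "tracker" && cookie) {
    findings.push(`tracker script sets cookie "${cookie.split("=")[0]}" (OWA sets none)`);
  }
  // A GET to log.php on real OWA returns the 1px tracking GIF.
  if (endpoint === "log" && method === "GET" && status === 200 && !/^image\/gif/i.test(contentType)) {
    findings.push(`log.php GET returned "${contentType || "no Content-Type"}" instead of image/gif`);
  }
  // A POST to log.php on real OWA answers with a 302 redirect.
  if (endpoint === "log" && method === "POST" && status !== 302) {
    findings.push(`log.php POST returned ${status} instead of a 302 redirect`);
  }
  return { status, verdict: findings.length ? "suspicious" : "consistent-with-owa", findings };
}

// Run the four sample responses plus the two POST probes from the thread.
function runSamples() {
  return {
    fakeTracker: assessOwaResponse(FAKE_TRACKER_RESPONSE),
    realTracker: assessOwaResponse(REAL_TRACKER_RESPONSE),
    fakeLogGet: assessOwaResponse(FAKE_LOG_GET_RESPONSE, { endpoint: "log" }),
    realLogGet: assessOwaResponse(REAL_LOG_GET_RESPONSE, { endpoint: "log" }),
    fakeLogPost: assessOwaResponse("HTTP/1.1 200 OK", { endpoint: "log", method: "POST" }),
    realLogPost: assessOwaResponse("HTTP/1.1 302 Found", { endpoint: "log", method: "POST" }),
  };
}

console.log(JSON.stringify(runSamples(), null, 2));
```
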
reinux commented 3 years ago

Extension shops and package managers really ought to consider the option of installing from a source repo or checking the compiled/minified checksum against something generated by AppVeyor or similar whenever that's an option.

nmichaud commented 3 years ago

Also google should stop automatic updates of extensions.

On Wed, Jan 6, 2021, 10:33 AM reinux notifications@github.com wrote:

Extension shops and package managers really ought to consider the option of installing from a source repo or checking the compiled/minified checksum against something generated by AppVeyor or similar whenever that's an option.


gideontong commented 3 years ago

Also google should stop automatic updates of extensions.

I think in general, automatic updates are good, but there should be a method of disabling updates for a specific extension.

SoftWyer commented 3 years ago

Saw this on The Register site. Thanks for helping raise awareness.

christhomas commented 3 years ago

Isn't this GPL/LGPL licenced software? Why doesn't some interested person clone this repository and create a new extension called "The Awesome Suspender" and relaunch it and we could maybe gain some of that trust back. Maybe some rebranding might be necessary because of copyrights. But it's not like there is a shortage of open source designers who might create a new logo for free.

Isn't that the best idea? Instead of constantly being scared that this developer will pull another malicious stunt. Of course you'd have to then put your trust in another possibly unknown third party entity that you also don't know. But perhaps if that new person/company is communicative and makes the right steps forward, trust can be gained back.

You already have zero trust right now, so even if I clone the repo, you can at least look at my work online, see my history in google etc, email me and probably I'd reply to you. Etc. etc. 1% trust is greater than 0%, right?

Poopooracoocoo commented 3 years ago

@christhomas unfortunately google has declined a few people's submissions as it's "too similar". not including malware is a massive difference tho if you ask me

sheepdestroyer commented 3 years ago

@christhomas And even if posting a clean fork to Google Web Store was allowed by Google, that would not be of much help to the million+ current users unaware of the situation and still blindly trusting the old extension

Willt125 commented 3 years ago

In an ideal dream world, there'd be a way to link an extension/app/gadget to its associated repo, and it's really hard to unlink them. Once linked, the ONLY way to push a release is through the repo. . . Not sure how practical that would be, but it's a thought.

S10MC2015 commented 3 years ago

In an ideal dream world, there'd be a way to link an extension/app/gadget to its associated repo, and it's really hard to unlink them. Once linked, the ONLY way to push a release is through the repo. . . Not sure how practical that would be, but it's a thought.

this would be easily possible but the problem is: 1) Not all extensions want to be OS 2) You can send a release with code not built from the repo

Willt125 commented 3 years ago

this would be easily possible but the problem is: 1) Not all extensions want to be OS 2) You can send a release with code not built from the repo

😔 Yeah, it definitely wasn't a fleshed out thought, but it at the very least makes it harder to slip them past other maintainers

joepie91 commented 3 years ago

Isn't this GPL/LGPL licenced software?

That's... a good point, actually. This extension includes code from external contributors, which means that the original author cannot have transferred the full copyright to the buyer of the extension.

Which means that the mysterious buyer is violating the license, and therefore its copyright. Which means that any of the contributors could sue the buyer, whether their identity is known or not.

christhomas commented 3 years ago

That’s not a license violation unless the L/GPL was violated. If you contribute code or include other LGPL code then it’s fine.

So it depends on the circumstances. Do you know any specifics? On 7. Jan 2021, 15:10 +0100, Sven Slootweg notifications@github.com, wrote:

Isn't this GPL/LGPL licenced software? That's... a good point, actually. This extension includes code from external contributors, which means that the original author cannot have transferred the full copyright to the buyer of the extension. Which means that the mysterious buyer is violating the license, and therefore its copyright. Which means that any of the contributors could sue the buyer, whether their identity is known or not.

nmichaud commented 3 years ago

I think the violation is releasing a new version of TGS with additional code (the tracking code) but not providing that code as required under the GPL license.

On Thu, Jan 7, 2021 at 9:31 AM Christopher Thomas notifications@github.com wrote:

That’s not a license violation unless the L/GPL was violated. If you contribute code or include other LGPL code then it’s fine.

So it depends on the circumstances. Do you know any specifics? On 7. Jan 2021, 15:10 +0100, Sven Slootweg notifications@github.com, wrote:

Isn't this GPL/LGPL licenced software? That's... a good point, actually. This extension includes code from external contributors, which means that the original author cannot have transferred the full copyright to the buyer of the extension. Which means that the mysterious buyer is violating the license, and therefore its copyright. Which means that any of the contributors could sue the buyer, whether their identity is known or not.


--

Naveen Michaud-Agrawal

reinux commented 3 years ago

Google is apparently releasing a new Manifest v3 extension API that'll kill WebRequest. Anyone know what the effect of this will be on TGS or the tracker it calls?

I'm wondering if maybe this is why they aren't bothering to remove TGS from the store, or if they genuinely just don't care -- even though it still doesn't excuse the fact that they aren't immediately taking action on something this dangerous and widespread.

briantully commented 3 years ago

Thanks for this detailed summary, everyone! Quick question that I'm hoping someone might be able to help resolve. I'm currently working on a project that forced me to have dozens of tabs open in chrome (so many moving parts). However now that Chrome has blocked The Great Suspender, all of my suspended tabs are broken since the extension is no longer enabled. I've downloaded the source code from this repo and loaded the extension unpacked (tag 7.1.6), however the tabs that were suspended are still broken due to the chrome extension namespace being different. I see there is an option to load sessions from within TGS's UI, but I don't know where or if TGS stores those sessions so that I can restore the suspended tabs with the unpacked extension. Does anyone know if this is even possible or am I SOL?

nmichaud commented 3 years ago

Chrome has now blocked "The Great Suspender"?

sbusch commented 3 years ago

I can still search for TGS in (German) chrome web store, and add it ("Hinzufügen"):

[screenshot of the Chrome Web Store listing]

cverond commented 3 years ago

Thanks for this detailed summary, everyone! Quick question that I'm hoping someone might be able to help resolve. I'm currently working on a project that forced me to have dozens of tabs open in chrome (so many moving parts). However now that Chrome has blocked The Great Suspender, all of my suspended tabs are broken since the extension is no longer enabled. I've downloaded the source code from this repo and loaded the extension unpacked (tag 7.1.6), however the tabs that were suspended are still broken due to the chrome extension namespace being different. I see there is an option to load sessions from within TGS's UI, but I don't know where or if TGS stores those sessions so that I can restore the suspended tabs with the unpacked extension. Does anyone know if this is even possible or am I SOL?

With Google having blocked TGS, the only way I can see is to extract the original URL from the TGS URL in every page (query parameter 'url', if I'm not wrong).

I was lucky to replace it this morning with a local version, all I had to do was to resume every tab with the original TGS, turn original TGS off in extensions and enable the local TGS version.

briantully commented 3 years ago

With Google having blocked TGS, the only way I can see is to extract the original URL from the TGS URL in every page (query parameter 'url', if I'm not wrong).

Oh wow, how did I not see that in the address bar! Thank you so much, @cverond -- you're a lifesaver! 🍺 🍺 🍺

reinux commented 3 years ago

I kind of want to point out that you can probably use a plugin like URL Rewriter to do it semi-automatically if you have hundreds of tabs like I do, but that's another extension, so...

nfultz commented 3 years ago

With Google having blocked TGS, the only way I can see is to extract the original URL from the TGS URL in every page (query parameter 'url', if I'm not wrong).

If you have a lot of tabs, here's the code I wrote to make my tab manager compatible with TGS:

https://github.com/njnmco/odinochka/blob/65d7d9775c143a0c7086b8b751fbf8e9a6bd67a2/background.js#L77-L83

You can either use the snippet directly via the console, or load the extension, save all the tabs to it, and reopen all the tabs.

joepie91 commented 3 years ago

I think the violation is releasing a new version of TGS with additional code (the tracking code) but not providing that code as required under the GPL license.

Indeed, that is what I am referring to.

S10MC2015 commented 3 years ago

With Google having blocked TGS, the only way I can see is to extract the original URL from the TGS URL in every page (query parameter 'url', if I'm not wrong).

If you have a lot of tabs, here's the code I wrote to make my tab manager compatible with TGS:

https://github.com/njnmco/odinochka/blob/65d7d9775c143a0c7086b8b751fbf8e9a6bd67a2/background.js#L77-L83

You can either use the snippet directly via the console, or load the extension, save all the tabs to it, and reopen all the tabs.

Hey, if it is ok, can I make a mini extension out of your code and publish it as something like Great Unsuspender (if I manage to figure out how chrome extensions and js works)?

// Recover the original URL from a TGS suspended-page URL (run in the suspended tab's console).
function cleanTabData() {
    let unsuspendurl = null; // declared locally; returns null when this is not a suspended page
    if (document.URL.startsWith("chrome-extension") &&
        document.URL.indexOf("/suspended.html#") > -1) {
        // The original URL follows the last "&uri=" in the hash fragment.
        unsuspendurl = document.URL.substr(document.URL.lastIndexOf("&uri=") + 5);
    }
    return unsuspendurl;
}
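The snippets above all do the same thing: pull the original address back out of the suspended page's URL. As an added example, not code from TGS or from anyone in this thread, here is a version that is general over the extension id (so it works for tabs suspended by the store build or by an unpacked copy), handles a `uri` that itself contains `&` or `#`, and refuses anything that is not an http(s) URL so a crafted suspended URL cannot reopen a `javascript:` or `data:` page. It assumes the TGS suspended-page format `chrome-extension://<id>/suspended.html#ttl=<title>&pos=<scroll>&uri=<original url>` with `uri` as the last parameter; the sample URLs are constructed for the demo.

```javascript
// Added example; not part of The Great Suspender or any commenter's code.
// Assumed format (TGS): chrome-extension://<id>/suspended.html#ttl=...&pos=...&uri=<original url>
// `uri` is assumed to be the last hash parameter, so everything after it is the original URL.

const SUSPENDED_PATH = "/suspended.html";
const URI_MARKER = "uri=";

// Return the original URL encoded in a suspended-page URL, or null if `tabUrl`
// is not a suspended page (any extension id is accepted).
function recoverOriginalUrl(tabUrl) {
  if (typeof tabUrl !== "string" || !tabUrl.startsWith("chrome-extension://")) {
    return null;
  }
  const hashIdx = tabUrl.indexOf("#");
  if (hashIdx < 0) return null;

  // "<id>/suspended.html" sits between the scheme and the fragment.
  const path = tabUrl.slice("chrome-extension://".length, hashIdx);
  if (!path.endsWith(SUSPENDED_PATH)) return null;

  // Locate the first "uri=" that starts a parameter (start of fragment or after '&').
  // Using the first occurrence avoids being confused by "&uri=" inside the original URL.
  const fragment = tabUrl.slice(hashIdx + 1);
  let start = -1;
  if (fragment.startsWith(URI_MARKER)) {
    start = 0;
  } else {
    const m = fragment.indexOf("&" + URI_MARKER);
    if (m >= 0) start = m + 1;
  }
  if (start < 0) return null;

  const original = fragment.slice(start + URI_MARKER.length);
  // Only accept http(s); refuse javascript:, data:, file: and friends so that
  // reopening a list of recovered tabs cannot be turned into script execution.
  if (!/^https?:\/\//i.test(original)) return null;
  return original;
}

// Bulk version: given the URLs of all open tabs, return [{suspended, original}]
// for the suspended ones, in tab order, so they can be reopened in place.
function recoverAll(tabUrls) {
  const out = [];
  for (const u of tabUrls) {
    const original = recoverOriginalUrl(u);
    if (original !== null) out.push({ suspended: u, original });
  }
  return out;
}

// Constructed sample input (not real tabs); the id is the TGS store id.
const SAMPLE_TABS = [
  "chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/suspended.html#ttl=Docs&pos=120&uri=https://example.com/a?x=1&y=2#frag",
  "https://example.org/not-suspended",
  "chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/suspended.html#ttl=Bad&pos=0&uri=javascript:alert(1)",
];
```

On a single suspended tab, `recoverOriginalUrl(document.URL)` in the console gives the address to paste back; for the whole window, feed `recoverAll` the list of tab URLs (for instance from `chrome.tabs.query` inside a throwaway unpacked extension) and open the `original` values.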
nfultz commented 3 years ago

Hey, if it is ok, can I make a mini extension out of your code and publish it as something like Great Unsuspender (if I manage to figure out how chrome extensions and js works)?

Sure, feel free. You can email me if you have any questions.

whereisaaron commented 3 years ago

To raise attention with Google, when you remove the extension, also 'Report Abuse', select 'harmful to computer/data' and in the comments reference this issue, the Register article, and/or the Lifehacker article. A few hundred reports should count as a signal to get a human to look at it.


calumapplepie commented 3 years ago

Okay, so I made a bunch of updates to the top post, to reflect the Latest News (tm), and to help onboard people new to the issue better.

nfultz commented 3 years ago

@TheMageKing The new update looks good; however, I would not recommend OneTab to people or link to it. Although it didn't execute remote code, it does have some similar (and worse) tracking / privacy issues - I mentioned this on the other GH issue.

S10MC2015 commented 3 years ago

I would also not recommended onetab for the fact that you can randomly lose all of your tabs with no way to recover.

PxSonny commented 3 years ago

So by precaution I am stopping to use the extension deployed on Chrome Store. But what about building the extension by myself and installing myself. Did anyone audit the current source code? Good or no good?

ossilator commented 3 years ago

i didn't do a full audit, but looked at the git commits since the owner transfer, and i didn't see anything fishy in there.

mind my comment if you want to switch while having suspended tabs (use session buddy or some such to carry over that session).

RachelScodes commented 3 years ago

Apparently it is already removed/deactivated for some users on chrome (possibly by region?), but the best way to let new people know is by seeing/leaving a review.

BUT the only way to get these negative reviews actually seen is to rate them helpful. If you have time, go to the reviews tab, sort by recent, and mark the reviews helpful if they point out it's malware: https://chrome.google.com/webstore/detail/the-great-suspender/klbibkeccnjlkjkiokjodocebajanakg

Hopefully this prevents new people from installing the extension if it hasn't been blocked yet in their region.

thibaudcolas commented 3 years ago

While we’re at it, here is a list of related malicious extensions I’ve been putting together, in case people here are using them / want to report more:

All of these have their own tracking domain set up, all serving the same fake owa.tracker-combined-latest.minified.js as described in https://github.com/greatsuspender/thegreatsuspender/issues/1263#issuecomment-754683847.

I don’t think there is a way to batch-search the source of many extensions unfortunately, aside from Google doing it themselves. If they do I’m sure they should have no problem finding even more. The list above are only the ones I’ve confirmed to contain the same malicious code in their latest version as of today. All in all so far I found 12 extensions that seem to be maintained by this same group.

If you’re wondering how they work, someone on reddit described the type of malware/adware they got with the Ratings Preview extension. This description matches the findings from @joepie91 https://github.com/greatsuspender/thegreatsuspender/issues/1263#issuecomment-754683847 on another (now unpublished) extension that appears to have been built by the new maintainers of TGS.

nfultz commented 3 years ago

@thibaudcolas That's fantastic, thank you for sharing that. I did a writeup for the UAS compromise but I think it was a different group.

Like I wrote in my doc, more of this could get detected earlier and easier if Google allowed peer review for extensions rather than keeping it in house, where submissions often sit in the review queue for weeks. You've clearly put more effort into figuring out what the extensions actually do than they have.

minig0d commented 3 years ago

Not sure if anything changed but still comes up for me in the web store (including in incognito tab just searching by name). Possibly reinstated with the version update?
https://chrome.google.com/webstore/detail/the-great-suspender/klbibkeccnjlkjkiokjodocebajanakg

Honestly, I look at the code of all extensions before I install them now, and so many of them have tracking code it's ridiculous. And I'm not talking about just small amounts: for many of them, the amount of tracking code exceeds the actual functionality of the extension's code.

While it won't be a permanent replacement for TGS, Chrome's new Tabs Groups Collapse Freezing seems like a pretty interesting substitute (warning still experimental and not stable for daily use yet: chrome://flags/#tab-groups-collapse-freezing)

aciidic commented 3 years ago

For what it's worth, I've been running the notrack version of this plugin that I published without any reported issues since its release - on a corporate network.

Github API shows over 600 downloads so I am happy to have provided, to those who could not do without this plugin, a no-nonsense version that is without tracking or "anonymous" statistical data collection.

Also worth noting that I included instructions, on my readme, on how to automatically install the plugin to your Windows clients via group policy.

minig0d commented 3 years ago

For what it's worth, I've been running the notrack version of this plugin that I published without any reported issues since its release - on a corporate network.

Github API shows over 600 downloads so I am happy to have provided, to those who could not do without this plugin, a no-nonsense version that is without tracking or "anonymous" statistical data collection.

I definitely applaud the effort! Unfortunately, I think the vast majority won't switch over unless it's in the chrome store

I skimmed the code for the latest version and it does look like it was reverted to Google Analytics... and the analytics do appear to be correctly disabled when you check the box in preferences... My only qualm with it is that once this kind of thing happens its hard to trust them ever again...

But honestly, have you tried chrome lately without this ext? I've been running it the past few days and the built in memory management is MUCH better than it used to be. With TGS, suspended tabs seem to use about 30MB ram (without screenshots enabled)... unsuspended now in chrome they are hovering at 45MB... not great and not as good as Chromium Edge... but better than I've ever seen Chrome.

skoshy commented 3 years ago

I appreciate the notrack version, but I need something easy-to-install from the Chrome Webstore as well for friends/family. Could this version be viable?

https://github.com/gioxx/MarvellousSuspender https://chrome.google.com/webstore/detail/the-marvellous-suspender/noogafoofpebimajpfpamcfhoaifemoa

S10MC2015 commented 3 years ago

For what it's worth, I've been running the notrack version of this plugin that I published without any reported issues since its release - on a corporate network.

Github API shows over 600 downloads so I am happy to have provided, to those who could not do without this plugin, a no-nonsense version that is without tracking or "anonymous" statistical data collection.

I appreciate the notrack version, but I need something easy-to-install from the Chrome Webstore as well for friends/family. Could this version be viable?

https://github.com/gioxx/MarvellousSuspender https://chrome.google.com/webstore/detail/the-marvellous-suspender/noogafoofpebimajpfpamcfhoaifemoa

@aciidic considering marvelous managed to get through you may be able to publish by calling your thing something like "notrack suspender"

minig0d commented 3 years ago

I appreciate the notrack version, but I need something easy-to-install from the Chrome Webstore as well for friends/family. Could this version be viable?

https://github.com/gioxx/MarvellousSuspender https://chrome.google.com/webstore/detail/the-marvellous-suspender/noogafoofpebimajpfpamcfhoaifemoa

I'm really surprised they allowed it... would have to diff the extension with the original to confirm if anything has been altered but it may be. I guess the question is whether the fork and republication is permitted under the licensure terms, or if the author is just planning on reporting it and it being taken back down.

Side rant: I wish Google permitted third party repositories (aside from GPO)... As much stuff as I've found validating published extensions, the chrome store can't be much better than nothing...

IMO I will either 1) probably just pack my own .crx with known good code and sideload it for a handful of family... (i.e. no chrome store url in the manifest so it can't auto update) OR 2) setup a site monitor on the webstore page to get notified if the new publisher decides to update the extension in the future so the code can be reviewed...

Side question: has there been any indication that the new owner actually intends to ever update this? Or was it just one of those attempts to acquire a bunch of users for another reason? I suspect chrome's internal memory handling will continue to be much better given the latest changes and so hopefully one of these routes holds us over until then...

minig0d commented 3 years ago

FWIW I snatched the crx (compiled extension) off the chrome webstore and it does appear to be identical to what you see on github (in the top 2 screenshots the left is the zip from github, right is the extracted crx).

I have NOT done a thorough review of the code, but the third screenshot is a diff of gsAnalytics.js, with The Marvellous ext on the left and 7.1.9 of TGS (the version currently on the chrome store) on the right... you can see where TGS does implement an opt out. (The GA token doesn't appear to have been changed, so whoever forked it doesn't seem to have done this intentionally; it was just forked from a version prior to the opt out. Again, I have NOT done a thorough review, and the analytics may be neutered in a different part of the script. That the script was included in the package is all I can say about the fork.)

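minig0d's check above, comparing the store's .crx against the GitHub tag, is the right way to decide whether a published build matches the source, and anyone who sideloads a known-good copy for family will want to repeat it whenever the store version changes. As an added example, not code from TGS or from anyone in this thread, the first step of that check: a .crx is the extension zip preceded by a small container header (magic `Cr24`, a little-endian version, then for CRX2 a length-prefixed public key and signature, for CRX3 a length-prefixed protobuf header), which has to be stripped before `unzip` and `diff -r` can be used. The sample buffers are constructed inline and are not real extensions; the function only locates the zip and does not verify the CRX signature.

```javascript
// Added example; not part of The Great Suspender or any commenter's code.
// CRX2 layout: "Cr24" | version=2 | pubKeyLen | sigLen | pubKey | sig | zip
// CRX3 layout: "Cr24" | version=3 | headerLen | header(protobuf) | zip
// All integers are 32-bit little-endian. Signature verification is NOT done here.

const CRX_MAGIC = "Cr24";
const ZIP_LOCAL_HEADER = "PK\x03\x04";

// Return { version, zipOffset } for a CRX2/CRX3 buffer; throw if it is not a CRX
// or the payload after the header does not look like a zip.
function parseCrxHeader(buf) {
  if (buf.length < 16 || buf.toString("latin1", 0, 4) !== CRX_MAGIC) {
    throw new Error("not a CRX file (bad magic or too short)");
  }
  const version = buf.readUInt32LE(4);
  let zipOffset;
  if (version === 2) {
    const pubKeyLen = buf.readUInt32LE(8);
    const sigLen = buf.readUInt32LE(12);
    zipOffset = 16 + pubKeyLen + sigLen;
  } else if (version === 3) {
    const headerLen = buf.readUInt32LE(8);
    zipOffset = 12 + headerLen;
  } else {
    throw new Error(`unsupported CRX version ${version}`);
  }
  if (zipOffset + 4 > buf.length) throw new Error("truncated CRX header");
  // The embedded archive must begin with a zip local-file-header signature.
  if (buf.toString("latin1", zipOffset, zipOffset + 4) !== ZIP_LOCAL_HEADER) {
    throw new Error("payload after CRX header is not a zip");
  }
  return { version, zipOffset };
}

// Strip the container header and return just the zip bytes.
function crxToZip(buf) {
  return buf.subarray(parseCrxHeader(buf).zipOffset);
}

// Convenience for real files: node -e 'require("./crx2zip").convertFile("a.crx","a.zip")'
function convertFile(inPath, outPath) {
  const fs = require("fs");
  fs.writeFileSync(outPath, crxToZip(fs.readFileSync(inPath)));
  return outPath;
}

// --- Constructed sample inputs (not real extensions) ---
function u32le(n) {
  const b = Buffer.alloc(4);
  b.writeUInt32LE(n, 0);
  return b;
}
const ZIP_STUB = Buffer.from(ZIP_LOCAL_HEADER + "stub", "latin1"); // stands in for the real zip

function constructedCrx3() {
  const header = Buffer.from([1, 2, 3, 4, 5]); // stands in for the CrxFileHeader protobuf
  return Buffer.concat([Buffer.from(CRX_MAGIC, "latin1"), u32le(3), u32le(header.length), header, ZIP_STUB]);
}

function constructedCrx2() {
  const pubKey = Buffer.from([9, 9, 9]);
  const sig = Buffer.from([7, 7]);
  return Buffer.concat([
    Buffer.from(CRX_MAGIC, "latin1"), u32le(2), u32le(pubKey.length), u32le(sig.length), pubKey, sig, ZIP_STUB,
  ]);
}
```

After converting, `unzip -d store tgs.zip` and `diff -r store <unpacked copy of the tagged release>`; any file present only in the store build (or any change in a file such as gsAnalytics.js) is exactly what minig0d's screenshots were looking for. Chrome's own copy of an installed extension is already unpacked under the profile's Extensions directory, so the same diff works there without touching the .crx.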