Open calumapplepie opened 4 years ago
Side rant: I wish Google permitted third party repositories (aside from GPO)... As much stuff as I've found validating published extensions, the chrome store can't be much better than nothing...
The Chrome Extension Store is chronically under-staffed and can often take several weeks to get a review. After they turn off payment processing at the end of the month, basically admitting they will never make money on it, I hope they open it up to community peer review instead. And to be fair, addons.mozilla.org is not really any better.
For anyone looking for an alternative (and who isn't completely anti Microsoft), MS Edge is actually Chromium based, and has this feature built in. It's called "sleeping tabs", and is available in Edge 88 (currently beta channel I believe). You can also now install all your other favorite extensions because they allow installing from the Chrome Web Store.
RE: https://github.com/greatsuspender/thegreatsuspender/issues/1263#issuecomment-766141562 some more details on 'tab sleeping'/'tab freezing':
Sleeping tabs builds upon the core of Chromium’s “freezing” technology. Freezing pauses a tab’s script timers to minimize resource usage. A sleeping tab resumes automatically when clicked, which is different than discarded tabs, which require the page to fully be reloaded.
Microsoft built upon the freezing technology to create sleeping tabs. This feature allows inactive background tabs to “go to sleep,” releasing system resources after a set amount of time. These resources include both memory and CPU and can be used for new or existing tabs or other applications running on your device.
By default, Microsoft set tabs to go to sleep after two hours of inactivity. If two hours isn’t right for you, you can choose a different time interval. Tabs that are asleep will fade to let you know they’ve released resources. To resume a sleeping tab, click on it like a normal tab. The tab will un-fade and your content will be there immediately. You can also add sites you never want to sleep to a block list in Settings.
In Chrome, tab freezing works by unloading all tabs that have been inactive for more than five minutes. This frees up CPU and RAM system resources for other tabs or other locally-running apps.
Users will be able to see if a tab is asleep because the tab will be faded. In Edge, the default is for tabs to go to sleep after two hours of inactivity but users can set a different time and set sites they never want to go to sleep in edge://settings/system.
The feature is coming soon to the Canary and Dev Channels [87.0.649.0]. Before rolling it out to Stable channel, Microsoft is looking for feedback.
https://www.howtogeek.com/444481/how-chromes-tab-freezing-will-save-cpu-and-battery/
Google is working on a new “Tab Freeze” feature for Chrome, which will pause (freeze) tabs you’re not using. That means lower CPU usage, a faster browser, and longer battery life on a laptop or convertible.
Tab freezing is different from tab discarding. When a tab is frozen, its contents stay in your system’s memory. However, the tab’s contents will be “frozen.” The web page in the tab won’t be able to use CPU or perform actions in the background. For example, let’s say you have a heavy web page open in a tab somewhere, and it’s continually running scripts. After a while, Chrome will automatically “freeze” it and stop it from performing actions until you interact with it again.
Tab Freezing is an experimental feature. It’s built into current stable versions of Chrome 77, but can only be initiated manually. In Chrome Canary builds of the upcoming Chrome 79, Chrome will be able to automatically freeze tabs just like it can automatically discard them.
In Chrome Canary, several options are available for tab freezing if you head to chrome://flags and search for “Tab Freeze.” With this option enabled, Chrome will automatically freeze “eligible” tabs after they’ve been in the background for five minutes. Depending on which option you choose, Chrome can either leave them frozen or unfreeze them for ten seconds every fifteen minutes—just enough time to sync with a server or get a bit of work done if they need it. Google is clearly testing which option is best.
The current stable version of Chrome lets you play with both features if you want to know how they work. Just type chrome://discards in Chrome’s Omnibox and press Enter.
You’ll see a diagnostic page with a list of your open tabs and whether they can be frozen or discarded. On the right side of the page, you’ll see action links to “Freeze” and “Discard” each tab.
For everyone lazy, can anyone in the discussion tell in short - is the latest version of this extension NOW, at the time of writing, IS of any concern to security or privacy (please, don't say something like "there is no software without privacy issues nowadays") or IS NOT? Edge seems to keep it on their add-ons site just fine https://microsoftedge.microsoft.com/addons/detail/the-great-suspender/engadpfihlijamplpleppgjofcmemdfe
> For everyone lazy, can anyone in the discussion tell in short - is the latest version of this extension NOW, at the time of writing, IS of any concern to security or privacy (please, don't say something like "there is no software without privacy issues nowadays") or IS NOT? Edge seems to keep it on their add-ons site just fine https://microsoftedge.microsoft.com/addons/detail/the-great-suspender/engadpfihlijamplpleppgjofcmemdfe
1) you sound a bit annoyed there why? 2) If you are using edge, USE SLEEPING TABS AND NOT TGS. 3) If you are on any other browser, do not use TGS. They seem to have removed the malicious component but they can add it back anytime and it isn't safe. It really isn't safe. Find something else or just nothing.
Google is testing a native read-later button, which some may want to try out:
https://lifehacker.com/you-can-finally-save-articles-to-read-later-in-chrome-1846145758
> Google is testing a native read-later button, which some may want to try out:
> https://lifehacker.com/you-can-finally-save-articles-to-read-later-in-chrome-1846145758
That's still not more than a bookmark, very far from a tab.
While Chrome has great discarding and freezing and Edge builds upon that, neither have TGS's session management features or manual sleeping functionality. Vivaldi has similar manual tab sleeping functionality to TGS. Vivaldi also has sessions but I don't know how well it works. Unfortunately Vivaldi has many issues such as performance, and is missing some features present in Chrome. We discussed a few extensions for session management earlier. Session Buddy is the best non-TGS-based extension IMO.
FWIW, have been kind of digging into some of the memory issues I've been putting up with (that have really necessitated TGS) and they seem to boil down to one of two things, which are both compounded by ad blocking:
1) Websites that are excessive on third party resources (ex. when you're on a tech news site or food site and they have a few videos on the page...). This is especially true if you're like me and just use a lot of cosmetic rules and not as much dynamic network filtering. And because the elements are hidden, you don't even realize they are actually on that site. Being cognizant of that, it was easy to look in the chrome task manager and find all the tabs that had subframes (iframes) and add network blocking filters on them.
2) Sites that have poorly coded(?) service-workers/XHR requests, that basically "flip out" (bad memory leaks) when you block them from being able to phone home (haven't dug TOO far in, but from what I've seen) seems like a lot of the time, blocking the spying/logging blocks the cleanup functions that occur after the phone home occurs, so they just expand in size forever. Obviously it's a bit much to figure out on every site, but played around with injecting JS to nullify their logging functions and that has definitely tamed down memory usage on certain sites (like FB for example). A combination of blocking service workers altogether (which seem like on the vast majority of sites are just used for logging) + ensuring logging functions are killed has SIGNIFICANTLY cut my memory usage in chrome.
(Also if you use multiple profiles in chrome, enabling the "Destroy Profile on browser close" flag saves even more (and Tab Groups Collapse Freezing helps).)
Sorry I know the above is probably a bit much for typical end users to do anything with, but it may help some tinkerers...
After figuring those couple things out... memory usage is about cut in half, with
> While Chrome has great discarding and freezing and Edge builds upon that, neither have TGS's session management features or manual sleeping functionality. Vivaldi has similar manual tab sleeping functionality to TGS. Vivaldi also has sessions but I don't know how well it works.
Well. Vivaldi is the only modern browser that actually has tab sessions. TGS, Session Buddy and others all just have grouped bookmarks. URLs, not tabs.
The only real browser session manager otherwise is Session Manager for Firefox, which you can only use on old tech stacks with support for Firefox's ancestral addon system: Pale Moon or Waterfox. Last I tried Github didn't work nicely (which might or might not be fixable with a user agent override).
The UI for this in Vivaldi pales (no pun intended) in comparison to Session Manager, and you can't have auto-saving window sessions or other advanced setups (which might not always work on Firefox either), but it DOES persist all sorts of window-specific options:
"windowType":"normal","visibleUI":{"bookmarksBar":true,"addressBar":true,"panelToggle":false,"tabs":true,"statusBar":"on"
As well as site thumbnails, and the other features of real tab persistence: after you restore the session, back & forward history for the tab as well as scroll positions for the past and previous tabs are all there.
> Unfortunately Vivaldi has many issues such as performance, and is missing some features present in Chrome.
It also has features Chrome doesn't have, like being able to style the UI. I for example made discarded tabs present differently, in both of the available vertical tab implementations. ^ Greyed out being discarded, italics being not clicked yet or notification. As you can see there's also grouped/stacked tabs (instead of full tab trees); I don't like the UI for those.
I'm not sure how atrocious performance is these days (I believe I mostly had issues with responsivity in the past, and haven't used it much in a long time).
@Luckz Yeah I've had to change my workflow so that I open new tabs instead of continuing from the current tab. It's not that bad of change. I've been using windows and virtual desktops more since then too.
@Luckz I believe that Simple Tab Groups for Firefox also supports tab unloading (and it works on recent Firefox).
Maybe we can fork The Great Suspender and take its place in the Chrome Web Store. There had been cases in which a fork had practically replaced the original project that had become dysfunctional.
A similar name, something like "The private Great Suspender" can serve this purpose on the Chrome store.
@carpben that already exists and was linked above: https://chrome.google.com/webstore/detail/the-marvellous-suspender/noogafoofpebimajpfpamcfhoaifemoa
I just got a notice saying that The Great Suspender has malware by Google Chrome itself.
I am going to use The Marvellous Suspender from the Chrome Web Store and see if that fork is safe.
Same for me, I got a malware notification for the great suspender, what is going on?
Here goes another round...
It's a shame, but I guess also a good reminder that just because something claims it's using the Open Source code doesn't mean that the binary will be based on that.
Same here. I'm going to install a new alternative. What do you recommend, guys? The Marvellous Suspender?
The Great Suspender was removed from the Chrome Web Store
Chrome extensions page now 404s:
https://chrome.google.com/webstore/detail/the-great-suspender/klbibkeccnjlkjkiokjodocebajanakg?hl=en
@TheCleric how is it better? It has some unrelated site as a source and 0 reviews. It could contain even more malicious code for all we know.
It's going to suck to unsuspend all the tabs now, though.
I got a malware notification so I jumped straight in here. Any suggestions for a better alternative and the same experience?
I've tried a bunch of alternatives. The Marvellous Suspender is still the only thing that solves my needs.
On Thu, Feb 4, 2021 at 10:07 AM crisflashin notifications@github.com wrote:
> Same here. Going to install a new alternative. What do you recommend, guys? The Marvellous Suspender?
Any alternatives people?
Gonna start using The Marvellous Suspender (source) until and unless this whole thing is settled.
Took Google too long to flag this as Malware.
How do I recover all of my suspended tabs?
I need some help. The extension was forced off by Chrome and I lost all of my tabs. I'm perfectly okay with removing the extension but I want to enable the extension long enough to unsuspend my tabs. How can I recover them? I am at a total loss here.
rip
KUDOS to all those in the community who were alert to the suspicious actions by the new owner! And who reported it here (@TheMageKing and others). 👏 Hopefully we can return this repository to the community, or move this great community to a different repository.
@Maximus-42 Had the same issue. Go to your history and the suspended tabs should be there. They wouldn't load, but from the URL you can figure out what the suspended tabs were about.
Those who use The Marvellous Suspender, please let us know how your experience goes with it.
@alkalox Where in my history? I don't see suspended tabs there. They have shown up before, just not now
oof.. I actually don't know what tabs I had suspended now :(
I have started using The Marvellous Suspender, the experience is good for me as of now. can give a try.
Is this as serious as Nano Adblocker and Defender? A bit worried that this could've happened again.
I lost my suspended tabs too. The original post says that the urls can be "extracted from the extension query's". Anyone know how to do that?
@Maximus-42 @ajunkins the actual URL of the site is in the suspended URL, just go to the very end, it's after uri=, copy it out
I just pressed back on my suspended tabs, it worked ok.
looks like everyone just got the notification from chrome
yep, pretty everyone
> @Maximus-42 @ajunkins the actual URL of the site is in the suspended URL, just go to the very end it's after uri=, copy it out
Can confirm this works.
> @Maximus-42 @ajunkins the actual URL of the site is in the suspended URL, just go to the very end it's after uri=, copy it out
But where do I find the suspended URLs? All of my suspended tabs got closed and they are not in "recently closed".
@Maximus-42 You might have to scroll down to find it. The URL for suspended tabs should be something like chrome-extension://, as another comment said, the website URL of the suspended tab is after uri=
> @Maximus-42 @ajunkins the actual URL of the site is in the suspended URL, just go to the very end, it's after uri=, copy it out
The tabs disappear the minute you remove the extension. Is there a way to get them back
@diomidov Mine seemed to be in yesterday's history, a few scrolls down.
How do we extract all previously saved links (not open ones)?
Updated top post, please see #526 for URL recovery help
You can recover the tabs by navigating to your history (chrome://history) and searching for the extension prefix URLs: "chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/suspended.html"
chrome://history/?q=chrome-extension%3A//klbibkeccnjlkjkiokjodocebajanakg/suspended.html
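An added example (not from the thread or from the extension's code) of the recovery described above: it takes everything after the first "uri=" parameter of each suspended-tab URL, because the original address sits at the end and may itself contain "&", and it only accepts http(s) results so a recovered value is not opened blindly. The "ttl=" and "pos=" parameters, the assumption that the address is stored unencoded, and every sample history line are constructed; only the extension prefix and "uri=" come from the thread.

```javascript
// Prefix taken from the thread; everything else below is constructed.
const TGS_PREFIX =
  'chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/suspended.html';
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the original page URL, or null if the line is not a usable
// suspended-tab URL.
function recoverUrl(suspended) {
  const s = String(suspended).trim();
  if (!s.startsWith(TGS_PREFIX)) return null;
  // Leftmost "uri=" that starts a parameter; capture to the end of the line,
  // because the stored address is assumed unencoded and can contain "&".
  const m = s.slice(TGS_PREFIX.length).match(/[#?&]uri=(.*)$/);
  if (!m) return null;
  try {
    // Reject javascript:, data:, file: and anything else unexpected.
    return ALLOWED_SCHEMES.has(new URL(m[1]).protocol) ? m[1] : null;
  } catch (e) {
    return null; // empty or unparseable value
  }
}

// What a generic query-string parser returns: it splits on every "&" and
// silently truncates the recovered address.
function naiveRecover(suspended) {
  const s = String(suspended).trim();
  return new URLSearchParams(s.slice(s.indexOf('#') + 1)).get('uri');
}

// Processes many history lines: ignores unrelated entries, de-duplicates,
// and reports suspended entries that could not be recovered safely.
function recoverAll(lines) {
  const urls = [];
  const rejected = [];
  const seen = new Set();
  for (const line of lines) {
    const s = String(line).trim();
    if (!s.startsWith(TGS_PREFIX)) continue;
    const url = recoverUrl(s);
    if (url === null) rejected.push(s);
    else if (!seen.has(url)) {
      seen.add(url);
      urls.push(url);
    }
  }
  return { urls, rejected };
}

// Constructed sample of lines copied out of chrome://history.
const SAMPLE_HISTORY = [
  TGS_PREFIX + '#ttl=Example%20Search&pos=120&uri=https://example.com/search?q=tabs&page=2',
  TGS_PREFIX + '#ttl=Example%20Search&pos=120&uri=https://example.com/search?q=tabs&page=2',
  'https://example.org/not-suspended',
  TGS_PREFIX + '#ttl=Constructed&pos=0&uri=javascript:void(0)',
  TGS_PREFIX + '#ttl=Redirect&pos=0&uri=https://example.net/redirect?uri=https://example.com/a&b=1',
];

const recovered = recoverAll(SAMPLE_HISTORY);
console.log(recovered.urls.join('\n'));
console.log('rejected:', recovered.rejected.length);
```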
Also got the notification this was malware and removed from chrome, store page is 404, found some posts on reddit and articles, one linked to this conversation.
Marvellous Suspender seems like a fork from great suspender without tracking, I'll wait a few days before adding it though, but it's probably fine:
https://github.com/gioxx/MarvellousSuspender
(has 20 stars at time of writing on github, we'll see how fast that shoots up by tomorrow lol)
TLDR: The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more. In v7.1.8 of the extension (published to the web store but NOT to GitHub), arbitrary code was executed from a remote server, which appeared to be used to commit a variety of tracking and fraud actions. After Microsoft removed it from Edge for malware, v7.1.9 was created without this code: that has been the code distributed by the web store since November, and it does not appear to load the compromised script. However, the malicious maintainer remains in control and can introduce an update at any time. It further appears that, while v7.1.9 was what was listed on the store, those who had the hostile v7.1.8 installed did NOT automatically receive the malware-removing update, and continued running the hostile code until Google force-disabled the extension.
The Great Suspender has been removed from the Chrome Web Store. To recover your tabs, see issue #526, or continue reading. The code in the Github repository is currently safe, and the most recent tagged release happened before the transfer of ownership. To use that version, and avoid needing to finagle URLs, enable Chrome developer mode, download and extract a copy of the code, then navigate to your extensions menu and select 'Load Unpacked Extension'.
Some others have had success simply pressing the "back" button on suspended tabs: everyone should note that the site's URL is included in the URL of the suspended page. For a pictorial guide on doing this, see this comment. Further, if you just want to reload lost tabs, you can use some form of File History on Chrome's user profile directory (while chrome is closed!), before restarting chrome and using the extension menu to unsuspend all tabs before your computer realizes the extension is banned again.
Because the malicious code loaded from a server by the extension in version 7.1.8 was heavily obfuscated, it is hard to say what may have been compromised. However, those who did manage to conduct a successful analysis of the code reported no password-stealing functionality in the copies that were archived. Indeed, it is highly unlikely that the extension would have been able to steal passwords. That being said, it is theoretically plausible: see my comment here. If you don't already, I highly recommend using a password manager like Bitwarden, to reduce the difficulty of changing your passwords, and to prevent a site that transmits and stores password information in an insecure way from causing the rest of your accounts to be compromised. Additionally, enabling two factor authentication wherever you can is a very easy and powerful way to make it virtually impossible for an attacker to get your data, even if they managed to retrieve passwords.
Full description of the issue:
@deanoemcke, the original developer, chose to step back from the extension in June 2020. As a replacement maintainer, he chose an unknown entity, who controls the single-purpose @greatsuspender Github account. Much was suspicious about this change, including mention of payment for an open-source extension, and complete lack of information on the new maintainer's identity. However, as the new maintainer did nothing for several months, it was believed that there was simply a failed transfer. In October 2020, the maintainer updated the Chrome store package. The update raised red flags for some users, because the changelog was not modified and there was no tag created in GitHub. On investigation, it appeared that the extension was now connecting to various third-party servers, and executing code from them.
This led a few users to panic; however, on closer investigation, it appeared that the third-party servers were part of an alternative to Google Analytics: and the changes shipped along with a new (though unexplained, #1260) tracking deactivation. It appears that deactivation works. We would later discover that this was wrong: see below.
The discussion continued, however, because the new update also requested additional permissions, including the ability to manipulate all web requests. That lets the extension do what it pleases, including inserting ads, blocking sites, forcible redirects.... This change was supposedly in order to enable new screenshot functionality, but that was unclear, and probably shouldn't be needed.
Furthermore, the web store extension has diverged from its Github source. A minor change in the manifest was now being shipped on the chrome web store, which was not included in Github. This is a major concern: though again, it has a possible innocent explanation. While some think it is illegal given the license on the code, this may not be a GPL violation. Because the minified script is not part of the extension, the license does not apply to it. Because of Web Store rules, the extension itself can be unpacked and inspected in full, human-readable form, likely satisfying the copyleft restrictions.
As a final red flag, no part of the web store posting has been updated to account for this. @deanoemcke remains listed as the maintainer, and the privacy policy makes no mention of the new tracking or maintainer. It has been several months since the transfer, but almost nothing reflects that change.
@deanoemcke did respond to the thread, after a significant delay. He confirmed much of what is above, including that the secret changes are limited to analytics and are disabled by the flag. However, he hasn't yet clarified what his relationship or basis of trust with the new maintainer is, nor has he explained why the initial post mentions a 'purchase'.
On November 6th, @lucasdf discovered a smoking gun that the new maintainer is malicious. Although OpenWebAnalytics is legitimate software, it does not provide the files executed by the extension. Those are hosted on the unrelated site owebanalytics.com, which turns out to be immensely suspicious. That site was created at the same time as the update, and is clearly designed to appear innocent, being hosted on a public webhost, and being given a seemingly innocent homepage from the CentOS project. However, the site contains no real information other than the tracking scripts, appears to have been purchased with BitCoin, and is only found in the context of this extension. Most importantly, the minified javascript differs significantly from that distributed by the OWA project.
@thibaudcolas has done a more detailed analysis than my quick look. He quickly located additional hardcoded values related to other, confirmed malicious extensions, implying that the new maintainer is responsible for them. He also found incredibly suspicious additional information, that makes it clear that the extension was not loading a modified version of OWA, but a trojan disguised as it. OWA has a PHP based backend, but the fakes are using NodeJS. The trojan sets cookies, which OWA doesn't use. The response to certain requests is a completely different type than legitimate OWA. Furthermore, @joepie91 has attempted to deconstruct the minified JS, and believes that the code intercepts all requests, meaning it can track you perfectly, and furthermore manipulates those requests and makes additional advertising requests. That means the author was probably attempting to commit several flavors of advertising fraud, as well as possibly tracking you globally.
While there once appeared to be an innocent explanation for this, I can no longer say that it is remotely likely. Using the chrome web store version 7.1.8 of this extension, without disabling tracking, executed code from an untrusted third-party on your computer, with the power to modify any and all websites that you see. The fact that disabling tracking still works is irrelevant given the fact that most of the 2 million users of this extension have no idea that that option even exists. The fact that the code may not be malware is meaningless in light of the fact that it can be changed without notice, and that it is minified (human-unreadable). The fact that a new version has since been pushed that disables this behavior isn't useful given that any future update reintroducing the malicious code will occur without notifying the user.
Many users are worried enough about the changes that they completely uninstalled the extension, preferring alternatives instead. That extension has much fewer features, but is slightly better for performance. Others have begun building it from source, and installing it manually. If a person were to try to create a new web store release, they would need to change it significantly enough that Google wouldn't reject it as spam. To simply get a safe version for yourself, see further below. Before removing or modifying the extension on your computer, be sure to unsuspend all tabs, or you WILL lose them (though the original URLs can be extracted from the extension queries, and some are working on scripts to do just that, it's easier to just avoid all that).
Throughout the above discussions, which spanned several issues and now appear in news articles, the new maintainer has never posted on the thread, or interacted in any way with the repository. Despite an ongoing discussion about how they are plotting to destroy us all, they haven't done anything to assuage our concerns: likely in the hope that all those aware of the attack would move on eventually. They aren't dead, as they were quite quick to update the extension when Microsoft removed it for malware, and @deanoemcke reports that they. But the new maintainer might well be a literal cat on a keyboard, for the amount of interaction they have made with the community.
For those who don't want to continue using the extension, alternatives include Tabs Outliner, which lets you place tabs in an outline. Auto Tab Discard is very similar to TGS, however it always reloads the tab when it is focused. Session Buddy allows you to save tabs into "collections", that can be reviewed later, as well as providing security against crashes.
If you enjoy using the extension, and wish to continue using it as it was, download the source code from the Github repository (version 7.1.6), enable developer mode, select "Load unpacked extension", and point it at the /src directory. Bam! You are now running The Great Suspender as @deanoemcke created it. @aciidic has gone further, creating a new repository not under the control of the old maintainer, and with all tracking code removed, here. The Marvellous Suspender is another fork currently on the Chrome Web Store, for those who would prefer not to finagle with developer mode settings.
That concludes my summary. For more information, please do look further down on this thread, or at the original announcement (#1175). An analysis of the script is placed here. Additional sources began covering this in January 2021, and a lot more picked it up after February Fourth for some bizarre reason that probably has nothing to do with the removal by Google.
Edit log
Edit 01: (2020-11-06) add details from this discussion
Edit 02: (2020-11-06) Update to reflect the newly discovered evidence for malice
Edit 03: (2020-12-06) Note technique to continue using TGS
Edit 04: (2021-01-03) Add "Urgent" to title (and WOW did people start noticing) (thanks twitter)
Edit 05: (2021-01-05) Note @thibaudcolas and his analysis.
Edit 06: (2021-01-08) Note @thibaudcolas's second analysis, clarify and copyedit throughout, and start adding dates to edits
Edit 07: (2021-01-08) Remind about the process of removing the extension, and note a bit more about maintainer
Edit 08: (2021-01-08) Last one for today, promise: Reformat edit list and other minor changes throughout,
Edit 09: (2021-02-04) Note removal from store
Edit 10: (2021-02-04) Fix bold
Edit 11: (2021-02-04) Add help for those worried about losing tabs in nice big bold letters
Edit 12: (2021-02-04) Add details about password security
Edit 13: (2021-02-04) Clarify compromise, beautify edit log
Edit 14: (2021-02-04) Obscure the fact that I made my first edits 9 months in the future (fix edit years)
Edit 15: (2021-02-05) Clarify probably breaches: regret decision to keep obsessive edit log
Edit 16: (2021-02-09) Realize that issue still contained the false implication that users were safe after November.
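An added example (not part of the issue text or of the extension's code) of the check that surfaced two of the red flags described above, a store package whose manifest differs from the repository and an update that requests broader permissions: it compares the manifest.json from the source tree with the one from the unpacked store package. Both manifests below are constructed stand-ins, not the real Great Suspender manifests, and the high-risk list is an assumption of this example.

```javascript
// Permissions that let an extension observe or alter traffic on every site.
// The selection is this example's assumption, not an official list.
const HIGH_RISK = new Set([
  'webRequest', 'webRequestBlocking', 'cookies', '<all_urls>',
]);
// Host match patterns with a wildcard host, e.g. "*://*/*" or "https://*/*".
const isBroadHost = (p) => /^(\*|https?):\/\/\*\//.test(p);

const asList = (v) => (Array.isArray(v) ? v : []);

// Compares the repository manifest with the manifest shipped by the store.
function manifestDrift(source, store) {
  const before = new Set(asList(source.permissions));
  const after = new Set(asList(store.permissions));
  const added = [...after].filter((p) => !before.has(p)).sort();
  const removed = [...before].filter((p) => !after.has(p)).sort();
  // Any other top-level key whose serialized value differs.
  const keys = new Set([...Object.keys(source), ...Object.keys(store)]);
  const changedKeys = [...keys]
    .filter((k) => k !== 'permissions')
    .filter((k) => JSON.stringify(source[k]) !== JSON.stringify(store[k]))
    .sort();
  const highRisk = added.filter((p) => HIGH_RISK.has(p) || isBroadHost(p));
  return {
    added,
    removed,
    highRisk,
    changedKeys,
    // A version bump alone is expected; anything else needs a human look.
    needsReview: added.length > 0 || changedKeys.some((k) => k !== 'version'),
  };
}

// Constructed manifest as it would appear in the source repository.
const SOURCE_MANIFEST = {
  manifest_version: 2,
  name: 'Example Tab Suspender',
  version: '1.0.0',
  permissions: ['tabs', 'storage', 'history', 'unlimitedStorage'],
  background: { scripts: ['background.js'] },
};

// Constructed manifest as it would appear in the unpacked store package.
const STORE_MANIFEST = {
  manifest_version: 2,
  name: 'Example Tab Suspender',
  version: '1.0.1',
  permissions: [
    'tabs', 'storage', 'history', 'unlimitedStorage',
    'alarms', 'webRequest', 'webRequestBlocking', '<all_urls>', 'cookies',
  ],
  background: { scripts: ['background.js'] },
};

const drift = manifestDrift(SOURCE_MANIFEST, STORE_MANIFEST);
console.log(JSON.stringify(drift, null, 2));
```

A manifest diff only shows what the package asks for; scripts fetched from a remote server at run time, as reported for v7.1.8, do not appear in it.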