greatsuspender / thegreatsuspender

A chrome extension for suspending all tabs to free up memory
https://chrome.google.com/webstore/detail/the-great-suspender/klbibkeccnjlkjkiokjodocebajanakg/
GNU General Public License v2.0

Malware? #1307

Open alesim21 opened 3 years ago

alesim21 commented 3 years ago

I just got the message from chrome that the extension contains malware, can you tell me if it is actually not safe?

proxycase commented 3 years ago

Same here, looks like it's been removed from the chrome store as well

proxycase commented 3 years ago

https://github.com/greatsuspender/thegreatsuspender/issues/1263

Nevexo commented 3 years ago

Chrome store pulled it, so now all Chrome/Edge users are being notified.

arkyaC commented 3 years ago

I lost a large number of tabs I'd kept suspended, any way I can recover them?

Nevexo commented 3 years ago

@arkyaC see #1263 for URL recovery help

Cystax commented 3 years ago

Yeah, though using it from HERE should be fine.

Nevexo commented 3 years ago

Should be safe if you build it from the GitHub release, or if you're in Edge, just enable sleeping tabs.

alesim21 commented 3 years ago

> I just got the message from Chrome that the extension contains malware, can you tell me if it really isn't safe?

The problem for me is password and data theft, I own a website and if this extension is really harmful to me it would be a BIG PROBLEM

alesim21 commented 3 years ago

> It should be safe if you build it from the GitHub version, or if you're on Edge, simply enable sleeping tabs.

I downloaded the extension from the Chrome Web Store.

AlexDev404 commented 3 years ago

I know right?? What the hell is going on?

AlexDev404 commented 3 years ago

The extension was suddenly disabled and completely wiped from the Chrome Web Store

u100009 commented 3 years ago

I've been using the extension for a long time now and I don't believe there is anything harmful in the code.. The problem comes from the change of ownership of the code (see more here: https://www.theregister.com/2021/01/07/great_suspender_malware/ )

mike9k1 commented 3 years ago

> The extension was suddenly disabled and completely wiped from the Chrome Web Store

There were changes made back in June by @deanoemcke who was covering his tracks, enabling new vulnerabilities through the extension. He has since been outed as he sold the software to a malicious hacking group who's been using the extension to push tracking software.

mike9k1 commented 3 years ago

I called @deanoemcke out on this and he sicked his goons on me. "Well if you don't like it, don't use it" -- great

u100009 commented 3 years ago

The big question is: how can we get the old (still known as good) version 7.1.6 installed instead of 7.1.9, which is now flagged 'harmful' by Chrome?

mike9k1 commented 3 years ago

In https://github.com/greatsuspender/thegreatsuspender/issues/1147 I sounded the alarm on this and was IGNORED

scarrrr316 commented 3 years ago

omgggggggggggggggggggggggg, all my tabs disappear!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! fkkkkkk

prgTW commented 3 years ago

@scarrrr316 https://github.com/greatsuspender/thegreatsuspender/issues/1263#issuecomment-773514532

scarrrr316 commented 3 years ago

I downloaded the release, version 7.1.6, can use it but all my tabs disappeared

scarrrr316 commented 3 years ago

> @scarrrr316 #1263 (comment)

ohhhhhhhhhhhhhhhhhhhhhh thxxxxxxxxxxxxxxxxxx I found most of the tabs in Session Buddy (saved 2 days ago), and I can find the other tabs from the link you sent, thxxxxxxxxxx

prgTW commented 3 years ago

@scarrrr316 You can

  1. install https://chrome.google.com/webstore/detail/the-marvellous-suspender/noogafoofpebimajpfpamcfhoaifemoa
  2. search Your history https://github.com/greatsuspender/thegreatsuspender/issues/1263#issuecomment-773514532
  3. change klbibkeccnjlkjkiokjodocebajanakg to noogafoofpebimajpfpamcfhoaifemoa in all tab URLs to ~use~ switch to the new extension

AlexDev404 commented 3 years ago

hahaha the Marvelous Suspender lol

scarrrr316 commented 3 years ago

I installed TGS v7.1.6

scarrrr316 commented 3 years ago
> How to recover lost tabs with The Great Suspender
>
> The extension comes with its own tab history management UI to help users recover from lost tabs. Go to the extension options page (from 'settings' in the popup or 'options' when right-clicking on the extension). Then in the settings sidebar click on 'Session management'. This will show you your most recent tab sessions. You can click on each session to see more detail on the individual windows and tabs it contains.
>
> To reload a session, simply click the 'reload' link. This will reload all windows and tabs in an 'unsuspended' state. If your session contains a very large number of tabs, then you might instead want to click 'resuspend' which will be much faster as it reloads the tabs in a suspended state.
>
> If for some reason the missing tabs are not in your recent sessions, then please follow the guide below for recovering lost tabs without using The Great Suspender.
>
> If you have access to system backups, you may be able to restore old 'recent sessions' from these backups. The recent sessions are stored in an IndexedDB database at Chrome/Default/IndexedDB/chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.indexeddb.blob/ and Chrome/Default/IndexedDB/chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.indexeddb.leveldb/

Do you guys know where these are?

Chrome/Default/IndexedDB/chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.indexeddb.blob/ and Chrome/Default/IndexedDB/chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.indexeddb.leveldb/

DefinitelyNotFred commented 3 years ago

Simply clicking the back button on pages that were suspended brought them back for me.

AlexDev404 commented 3 years ago

Screw this new owner. Why would they do such stuff.

mike9k1 commented 3 years ago

> Screw this new owner. Why would they do such stuff.

@deanoemcke and others have been integrating a closed-source library that tracks user information going all the way back to May of last year -- https://github.com/greatsuspender/thegreatsuspender/issues/1147

I am hearing rumblings that the developer is being paid by a third party to integrate a closed-source library that tracks user data in the latest release, hence the intrusive "UPDATE NOW" push. I'll be removing this extension post-haste.

greenking13 commented 3 years ago

So just to check, the alternative options are either to roll back to a version from sometime last year or to migrate over to a fork of this called The Marvelous Suspender, which is barely known? Man, this sucks, since this was an amazing extension for me and my hoarder behavior.

AlexDev404 commented 3 years ago

So are you basically saying that every time I update, data gets pushed to a third party?

u100009 commented 3 years ago

There's a forked branch, version 7.1.10 of TGS, here: https://github.com/aciidic/thegreatsuspender-notrack with no tracking enabled.. I just downloaded and installed it.. happy camper again.

PS: this is the beauty of GitHub source code.. everyone can contribute to its own version and get it reviewed by peers.

alesim21 commented 3 years ago

So is it a malicious extension or not?

mike9k1 commented 3 years ago

> PS: this is the beauty of GitHub source code.. everyone can contribute to its own version and get it reviewed by peers.

Except here's the problem -- most people like the "comfort" of knowing that something is open source, but very few actually look at the code.

So when a closed-source library slips under the radar, not many people will acknowledge it and the developer can outright deny it...the few people who do become aware can just be shouted down by the many users who simply don't care. That's exactly what happened here.

People need to be more vigilant about their "open source" software -- this isn't an isolated incident. I'm a HUGE advocate for OSS, but OSS only works when users get involved and are willing to do a little research.

scarrrr316 commented 3 years ago

https://github.com/greatsuspender/thegreatsuspender/issues/1304#issuecomment-773534043 this method worked perfectly !!!!!!! I exported all my tabs through this method !!! try it

krisfremen commented 3 years ago

This is horrible...

If the last tag that's free of malware is good and vetted, I'd be willing to do a fork and maintain that.

AlexDev404 commented 3 years ago

> There's a forked branch, version 7.1.10 of TGS, here: https://github.com/aciidic/thegreatsuspender-notrack with no tracking enabled.. I just downloaded and installed it.. happy camper again.
>
> PS: this is the beauty of GitHub source code.. everyone can contribute to its own version and get it reviewed by peers.

#1307 (comment)

This works really well. Although I did have to fiddle around with the registry and create some keys to allow the packed extension to work.

Registry Settings Options

Chromium Policy List (ExtensionInstallWhiteList)

sachiotomita commented 3 years ago

How I recovered possible last session:

Point: Chrome seems to let the user enable all extensions (even a malicious extension) when launching, so you can reuse a "removed/blocked" extension again for a few minutes.

reference https://github.com/greatsuspender/thegreatsuspender/issues/1304#issuecomment-773534043

alternative: https://chrome.google.com/webstore/detail/the-marvellous-suspender/noogafoofpebimajpfpamcfhoaifemoa

or manual install https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6

Just in case (for the future?), Session Buddy: https://chrome.google.com/webstore/detail/session-buddy/edacconmaakjimmfgnblocblbcdcpbko?hl=en

to see URL of suspended tab https://github.com/greatsuspender/thegreatsuspender/issues/1263#issuecomment-773538665

ghost commented 3 years ago

> I've been using the extension for a long time now and I don't believe there is anything harmful in the code.. The problem comes from the change of ownership of the code (see more here: https://www.theregister.com/2021/01/07/great_suspender_malware/ )

Look, stop, I can see what you're doing. It shows that the extension contains malware, and even Google Chrome is notifying users, which I believe wouldn't happen if it was safe.

AlexDev404 commented 3 years ago

> This is horrible...
>
> If the last tag that's free of malware is good and vetted, I'd be willing to do a fork and maintain that.

@krisfremen Try this here: https://github.com/aciidic/thegreatsuspender-notrack

AlexDev404 commented 3 years ago

You know, maybe somebody else who is willing could try taking on this project by forking this repo and creating a rebranded version of TGS with additional features, and probably remove any malicious code too.

IanWorthington commented 3 years ago

I've tried installing both the 7.1.6 version here as well as the 7.1.10 version from aciidic and neither seems able to restore my tabs, though both list them in the session manager.

Is the fact that my tabs start with klbibkeccnjlkjkiokjodocebajanakg while the GitHub versions seem to use different IDs significant?

AlexDev404 commented 3 years ago

@IanEdington Yes. You will first have to export your session files with the method @sachiotomita described, install the extension from aciidic, then import that session.

Alternatively, you can also change the extension://extension-id URI with the extension ID of the modified TGS's extension ID since you've already installed the modified version.

IanWorthington commented 3 years ago

> @IanEdington Yes. You will first have to export your session files with the method @sachiotomita described, install the extension from aciidic, then import that session.
>
> Alternatively, you can also change the extension://extension-id URI with the extension ID of the modified TGS's extension ID since you've already installed the modified version.

Many thanks, I think that's working now. For anyone else who has trouble following the instructions, this is what you need to do:

  1. Download the source zip from aciidic and unzip it
  2. Follow the instructions on the release page to modify manifest.json
  3. In Chrome enable Developer Mode
  4. Load Unpacked and point to the directory you unzipped
  5. In the settings page which opens up, go to Session Manager, find the recent session containing your tabs, and export it
  6. Edit the exported file to change the ID on the tabs to the ID shown in the Session Manager address bar
  7. Back at Session Manager, Import Session and point to your modified file
  8. Open and Load

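
An added example, not code from this thread or from the TGS project: a small Node.js script that performs the ID swap from prgTW's step 3 and step 6 above (rewriting the extension ID inside each suspended-tab URL and nothing else in the file), and also pulls the original page URL back out of each suspended-tab URL so the tabs can be reopened with no suspender installed at all. It assumes a suspended-tab URL of the shape `chrome-extension://<id>/suspended.html#ttl=...&pos=...&uri=...` with `uri` as the last fragment parameter; that shape is taken from how TGS suspended pages looked and should be checked against your own export. The sample lines are constructed, and the two extension IDs are the ones cited in the thread.

```javascript
// Added example (not from the thread or the TGS project): rewrite the extension id in
// suspended-tab URLs and recover the original page URL from each of them.
//
// Assumed URL shape (verify against your own exported session):
//   chrome-extension://<32-char id>/suspended.html#ttl=<title>&pos=<n>&uri=<original url>
// with uri as the LAST fragment parameter, so the original URL's own query string
// (which may contain unencoded '&') is taken verbatim to the end of the fragment.
'use strict';

const WEBSTORE_TGS_ID = 'klbibkeccnjlkjkiokjodocebajanakg'; // Web Store id cited in the thread
const MARVELLOUS_ID = 'noogafoofpebimajpfpamcfhoaifemoa';   // Marvellous Suspender id cited in the thread

// Chrome extension ids are exactly 32 letters in the range a-p.
const SUSPENDED_RE = /^chrome-extension:\/\/([a-p]{32})\/suspended\.html(?:#(.*))?$/;

// Returns { extensionId, title, originalUrl } for a suspended-tab URL, or null for anything else.
function parseSuspendedUrl(url) {
  const m = SUSPENDED_RE.exec(url.trim());
  if (!m) return null;
  const fragment = m[2] || '';
  const params = new URLSearchParams(fragment);
  // Take everything after "uri=" instead of params.get('uri'): URLSearchParams would
  // split the original URL at its first unencoded '&' and truncate it.
  const uriMatch = /(?:^|&)uri=(.*)$/.exec(fragment);
  let originalUrl = null;
  if (uriMatch) {
    let raw = uriMatch[1];
    try { raw = decodeURIComponent(raw); } catch (e) { /* malformed escape: keep raw */ }
    // Only web URLs are recovered; a javascript: or data: value is dropped, never reopened.
    if (/^https?:\/\//i.test(raw)) originalUrl = raw;
  }
  return { extensionId: m[1], title: params.get('ttl'), originalUrl };
}

// Point one suspended-tab URL at newId instead of oldId; anything else is returned untouched.
function rewriteExtensionId(url, oldId, newId) {
  const parsed = parseSuspendedUrl(url);
  if (!parsed || parsed.extensionId !== oldId) return url;
  return url.replace(`chrome-extension://${oldId}/`, `chrome-extension://${newId}/`);
}

// Rewrite every suspended-tab URL that sits on its own line in an exported session saved as text.
function rewriteSessionText(text, oldId, newId) {
  return text.split('\n').map((line) => rewriteExtensionId(line, oldId, newId)).join('\n');
}

// Collect the original page URLs behind suspended tabs: a plain list you can reopen anywhere.
function recoverOriginalUrls(lines) {
  const out = [];
  for (const line of lines) {
    const parsed = parseSuspendedUrl(line);
    if (parsed && parsed.originalUrl) out.push(parsed.originalUrl);
  }
  return out;
}

// Constructed sample (not a real export): an old-id suspended tab whose original query
// contains '&', a plain URL, a suspended tab with no uri, and a tab from an unrelated id.
const SAMPLE_LINES = [
  `chrome-extension://${WEBSTORE_TGS_ID}/suspended.html#ttl=Example%20Domain&pos=0&uri=https://example.com/docs?a=1&b=2`,
  'https://github.com/greatsuspender/thegreatsuspender/issues/1307',
  `chrome-extension://${WEBSTORE_TGS_ID}/suspended.html#ttl=Broken&pos=1`,
  'chrome-extension://abcdefghijklmnopabcdefghijklmnop/suspended.html#ttl=Other&pos=0&uri=https://example.org/',
];

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const file = process.argv[2]; // optional: path to an exported session saved as text
  const lines = file ? fs.readFileSync(file, 'utf8').split('\n') : SAMPLE_LINES;
  console.log(rewriteSessionText(lines.join('\n'), WEBSTORE_TGS_ID, MARVELLOUS_ID));
  console.log('\nOriginal URLs:');
  for (const u of recoverOriginalUrls(lines)) console.log(u);
}
```

Run it as `node rewrite-suspended.js exported-session.txt` to print the rewritten lines followed by the recovered original URLs, or with no argument to run it on the built-in sample. Restricting the replacement to URLs that match the suspended.html shape, rather than a blind find-and-replace of the 32-character ID, leaves unrelated occurrences of the old ID (such as the IndexedDB path quoted earlier in the thread) untouched, and the http(s)-only check means a malformed or non-web `uri` value is dropped instead of being reopened as a tab.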
stanlrt commented 3 years ago

It IS malware.

TomasHurtz commented 3 years ago

Holy crap - class action @ google. I am envisaging hundreds of thousands of passwords stolen via this app.

We have to thank @TheMageKing for his original red flag... https://github.com/greatsuspender/thegreatsuspender/issues/1263#issue-735408387

chumbawumba commented 3 years ago

Since the last few releases weren't committed to GitHub, has anyone done any code analysis of what the last release was actually doing?

AlexDev404 commented 3 years ago

Shoots! I literally uninstalled the extension as soon as it reported malware! Aghh!

AlexDev404 commented 3 years ago

G'Day to all. I have successfully retrieved the extension from Google CDN. It seems as though they haven't deleted the files as yet.

Retrieved from: https://www.crx4chrome.com/crx/1543/

You could also get the zip file I uploaded with the CRX file down here:

extension_7_1_9_0.zip

pressRtowin commented 3 years ago

I had a huge security breach a few weeks ago. I wonder if this extension was involved somehow. I don't know all the details but somehow a copy of Teamviewer was loaded into my %temp% directory and launched from there. The malicious party had access to my system for about 1 hr before I returned to see what was going on and put a stop to it. As far as I can tell, none of the things they did during that hour were "smart" things that could have seriously compromised my security (network, certificates, installing any (additional) malware, etc.) instead, they spent the whole time copying and pasting passwords and credit cards from my Lastpass session (which I stupidly left logged in) onto retail sites to try to purchase google play gift cards and such.

I've managed to mitigate all the damage that was done (changed all my compromised passwords (they left all the lastpass tabs open so I could see which ones were accessed), got all my credit cards reissued, etc.), and most of my super important accounts were protected by 2FA anyway, but despite all the digging around I did in my system before finally wiping it, I could never figure out how exactly they compromised my system in the first place to load Teamviewer onto it.

One interesting thing to note is that one of the first things they did was remove 3 chrome extensions: Nimbus Screenshot, uBlock Origin, and The Great Suspender . . .

Originally I didn't suspect TGS, but after the news just came out about Google actively removing it for containing malware (This article even suggests "The Great Suspender added an exploit that could be used to run almost any kind of code on your computer without your knowledge"), I immediately became suspicious.

EDIT: So I came back here to write this comment after seeing that TGS was removed from my browser again, which freaked me out for a bit cuz that was one of the things that happened when I was last compromised as I explained above, until I saw the news that TGS was being removed from everyone's browsers by Google.

Interestingly enough, I just rebooted my computer, and when I launched Chrome, TGS was back. Not sure if this is just google's sync being weird or what, but I just manually removed it, and I'm about to reboot again to see if it's gone for good now . . .

EDIT 2: I've rebooted and it appears TGS is gone . . .

EDIT 3: I highly suggest anyone who's had TGS search their %temp% for a Teamviewer directory. I also had two executables in %temp% directly that appeared to be Teamviewer installers. They had the TV icon but the two executables were named short, seemingly random strings of characters.

ghost commented 3 years ago

> I had a huge security breach a few weeks ago. I wonder if this extension was involved somehow. I don't know all the details but somehow a copy of Teamviewer was loaded into my %temp% directory and launched from there. The malicious party had access to my system for about 1 hr before I returned to see what was going on and put a stop to it. As far as I can tell, none of the things they did during that hour were "smart" things that could have seriously compromised my security (network, certificates, installing any (additional) malware, etc.) instead, they spent the whole time copying and pasting passwords and credit cards from my Lastpass session (which I stupidly left logged in) onto retail sites to try to purchase google play gift cards and such.
>
> I've managed to mitigate all the damage that was done (changed all my compromised passwords (they left all the lastpass tabs open so I could see which ones were accessed), got all my credit cards reissued, etc.), and most of my super important accounts were protected by 2FA anyway, but despite all the digging around I did in my system before finally wiping it, I could never figure out how exactly they compromised my system in the first place to load Teamviewer onto it.
>
> One interesting thing to note is that one of the first things they did was remove 3 chrome extensions: Nimbus Screenshot, uBlock Origin, and The Great Suspender . . .
>
> EDIT: So I came back here to write this comment after seeing that TGS was removed from my browser again, which freaked me out for a bit cuz that was one of the things that happened when I was last compromised as I explained above, until I saw the news that TGS was being removed from everyone's browsers by Google.
>
> Interestingly enough, I just rebooted my computer, and when I launched Chrome, TGS was back. Not sure if this is just google's sync being weird or what, but I just manually removed it, and I'm about to reboot again to see if it's gone for good now...

@pressRtowin Thats very worrying.

S10MC2015 commented 3 years ago

> I had a huge security breach a few weeks ago. I wonder if this extension was involved somehow. I don't know all the details but somehow a copy of Teamviewer was loaded into my %temp% directory and launched from there. The malicious party had access to my system for about 1 hr before I returned to see what was going on and put a stop to it. As far as I can tell, none of the things they did during that hour were "smart" things that could have seriously compromised my security (network, certificates, installing any (additional) malware, etc.) instead, they spent the whole time copying and pasting passwords and credit cards from my Lastpass session (which I stupidly left logged in) onto retail sites to try to purchase google play gift cards and such.
>
> I've managed to mitigate all the damage that was done (changed all my compromised passwords (they left all the lastpass tabs open so I could see which ones were accessed), got all my credit cards reissued, etc.), and most of my super important accounts were protected by 2FA anyway, but despite all the digging around I did in my system before finally wiping it, I could never figure out how exactly they compromised my system in the first place to load Teamviewer onto it.
>
> One interesting thing to note is that one of the first things they did was remove 3 chrome extensions: Nimbus Screenshot, uBlock Origin, and The Great Suspender . . .
>
> Originally I didn't suspect TGS, but after the news just came out about Google actively removing it for containing malware (This article even suggests "The Great Suspender added an exploit that could be used to run almost any kind of code on your computer without your knowledge"), I immediately became suspicious.
>
> EDIT: So I came back here to write this comment after seeing that TGS was removed from my browser again, which freaked me out for a bit cuz that was one of the things that happened when I was last compromised as I explained above, until I saw the news that TGS was being removed from everyone's browsers by Google.
>
> Interestingly enough, I just rebooted my computer, and when I launched Chrome, TGS was back. Not sure if this is just google's sync being weird or what, but I just manually removed it, and I'm about to reboot again to see if it's gone for good now . . .
>
> EDIT 2: I've rebooted and it appears TGS is gone . . .
>
> EDIT 3: I highly suggest anyone who's had TGS search their %temp% for a Teamviewer directory. I also had two executables in %temp% directly that appeared to be Teamviewer installers. They had the TV icon but the two executables were named short, seemingly random strings of characters.

This will not be possible without someone having a Chrome 0day to be able to do full RCE, download an application, escalate and run it. They could have tampered with an exe you downloaded and added the malicious TeamViewer to it though.