Malware?

[alesim21]

I just got the message from chrome that the extension contains malware, can you tell me if it is actually not safe?

[proxycase]

Same here, looks like it's been removed from the chrome store as well

[proxycase]

https://github.com/greatsuspender/thegreatsuspender/issues/1263

[Nevexo]

Chrome store pulled it, so now all Chrome/Edge users are being notified.

[arkyaC]

I lost a large number of tabs I'd kept suspended, any way I can recover them?

[Nevexo]

@arkyaC see #1263 for URL recovery help

[Cystax]

Yeah, though using it from HERE should be fine.

[Nevexo]

Should be safe if you build it from the GitHub release, or if you're in Edge, just enable sleeping tabs.

[alesim21]

Ho appena ricevuto il messaggio da Chrome che l'estensione contiene malware, puoi dirmi se in realtà non è sicuro?

The problem for me is password and data theft, I own a website and if this extension is really harmful to me it would be a BIG PROBLEM

[alesim21]

Dovrebbe essere sicuro se lo crei dalla versione GitHub o se sei in Edge, abilita semplicemente le schede dormienti.

Ho scaricato l'estensione dal Chrome Web Store

[AlexDev404]

I know right?? What the hell is going on?

[AlexDev404]

The extension was suddenly disabled and completely wiped from the Chrome Web Store

[u100009]

I've been using the extension for a long time now and I don't believe there is anything harmful in the code.. The problem comes for the change of ownership of the code (see more here : https://www.theregister.com/2021/01/07/great_suspender_malware/ )

[mike9k1]

The extension was suddenly disabled and completely wiped from the Chrome Web Store

There were changes made back in June by @deanoemcke who was covering his tracks, enabling new vulnerabilities through the extension. He has since been outed as he sold the software to a malicious hacking group who's been using the extension to push tracking software.

[mike9k1]

I called @deanoemcke out on this and he sicked his goons on me. "Well if you don't like it, don't use it" -- great

[u100009]

The big question is: how can we get the old (still known as good) version 7.1.6 installed instead of the 7.1.9 which is flagged 'harmful' now by Chrome ?

[mike9k1]

In https://github.com/greatsuspender/thegreatsuspender/issues/1147 I sounded the alarm on this and was IGNORED

[scarrrr316]

omgggggggggggggggggggggggg,all my tabs dissapear!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!fkkkkkk

[prgTW]

@scarrrr316 https://github.com/greatsuspender/thegreatsuspender/issues/1263#issuecomment-773514532

[scarrrr316]

i downloaded the release ,verson 7.1.6 ,can use but all my tabs disappeared

[scarrrr316]

@scarrrr316 #1263 (comment)

ohhhhhhhhhhhhhhhhhhhhhh thxxxxxxxxxxxxxxxxxx i found most of the tabs in session buddy(saved 2 days ago , and i can find others tabs from the link you sent ,thxxxxxxxxxx

[prgTW]

@scarrrr316 You can

1. install https://chrome.google.com/webstore/detail/the-marvellous-suspender/noogafoofpebimajpfpamcfhoaifemoa
2. search Your history https://github.com/greatsuspender/thegreatsuspender/issues/1263#issuecomment-773514532
3. change klbibkeccnjlkjkiokjodocebajanakg to noogafoofpebimajpfpamcfhoaifemoa in all tab URLs to ~use~ switch to the new extension

[AlexDev404]

hahaha the Marvelous Suspender lol

[scarrrr316]

i installed TGS v7.1.6

[scarrrr316]

How to recover lost tabs with The Great Suspender
The extension comes with its own tab history management UI to help users recover from lost tabs. Go to the extension options page (from 'settings' in the popup or 'options' when right-clicking on the extension). Then in the settings sidebar click on 'Session management'. This will show you your most recent tab sessions. You can click on each session to see more detail on the individual windows and tabs it contains.

To reload a session, simply click the 'reload' link. This will reload all windows and tabs in an 'unsuspended' state. If your session contains a very large number of tabs, then you might instead want to click 'resuspend' which will be much faster as it reloads the tabs in a suspended state.

If for some reason the missing tabs are not in your recent sessions, then please follow the guide below for recovering lost tabs without using The Great Suspender.

If you have access to system backups, you may be able to restore old 'recent sessions' from these backups. The recent sessions are stored in an IndexedDB database at Chrome/Default/IndexedDB/chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.indexeddb.blob/ and Chrome/Default/IndexedDB/chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.indexeddb.leveldb/

do you guys know where are

Chrome/Default/IndexedDB/chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.indexeddb.blob/ and Chrome/Default/IndexedDB/chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.indexeddb.leveldb/

[DefinitelyNotFred]

Simply clicking the back button on pages that were suspended brought them back for me.

[AlexDev404]

Screw this new owner. Why would they do such stuff.

[mike9k1]

Screw this new owner. Why would they do such stuff.

@deanoemcke and others have been integrating a closed-source library that tracks user information going all the way back to May of last year -- https://github.com/greatsuspender/thegreatsuspender/issues/1147

I am hearing rumblings that the developer is being paid by a third party to integrate a closed-source library that tracks user data in the latest release, hence the intrusive "UPDATE NOW" push. I'll be removing this extension post-haste.

[greenking13]

So just to check, the alternative options of this is to either roll back to a version something last year or to migrate over to a fork of this called The Marvelous Suspender which is barely known? Man, this sucks since this was an amazing extension for me and my hoarder behavior.

[AlexDev404]

So are you basically saying that everytime I update data gets pushed to a third party?

[u100009]

There a forked branch version 7.1.10 of TGS here : https://github.com/aciidic/thegreatsuspender-notrack with no tracking enabled.. I just downloaded and installed it.. happy camper again.

PS: this is the beauty of GitHub source code.. everyone can contribute to its own version and get it reviewed by peers.

[alesim21]

Ma quindi è una estensione dannosa o no?

[mike9k1]

PS: this is the beauty of GitHub source code.. everyone can contribute to its own version and get it reviewed by peers.

Except here's the problem -- most people like the "comfort" of knowing that something is open source, but very few actually look at the code.

So when a closed-source library slips under the radar, not many people will acknowledge it and the developer can outright deny it...the few people who do become aware can just be shouted down by the many users who simply don't care. That's exactly what happened here.

People need to be more vigilant about their "open source" software -- this isn't an isolated incident. I'm a HUGE advocate for OSS, but OSS only works when users get involved and are willing to do a little research.

[scarrrr316]

https://github.com/greatsuspender/thegreatsuspender/issues/1304#issuecomment-773534043 this method worked perfectly !!!!!!! i export all my tabs through this method !!! try it

[krisfremen]

This is horrible...

If the last tag that's free of malware is good and vetted, I'd be willing to do a fork and maintain that.

[AlexDev404]

There a forked branch version 7.1.10 of TGS here : https://github.com/aciidic/thegreatsuspender-notrack with no tracking enabled.. I just downloaded and installed it.. happy camper again.

PS: this is the beauty of GitHub source code.. everyone can contribute to its own version and get it reviewed by peers.

#1307 (comment)

This works really well. Although I did have to fiddle around with the registry and create some keys to allow the packed extension to work.

Registry Settings Options

Chromium Policy List (ExtensionInstallWhiteList)

[sachiotomita]

How I recovered possible last session:

Point: Chrome seems let user enable All extensions (even Malicious extension) when launching. ( so you can reuse "removed/blocked" extension again, for a few minutes

• you may have history of closed tabs, or on Session Buddy (Ctr+Shift+T) with "suspended" tabs.
• relaunch Chrome(to enable removed extension TGS), and then unsuspend all tabs (it may cause clash if so many tabs, or just kill process with Ctr+Shit+Esc, etc. after confirming all got 'unsuspended'
• then my hundreds tabs got unsuspended. so install another alternative below and suspend again :)

reference https://github.com/greatsuspender/thegreatsuspender/issues/1304#issuecomment-773534043

alternative: https://chrome.google.com/webstore/detail/the-marvellous-suspender/noogafoofpebimajpfpamcfhoaifemoa

or manual install https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6

in case, Session Buddy ( for future? https://chrome.google.com/webstore/detail/session-buddy/edacconmaakjimmfgnblocblbcdcpbko?hl=en

to see URL of suspended tab https://github.com/greatsuspender/thegreatsuspender/issues/1263#issuecomment-773538665

[ghost]

I've been using the extension for a long time now and I don't believe there is anything harmful in the code.. The problem comes for the change of ownership of the code (see more here : https://www.theregister.com/2021/01/07/great_suspender_malware/ )

Look stop i can see what youre doing, it shows that the extension contains malware, and even google chrome is notifying users which I believe wouldn't show if it was safe.

[AlexDev404]

This is horrible...

If the last tag that's free of malware is good and vetted, I'd be willing to do a fork and maintain that.

@krisfremen Try this here: https://github.com/aciidic/thegreatsuspender-notrack

[AlexDev404]

You know maybe somebody else that is willing can probably try taking on this project by forking this repo and create a rebranded version of TGS with additional features and probably remove any malicious code too.

[IanWorthington]

I've tried installing both the 7.1.6 version here as well as the 7.1.10 version from aciidic and neither seems able to restore my tabs, though both list them in the session manager.

Is the fact that my tabs start klbibkeccnjlkjkiokjodocebajanakg and the github versions seem to use different ids significant?

[AlexDev404]

@IanEdington Yes. You will first have to export your session files with the method @sachiotomita described, install the extension from aciidic, then import that session.

Alternatively, you can also change the extension://extension-id URI with the extension ID of the modified TGS's extension ID since you've already installed the modified version.

[IanWorthington]

@IanEdington Yes. You will first have to export your session files with the method @sachiotomita described, install the extension from aciidic, then import that session.

Alternatively, you can also change the extension://extension-id URI with the extension ID of the modified TGS's extension ID since you've already installed the modified version.

Many thanks, I think that's working now. For anyone else who has trouble following the instructions, this is what you need to do:

1. Download the source zip from accidic and unzip it
2. Follow the instructions on the release page to modify manifext.json
3. In Chrome enable Developer Mode
4. Load Unpacked and point to the directory you unzipped
5. In the settings which opens up, so to session manager, find the recent session containing your tabs, and export it
6. Edit the exported file to change the ID on the tabs to the ID shown in the Session Manager address bar
7. Back at Session Manager, Import Session and point to your modified file
8. Open and Load

[stanlrt]

It IS malware.

[TomasHurtz]

Holy crap - class action @ google. I am envisaging hundreds of thousands of passwords stolen via this app.

We have to thank @TheMageKing for his original red flag... https://github.com/greatsuspender/thegreatsuspender/issues/1263#issue-735408387

[chumbawumba]

Since the last few releases weren't comitted to github, has anyone done any code analysis of what the last release was actually doing?

[AlexDev404]

Shoots! I literally uninstalled the extension as soon as it reported malware! Aghh!

[AlexDev404]

G'Day to all. I have successfully retrieved the extension from Google CDN. It seems as though they haven't deleted the files as yet.

Retrieved from: https://www.crx4chrome.com/crx/1543/

You could also get the zip file I uploaded with the CRX file down here:

extension_7_1_9_0.zip

[pressRtowin]

I had a huge security breach a few weeks ago. I wonder if this extension was involved somehow. I don't know all the details but somehow a copy of Teamviewer was loaded into my %temp% directory and launched from there. The malicious party had access to my system for about 1 hr before I returned to see what was going on and put a stop to it. As far as I can tell, none of the things they did during that hour were "smart" things that could have seriously compromised my security (network, certificates, installing any (additional) malware, etc.) instead, they spent the whole time copying and pasting passwords and credit cards from my Lastpass session (which I stupidly left logged in) onto retail sites to try to purchase google play gift cards and such.

I've managed to mitigate all the damage that was done (changed all my compromised passwords (they left all the lastpass tabs open so I could see which ones were accessed), got all my credit cards reissued, etc.), and most of my super important accounts were protected by 2FA anyway, but despite all the digging around I did in my system before finally wiping it, I could never figure out how exactly they compromised my system in the first place to load Teamviewer onto it.

One interesting thing to note is that one of the first things they did was remove 3 chrome extensions: Nimbus Screenshot, uBlock Origin, and The Great Suspender . . .

Originally I didn't suspect TGS, but after the news just came out about Google actively removing it for containing malware (This article even suggests "The Great Suspender added an exploit that could be used to run almost any kind of code on your computer without your knowledge"), I immediately became suspicious.

EDIT: So I came back here to write this comment after seeing that TGS was removed from my browser again, which freaked me out for a bit cuz that was one of the things that happened when I was last compromised as I explained above, until I saw the news that TGS was being removed from everyone's browsers by Google.

Interestingly enough, I just rebooted my computer, and when I launched Chrome, TGS was back. Not sure if this is just google's sync being weird or what, but I just manually removed it, and I'm about to reboot again to see if it's gone for good now . . .

EDIT 2: I've rebooted and it appears TGS is gone . . .

EDIT 3: I highly suggest anyone who's had TGS search their %temp% for a Teamviewer directory. I also had two executables in %temp% directly that appeared to be Teamviewer installers. They had the TV icon but the two executables were named short, seemingly random strings of characters.

[ghost]

I had a huge security breach a few weeks ago. I wonder if this extension was involved somehow. I don't know all the details but somehow a copy of Teamviewer was loaded into my %temp% directory and launched from there. The malicious party had access to my system for about 1 hr before I returned to see what was going on and put a stop to it. As far as I can tell, none of the things they did during that hour were "smart" things that could have seriously compromised my security (network, certificates, installing any (additional) malware, etc.) instead, they spent the whole time copying and pasting passwords and credit cards from my Lastpass session (which I stupidly left logged in) onto retail sites to try to purchase google play gift cards and such.

I've managed to mitigate all the damage that was done (changed all my compromised passwords (they left all the lastpass tabs open so I could see which ones were accessed), got all my credit cards reissued, etc.), and most of my super important accounts were protected by 2FA anyway, but despite all the digging around I did in my system before finally wiping it, I could never figure out how exactly they compromised my system in the first place to load Teamviewer onto it.

One interesting thing to note is that one of the first things they did was remove 3 chrome extensions: Nimbus Screenshot, uBlock Origin, and The Great Suspender . . .

EDIT: So I came back here to write this comment after seeing that TGS was removed from my browser again, which freaked me out for a bit cuz that was one of the things that happened when I was last compromised as I explained above, until I saw the news that TGS was being removed from everyone's browsers by Google.

Interestingly enough, I just rebooted my computer, and when I launched Chrome, TGS was back. Not sure if this is just google's sync being weird or what, but I just manually removed it, and I'm about to reboot again to see if it's gone for good now...

@pressRtowin Thats very worrying.

[S10MC2015]

I had a huge security breach a few weeks ago. I wonder if this extension was involved somehow. I don't know all the details but somehow a copy of Teamviewer was loaded into my %temp% directory and launched from there. The malicious party had access to my system for about 1 hr before I returned to see what was going on and put a stop to it. As far as I can tell, none of the things they did during that hour were "smart" things that could have seriously compromised my security (network, certificates, installing any (additional) malware, etc.) instead, they spent the whole time copying and pasting passwords and credit cards from my Lastpass session (which I stupidly left logged in) onto retail sites to try to purchase google play gift cards and such.

I've managed to mitigate all the damage that was done (changed all my compromised passwords (they left all the lastpass tabs open so I could see which ones were accessed), got all my credit cards reissued, etc.), and most of my super important accounts were protected by 2FA anyway, but despite all the digging around I did in my system before finally wiping it, I could never figure out how exactly they compromised my system in the first place to load Teamviewer onto it.

One interesting thing to note is that one of the first things they did was remove 3 chrome extensions: Nimbus Screenshot, uBlock Origin, and The Great Suspender . . .

Originally I didn't suspect TGS, but after the news just came out about Google actively removing it for containing malware (This article even suggests "The Great Suspender added an exploit that could be used to run almost any kind of code on your computer without your knowledge"), I immediately became suspicious.

EDIT: So I came back here to write this comment after seeing that TGS was removed from my browser again, which freaked me out for a bit cuz that was one of the things that happened when I was last compromised as I explained above, until I saw the news that TGS was being removed from everyone's browsers by Google.

Interestingly enough, I just rebooted my computer, and when I launched Chrome, TGS was back. Not sure if this is just google's sync being weird or what, but I just manually removed it, and I'm about to reboot again to see if it's gone for good now . . .

EDIT 2: I've rebooted and it appears TGS is gone . . .

EDIT 3: I highly suggest anyone who's had TGS search their %temp% for a Teamviewer directory. I also had two executables in %temp% directly that appeared to be Teamviewer installers. They had the TV icon but the two executables were named short, seemingly random strings of characters.

This will not be possible without someone having a chrome 0day to be able to do full rce and download an application and escalate and run it. They could have tamped with an exe you download and add the malicious TeamViewer to it though.