greatsuspender / thegreatsuspender

A chrome extension for suspending all tabs to free up memory
https://chrome.google.com/webstore/detail/the-great-suspender/klbibkeccnjlkjkiokjodocebajanakg/
GNU General Public License v2.0

Should we change all our passwords? #1310

Open ghost opened 3 years ago

ghost commented 3 years ago

So the extension got removed from the store for malware. If the extension really had malware in it, why didn't Google remove it sooner???

mike9k1 commented 3 years ago

@deanoemcke and others have been integrating a closed-source library that tracks user information going all the way back to May of last year -- https://github.com/greatsuspender/thegreatsuspender/issues/1147

I am hearing rumblings that the developer is being paid by a third party to integrate a closed-source library that tracks user data in the latest release, hence the intrusive "UPDATE NOW" push. I'll be removing this extension post-haste.

I tried warning others about this and was harassed. Google didn't know until just recently when several security blogs covered it -- it's been going on for months at this point.

itsaphel commented 3 years ago

Google and other browsers need to seriously reconsider how this could fly under the radar for so many months. What if some of the largest extensions do this, uBlock Origin or some such? It's ridiculous that it took them this long, and when they did finally remove it they nuked it rather than revert to an earlier version.

Some analysis on what kinds of data it was collecting would help. Do we need to change passwords? Was it sending raw data like history and keystrokes to remote servers?

ghost commented 3 years ago

I didn't have anyone try logging into my Google account, so I don't think it's so bad

WarningHPB commented 3 years ago

> @deanoemcke and others have been integrating a closed-source library that tracks user information going all the way back to May of last year -- #1147
>
> I am hearing rumblings that the developer is being paid by a third party to integrate a closed-source library that tracks user data in the latest release, hence the intrusive "UPDATE NOW" push. I'll be removing this extension post-haste.
>
> I tried warning others about this and was harassed. Google didn't know until just recently when several security blogs covered it -- it's been going on for months at this point.

Could you stop spamming, it's happened now, let people figure out what to do about it FFS

mike9k1 commented 3 years ago

> > @deanoemcke and others have been integrating a closed-source library that tracks user information going all the way back to May of last year -- #1147
> >
> > I am hearing rumblings that the developer is being paid by a third party to integrate a closed-source library that tracks user data in the latest release, hence the intrusive "UPDATE NOW" push. I'll be removing this extension post-haste.
> >
> > I tried warning others about this and was harassed. Google didn't know until just recently when several security blogs covered it -- it's been going on for months at this point.
>
> Could you stop spamming, it's happened now, let people figure out what to do about it FFS

Okay, but understand that it goes back quite a while, and so the scope of what might have been exposed is quite large by this point...

mike9k1 commented 3 years ago

> I didn't have anyone try logging into my Google account, so I don't think it's so bad

This can happen years down the line. Using the captured data too soon can compromise the source of the data (i.e. people will become suspicious and that can set off alarms as to where the data came from); of course they're also not going to hold onto it forever either.

To answer OP: yes, I think you should start rotating your passwords (although this is already considered a good practice to do every few months anyway).

You don't need to change every password at once, but yes, I would start using some kind of password manager (there's tons of them out there, most likely whatever you use has 2FA anyway) and start changing passwords one at a time.

ghost commented 3 years ago

> So the extension got removed from the store for malware. If the extension really had malware in it, why didn't Google remove it sooner???

This was down to the subreddit being made aware, and reports that it abused Google policies.

andrewprofile commented 3 years ago

Should we change all our passwords?

MapleCCC commented 3 years ago

Does the Chrome browser allow extensions access to password data stored in the browser? If not, then there's no need to change passwords, I think. Maybe someone familiar with Chrome extension development knows the answer?

ghost commented 3 years ago

> Does the Chrome browser allow extensions access to password data stored in the browser? If not, then there's no need to change passwords, I think. Maybe someone familiar with Chrome extension development knows the answer?

No, in this case changing your password is the best thing to do.

Off topic: even with 2FA on the account there's no guarantee the Google account will be protected. Discord users had their accounts stolen even with 2FA enabled.

csis0247 commented 3 years ago

> Should we change all our passwords?
>
> • Yes, in my Google account I get an alert about taking over some of my passwords :(

Could you elaborate? Aside from my router's default password, I do not have any compromised password according to Google's "Check passwords" feature.

ghost commented 3 years ago

> > Should we change all our passwords?
> >
> > • Yes, in my Google account I get an alert about taking over some of my passwords :(
>
> Could you elaborate? Aside from my router's default password, I do not have any compromised password according to Google's "Check passwords" feature.

It's still a good idea to change the passwords.

sflesch commented 3 years ago

> > Should we change all our passwords?
> >
> > • Yes, in my Google account I get an alert about taking over some of my passwords :(
>
> Could you elaborate? Aside from my router's default password, I do not have any compromised password according to Google's "Check passwords" feature.

I believe Google is pulling this information from previous breaches. A number of my passwords are being reported by Chrome, but they are from some known breaches like those that can be found on haveibeenpwned.

andrewprofile commented 3 years ago

> > Should we change all our passwords?
> >
> > • Yes, in my Google account I get an alert about taking over some of my passwords :(
>
> Could you elaborate? Aside from my router's default password, I do not have any compromised password according to Google's "Check passwords" feature.

This is what this mechanism is about, it will be different for each person :)

sarog commented 3 years ago

> Does the Chrome browser allow extensions access to password data stored in the browser? If not, then there's no need to change passwords, I think. Maybe someone familiar with Chrome extension development knows the answer?

In a dormant state, extensions can't access Chrome's password storage system without interactive authentication (e.g. asking for a password).

However, the websites you visit and allow Chrome to auto-fill credentials on might allow third-party extensions to exfiltrate passwords from web forms using plain JavaScript. Since (by default) we allow TGS full access to every site we visit ("Allow this extension to read and change all your data on websites you visit"), any site you recently auto-filled with the vulnerable version of TGS actively running on your system has potentially captured your credentials.

Since we don't know for sure what has actually been done, that only leaves everyone one option: change your passwords, just in case. As someone who has over 1,500 passwords saved into Chrome, it looks like my upcoming weekend has already been planned out for me (even though I downgraded to my own copy of TGS 7.1.6 back on November 25th, 2020).

Side note for users who plan on not taking any action and simply relying on Chrome to alert them about leaked passwords: if you actually get this alarm, it means you're probably screwed and most likely too late to do anything about the breach you now have to clean up.
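The permission sarog describes ("read and change all your data on websites you visit") is decided by the host patterns an extension requests in its manifest. As an added example (not code from this thread, the extension, or its developer), the check below reads a manifest and reports whether any host grant covers every origin, which is the precondition for in-page access to form data; the manifest here is a constructed sample, not The Great Suspender's real one.

```javascript
// Host patterns that cover every origin. Any one of these is what Chrome
// surfaces to the user as "read and change all your data on all websites".
const BROAD_HOST_PATTERNS = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
]);

// Collects every host pattern an extension requests: MV2 "permissions",
// MV3 "host_permissions", and each content_scripts "matches" entry.
function collectHostPatterns(manifest) {
  const patterns = [];
  for (const p of manifest.permissions || []) {
    // API permissions such as "tabs" or "storage" carry no scheme and are skipped
    if (p.includes("://") || p === "<all_urls>") patterns.push(p);
  }
  patterns.push(...(manifest.host_permissions || []));
  for (const cs of manifest.content_scripts || []) {
    patterns.push(...(cs.matches || []));
  }
  return patterns;
}

// Returns the requested patterns that match every origin. With one of these,
// the extension can run script in any page, including pages with auto-filled forms.
function broadHostGrants(manifest) {
  return collectHostPatterns(manifest).filter((p) => BROAD_HOST_PATTERNS.has(p));
}

// Summary a user or reviewer would want: does it reach all sites, via which
// grants, and does it also request browsing history (widens what a tracking
// library could report, as discussed earlier in this thread).
function assess(manifest) {
  const grants = broadHostGrants(manifest);
  return {
    allSites: grants.length > 0,
    grants,
    readsHistory: (manifest.permissions || []).includes("history"),
  };
}

// Constructed sample manifest (hypothetical extension, not a real one).
const SAMPLE_MANIFEST = {
  name: "sample-tab-suspender",
  manifest_version: 2,
  permissions: ["tabs", "storage", "history", "<all_urls>"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["cs.js"] }],
};

console.log(assess(SAMPLE_MANIFEST));
```

The same function applied to a manifest limited to, say, `https://example.com/*` reports `allSites: false`, which is the outcome to look for before granting an extension.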

pressRtowin commented 3 years ago

I have no concrete proof that the two are related, but you may find my recent security breach to be of interest. I wrote about it here: https://github.com/greatsuspender/thegreatsuspender/issues/1307#issuecomment-773700055

ghost commented 3 years ago

> @deanoemcke and others have been integrating a closed-source library that tracks user information going all the way back to May of last year -- #1147
>
> I am hearing rumblings that the developer is being paid by a third party to integrate a closed-source library that tracks user data in the latest release, hence the intrusive "UPDATE NOW" push. I'll be removing this extension post-haste.
>
> I tried warning others about this and was harassed. Google didn't know until just recently when several security blogs covered it -- it's been going on for months at this point.

@mike9k1 well done for spotting it when you did. Sorry to hear you weren't taken seriously. Good lessons can be learned the hard way.

ossilator commented 3 years ago

@tris543, actually, it's pure coincidence that he was "right" in retrospect. See my comment on the other issue.

ghost commented 3 years ago

> @tris543, actually, it's pure coincidence that he was "right" in retrospect. See my comment on the other issue.

@ossilator I did read it and understand that tracking was implemented before.

If someone is saying something about malicious content, I don't think it's a joking matter, and investigating always is, and should be, the best course of action.

That investigating has happened way too late, and the victim number was 2,000,000+, which was the number of Google users that downloaded the extension. I really believe this could have been avoided.

I thank you for the reply.