greatsuspender / thegreatsuspender

A chrome extension for suspending all tabs to free up memory

Home Page:https://chrome.google.com/webstore/detail/the-great-suspender/klbibkeccnjlkjkiokjodocebajanakg/

Upcoming changes to the management of The Great Suspender

deanoemcke opened this issue · comments

Hi everyone. I'd like to announce some changes to the administration of The Great Suspender project.

It's been almost 8 years since the first release of The Great Suspender to the Chrome Web Store. I've seen the extension turn from a hobby project to an indispensable chrome add-on, all due to an enthusiastic community of users that promoted the extension on my behalf.

The contribution of both code, and feedback from everyone here on GitHub has been critical to the success of the project. You have helped me detect and resolve bugs, given me ideas for UX improvements and new features, and provided technical assistance when I have found myself struggling with some code. I honestly couldn't have got to this point without you.

However, as the user base for The Great Suspender has continued to grow, so have the commitments in my private life. And I've found I'm increasingly incapable of meeting the demands that this project requires. I've therefore decided to take a step back, and let others lead the development.

I have found a new dedicated owner for The Great Suspender who has the capacity to see the extension actively maintained into the future. The new GitHub administrator for this project will be @greatsuspender. They have also purchased the rights to publish the extension to the Chrome webstore and will be managing the public release process going forwards. Big thanks for taking on this project and continuing its development!

Thanks again for all of your support here on GitHub. You're the best!

Thank you for all your work over the years. Will they also be managing the Great Discarder fork?

Congrats! Can we know who the new owners are? I'd like to make sure it's someone we can continue to trust.

Thanks!

The Great Discarder will remain with me. Although I don't have any capacity to continue the maintenance of that project right now. I may be able to continue merging PRs if they come in.

I do not wish to publish publicly any personal information about the new owner, but the project will remain open source and the code here on GitHub will continue to reflect the code published to the chrome webstore.

when can we expect the new overlord to actually do something? it's been two weeks now and they haven't done anything visible. that's not much of an improvement over the previous state ... :}

Thanks for all the work over the years, Dean!

so i guess we can now officially conclude that the transition was a failure? :(
i'm not at all surprised - you can't really expect someone with no track record in a project to take over a major responsibility as a volunteer. it doesn't matter how enthusiastic they may appear at the outset. that it all happened behind closed doors probably didn't help, either.
@greatsuspender, care to comment?

the question is how to move forward. finding a "worthy" successor within the community still requires prolonged investment from the old maintainer, so as things stand, even a prominent call for help on the web store would not lead to anything. i suppose a possible way forward would be declaring "bankruptcy", seeing if a viable fork emerges, and if so, transferring official ownership to its maintainer.

Would be great to hear more about this. Unfortunately, there have been cases of "mysterious buyers" taking over projects and injecting malware into them (see NanoAdblocker/NanoCore#362). I don't have any reason to believe that the deal here might be in any way problematic like this, but the lack of information is worrisome. For now I am using a local version instead of the one provided by the Google store.

ps: thank you for all your work in this project!

After what happened to Nano Adblocker and Defender and an update to The Great Suspender, my stomach is churning. I'm so scared. I don't know what I'm supposed to do. With Nano I just uninstalled them, switched to uBO and kept the filters as it leads to an archived repo. What do I do here????

Hmm, addon updated to 7.1.8 but there's no release for it on github, still showing 7.1.6.

What's the official changelog in the newest update? (besides trying to parse commits)

As an aside, I still hate how Chrome decides to randomly update addons in the background despite being in developer mode. Why even have an 'update extensions' button if it's going to update them regardless?

@DAOWAce

Hmm, addon updated to 7.1.8 but there's no release for it on github, still showing 7.1.6.

Judging by the commits, it maybe was an oversight in publishing both on GitHub and on Google. Looks like he possibly published after overhauling the screenshot code in #1238 and then again after making it possible to disable Google Analytics in #1239

I've been inspecting the code on my browser extension version for any malicious stuff being added between those version discrepancies, I'd advise you to do the same. (Not sure in Chrome, but in Brave I can click inspect on the extension and view its code)

Uninstalled The Great Suspender!
Same annoying behavior as in the last update with the popup in all browser windows, and again no changelog...
So I say good bye to TGS and hello to "Auto Tab Discard" on all my devices.
The 3rd Add-On after Nano Defender / Adblocker I uninstalled this week...

Also I fear another bad code injecting, especially like above about the releases.

Anyway... thanks to the old dev.

Oh and if someone decide to switch too:
Make a backup of your tabs, or you will lose them when uninstalling TGS!

[Screenshot: additional_code]

The code has been added to gsAnalytics.js and appears to be calling JavaScript from outside.
The called code was obfuscated and I couldn't understand it...
I'm not an expert, so I don't know any more than this.

I don't understand English, so sorry for the machine translation.

What are people using as a replacement for TGS? "Tiny Suspender" is mentioned above. In the absence of a compelling explanation by the new owner of who they are and what they're doing, and an update here consistent with the Play Store, it's only prudent to consider TGS to now be malware.

The code posted in @danupo's comment caught my eye and a quick Google search turned up these Reddit posts:

https://www.reddit.com/r/chrome/comments/ikn38u/malicious_chrome_webstore_extension/
https://www.reddit.com/r/chrome/comments/gg2nii/auto_refresh_extension_now_malware/

Similar JS name and paths just with different domain, which wayyy too coincidental:

var owa_baseUrl = 'https://static.trckpath.com/';
_owa.src = owa_baseUrl + 'owa/modules/base/js/owa.tracker-combined-latest.minified.js?siteId=imkngaibigegepnlckfcbecjoilcjbhf&apikey=cc3ba1f3cad5332422ecafd9dd2aa0ac&v=' + details.version;
var owa_baseUrl = 'https://static.trckingbyte.com/';
var owa_cmds = owa_cmds || [];
owa_cmds.push(['trackPageView']);
var _owa = document.createElement('script');
 _owa.type = 'text/javascript';
 _owa.async = true;
 _owa.src =
   owa_baseUrl +
   'owa/modules/base/js/owa.tracker-combined-latest.minified.js';

Also a more indepth analysis of the minified js: https://www.reddit.com/r/chrome/comments/gg2nii/auto_refresh_extension_now_malware/fqd64jx/

Domain lookup:

Name: OWEBANALYTICS.COM
Registry Domain ID: 2566559592_DOMAIN_COM-VRSN
Domain Status:
clientTransferProhibited
Nameservers:
NS1.SITE-DNS.COM
NS2.SITE-DNS.COM
NS3.SITE-DNS.COM

Dates:
Registry Expiration: 2021-10-17 23:49:43 UTC
Created: 2020-10-17 23:49:43 UTC

Freshly registered domain so not to trigger any Google search results eh?

Conclusion: abort abort!
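The loader pattern quoted above is easy to spot mechanically. The following is an added example, not code from The Great Suspender or its maintainers: a static scan over an extension's JavaScript that finds `X.src = ...` assignments, resolves simple `var base = '...'` + `'literal'` concatenations so the remote host is visible, and lists any remote hosts whitelisted in a Manifest V2 `content_security_policy` script-src (allowing a host there is what lets such a `<script>` execute in the background page). The sample source and manifest embedded below are constructed to mirror the OWA loader; variable names, file names and the manifest contents are assumptions.

```javascript
"use strict";
// Added example, not code from The Great Suspender or its maintainers.
// Static scan for remote <script src> loaders in extension JavaScript.

// `var NAME = 'literal';` declarations, used to resolve concatenated URLs.
function collectStringVars(src) {
  const vars = new Map();
  const re = /\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*(['"])((?:\\.|(?!\2).)*)\2\s*;/g;
  let m;
  while ((m = re.exec(src)) !== null) vars.set(m[1], m[3]);
  return vars;
}

// Resolve `base + 'path' + runtimeValue` into a string; parts that cannot be
// resolved statically are kept as <placeholder> so the host is still visible.
// Splitting on '+' is deliberately naive: a literal containing '+' would break it.
function resolveConcat(expr, vars) {
  return expr.split("+").map((part) => {
    const p = part.trim();
    const lit = p.match(/^(['"])((?:\\.|(?!\1).)*)\1$/);
    if (lit) return lit[2];
    if (vars.has(p)) return vars.get(p);
    return "<" + p + ">";
  }).join("");
}

// Every `X.src = <expr>;` whose resolved value is an http(s) URL.
function findRemoteScriptLoads(src) {
  const vars = collectStringVars(src);
  const hits = [];
  const re = /([A-Za-z_$][\w$]*)\.src\s*=\s*([^;]+);/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const url = resolveConcat(m[2].replace(/\s+/g, " ").trim(), vars);
    const host = url.match(/^https?:\/\/([^/?#]+)/i);
    if (host) hits.push({ element: m[1], host: host[1].toLowerCase(), url });
  }
  return hits;
}

// Remote sources allowed by the manifest's script-src directive (MV2 string form).
function remoteScriptSrcHosts(manifest) {
  const csp = manifest.content_security_policy || "";
  const directive = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("script-src"));
  if (!directive) return [];
  return directive.split(/\s+/).slice(1).filter((s) => /^https?:\/\//i.test(s));
}

// Constructed sample mirroring the OWA loader quoted in this thread, plus one
// benign local asset load that must not be reported.
const SAMPLE_BACKGROUND_JS = `
var owa_baseUrl = 'https://static.trckingbyte.com/';
var owa_cmds = owa_cmds || [];
owa_cmds.push(['trackPageView']);
var _owa = document.createElement('script');
_owa.type = 'text/javascript';
_owa.async = true;
_owa.src =
  owa_baseUrl +
  'owa/modules/base/js/owa.tracker-combined-latest.minified.js?v=' + details.version;
var icon = document.createElement('img');
icon.src = chrome.runtime.getURL('img/icon.png');
`;

// Constructed manifest fragment (assumption): CSP whitelisting the tracker host.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  content_security_policy: "script-src 'self' https://static.trckingbyte.com; object-src 'self'",
};

function audit(src, manifest) {
  return { remoteScriptLoads: findRemoteScriptLoads(src), cspScriptHosts: remoteScriptSrcHosts(manifest) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(audit(SAMPLE_BACKGROUND_JS, SAMPLE_MANIFEST), null, 2));
}
```

Run it over the unpacked extension directory's `.js` files (Chrome keeps installed extensions unpacked under the profile's `Extensions/<id>/<version>/` folder) and treat any host that is neither the extension itself nor one named in the privacy policy as something to explain before the next update lands.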

Great work @danupo and @zanglang. I've added the domain to my DNS denylist, because I really don't feel like switching extensions right now. :/

I knew something was up when a new version of the extension was available, yet the GitHub was not updated. Luckily it never had a chance to update to 7.1.8 (the extension displayed the usual window when an update is available, in which I backed up my suspended tabs, deleted the staged update from the filesystem, modified the manifest file by deleting update_url, and restarted Chrome causing the extension to delete itself and become disabled) and I eventually installed 7.1.6 of the extension from the Releases page.

Good job to both @danupo and @zanglang for discovering this and making this known.

Also, should this be posted on other communities as well (like Chrome subreddit) to spread the word?

Also, should this be posted on other communities as well (like Chrome subreddit) to spread the word?

Yes. I've tweeted about it, if anyone wants to retweet go ahead, can also share anywhere else talking about it there so we can keep people in the know incase the malicious author here deletes this issue. https://twitter.com/joshmanders/status/1321283443825803264

OK, it appears I may have overreacted.

owa.tracker-combined-latest.minified.js is a release artifact from the Open Web Analytics project, which proclaims to be a GA alternative. Example code: https://github.com/Open-Web-Analytics/Open-Web-Analytics/wiki/Tracker

If we DNS lookup the 2 other linked domains, they both have the same DNS SOA record, but it's not the same for owebanalytics.com. Unfortunately it's not possible to glean any further info for this domain.

$ dig trckingbyte.com SOA +short
a8332f3a.bitcoin-dns.hosting. stela.staniyova.web.de. 2019111501 7200 7200 172800 38400
$ dig trckpath.com SOA +short
a8332f3a.bitcoin-dns.hosting. stela.staniyova.web.de. 2019111501 7200 7200 172800 38400
$ dig owebanalytics.com SOA +short
ns1.openprovider.nl. dns.openprovider.eu. 2020101801 10800 3600 604800 3600

Without actually seeing the actual tracked events that the JS is sending back it may not be reasonable to conclude that it is malicious (and my JS-fu is not powerful enough). Almost all of our Android/iPhone apps are embedded with similar trackers to help devs track user interaction within the app, so it's up to the maintainer to step up and clarify why it's suddenly injecting a tracker.

As for the coincidence that all 3 sites host the same JS with the same directory paths... it turns out that's just how owa is packaged.

$ tar tvf owa_1.7.0_packaged.tar| less
...
-rw-r--r-- padams/admin  72183 2020-09-16 11:50 ./modules/base/js/owa.tracker-combined-min.js

Pretty suspicious to have published this version without pushing to GitHub. It reeks to high hell of plans to be very malicious.

They didn't tag anything, but the tracking-opt-out branch seems to be pretty clear. The new dev added tracking, and with it an opt-out.

Let me repeat. There is an opt-out button for the tracking

Now, whether it works is another thing, but I am skeptical that they'd add such a button if they were malicious.

It's a relief that the new dev lets you opt out of the tracking they added. Relief being relative of course; still shit scared lol. They say that it's not just Google Analytics. You guys found out that there's Open Web Analytics. For now I'm continuing to use The Great Suspender. If there's a decent fork or alternative, please let us know!

If you are happy discarding tabs and don't need the whole placeholder infrastructure, there's https://chrome.google.com/webstore/detail/auto-tab-discard/jhnleheckmknfcgijgkadoemagpecfol/ (and equivalents for other browsers) - it has some amazing shortcuts under chrome://extensions/shortcuts too.
Site: https://add0n.com/tab-discard.html
Source: https://github.com/rNeomy/auto-tab-discard

The big question: Is it still safe to continue using TGS?

I'd like to point out the amount of code that has changed since this announcement is not significant. The code that has changed has been very minor or was already a part of this GitHub in another branch. I don't worry that this extension has become unsafe, at least yet. My biggest fear is that there won't be any real future updates and the project will die. That's why I've started learning JavaScript.

The big question: Is it still safe to continue using TGS?

I would say no, because:

  1. We don't know if the loaded script is malicious or not. Even if the external script is just a valid owa analytics, it is not respecting the opt-out flag (actually, it is respecting the flag), and since it is an external script loaded from an unknown domain it might change at any time.
  2. the fact that a new version was published in the store without being published in Github is a giant red flag that can't be ignored.

The silence from the new owner is not good either.

It just reeks of bad vibes.

Could anyone please tell me, is removing the extension enough to reverse whatever may have been compromised on my machine / browser? Is there any potential that this extension could have used some exploit to drop code elsewhere on my computer, or otherwise cause any problems even if it is removed? Very grateful for any insight! Thank you.

@XxX-Force

Is there any potential that this extension could have used some exploit to drop code elsewhere on my computer, or otherwise cause any problems even if it is removed?

I guess it's possible, but we haven't seen any evidence of that happening.

Could anyone please tell me, is removing the extension enough to reverse whatever may have been compromised on my machine / browser? Is there any potential that this extension could have used some exploit to drop code elsewhere on my computer, or otherwise cause any problems even if it is removed?

No. It is possible that the developer is malicious, but it just appears (to me) that they are a poor communicator. The code in github does appear to match, though there isn't a new tag.

Further, the change appears to simply be adding another analytics software: and while it's possible that the hosting URL will start serving malicious code, there is an opt-out from it.

However, Chrome fully sandboxes everything, especially its extensions. Once uninstalled, any damage should be removed. It is possible that a bug exists in that sandboxing; however, finding it would require a major effort (i.e., a state actor), and such an actor wouldn't try to deploy their attack so badly.

@greatsuspender, please just reply to this thread and let us know you exist. This change is probably positive, and innocent, but we don't know until you speak to us.

In the meantime, I'll join the people who are trying to crack this thing open, and see if I can spot any issues.

However, Chrome fully sandboxes everything, especially its extensions. Once uninstalled, any damage should be removed. It is possible that a bug exists in that sandboxing; however, finding it would require a major effort (i.e., a state actor), and such an actor wouldn't try to deploy their attack so badly.

True, but this extension does run with pretty broad permissions:

"permissions": [
  "tabs",
  "storage",
  "history",
  "unlimitedStorage",
  "webRequest",
  "webRequestBlocking",
  "http://*/*",
  "https://*/*",
  "file://*/*",
  "chrome://favicon/*",
  "https://greatsuspender.github.io/",
  "contextMenus",
  "cookies"
],

Those are probably enough to MITM a website, for example. The bigger risk here is they target your AWS account, not that they break in to your laptop.

I would be more comfortable if it were made more clear how those permissions are used and what they are required for.

No. It is possible that the developer is malicious, but it just appears (to me) that they are a poor communicator. The code in github does appear to match, though there isn't a new tag.

the code doesn't match the code on master (compare https://github.com/greatsuspender/thegreatsuspender/blob/master/src/js/gsAnalytics.js with the changes posted before), and there isn't any other branch with these changes.

However, Chrome fully sandboxes everything, especially its extensions. Once uninstalled, any damage should be removed. It is possible that a bug exists in that sandboxing; however, finding it would require a major effort (i.e., a state actor), and such an actor wouldn't try to deploy their attack so badly.

Unless the injected js proceeds to then join a botnet, collect all of your sessions and then use your cookies in impersonation attacks, outside of that sandbox...

I was one of those suckers who missed the news about Nano Defender and neglected to uninstall it asap, and as you can see, am pretty bitter about all this.

I cracked open the extension. The source in github does appear to correspond with the installed extension(as far as I can tell: there are a lot of files built by the github source that don't appear in the copy I found, and the manifest.json differs slightly, but I think that's just an artifact of the different distribution systems).

The changes between the shipped 7.1.6 and 7.1.8 are very minimal. They appear to be some screenshot improvements, and the new tracker. OpenWebAnalytics seems to be legitimate.

The only real possible issue that I see is that, as @nfultz noted, the extension now requests permission to edit web requests. This is a major concern to me, since it means that if some future version begins performing MITM attacks, the extension won't need to request additional powers. However, I can find no evidence that it is doing those attacks now, unless OWA is illegitimate.

To be clear: yes, the extension has been modified in a way that is suspicious, by asking for a new, sweeping permission set without using it. However, while it is suspicious, there is no evidence that it is malicious (yet)

@lucasdf I ran a build and diffed them. The only differences between the one I built and the Chrome extension that Google shares is that mine included a bunch of additional resources not found in the distributed .crx. That's pretty fine by me: probably just build junk, or some such. The only thing that the web store version had that I didn't was a _metadata file (almost certainly auto-generated by Google), an auto-update line (again, a Google insert), and the permission for scripts downloaded from OWA's official CDN to run.

EDIT: Cleaned out sentence I wrote before I got the copy from the chrome web store

@zanglang I understand: seems perfectly fair. But the new, remote JS appears legitimate. While the extension is now officially suspicious, the source does still seem to correspond with the distributed version.

Basically, this all hinges on whether or not openwebanalytics is a legitimate site. Given that it has existed since 2009, I am inclined to believe that it is.

@kalpaj12
The big question: Is it still safe to continue using TGS?

It seems that the extension wants permission to edit requests (which it shouldn't need for the purposes we all use the extension for), it added tracking defaulted to opt-in, and it appears the published store versions aren't matching the git versions. IN MY OPINION, any one of these would mean NO, IT IS NOT STILL SAFE TO USE. Everyone is, of course, entitled to their own opinion.

I'm removing this extension RIGHT NOW on Firefox and Edge and evaluating alternatives / forks before the new mystery buyer came in.

Thank you all seriously for everyone's information and insight. I'm not a dev, and I'm not even clear on how to correctly use GitHub yet (sorry) .. so this next question might seem stupid.

I see that it looks like TGS was updated in some way around noon ET today. I have no idea what changes were made, if these changes were taken into account by the kind people above who tried to evaluate this situation, or honestly.. if what I'm seeing in this image even reflects that there was an actual change to the code.

As others have said here and elsewhere on the net, the whole Nano disaster has left a lot of people concerned, and more paranoid than usual.

I've already removed the extension. I feel really uncomfortable with what I'm reading about it adding new permissions that it just doesn't need in order to do what we all were using it for, and I don't trust the setting that supposedly "blocks all trackers" in the extension either.


EDIT: Inserting the image directly for visibility. Can anyone disabuse me of my ignorance please and tell me what I'm looking at?
Was there a change made to the extension on the date/time indicated?
Thank you all, again.


[Screenshot]

@deanoemcke thanks for all your work over the years, many people including me love this extension!

Something that really caught my eye in your original post is the following quote:

They have also purchased the rights to publish the extension to the Chrome webstore and will be managing the public release process going forwards

Do you mean that they paid money for the right to publish the extension?
If this is the case, it's very suspicious. This smells like the Nano Defender debacle.

As a maintainer of an open source browser extension, I frequently get purchase offers, even though my extension has far less users than TGS (200x less!). However, I always decline them on the spot because I'm pretty sure these companies want to use the extension to do user hostile things (and even if not, I have no way to ensure they won't do it). Even if you ignore any moral considerations, my reputation is much more important to me than the money they offer.

You did right by giving a heads-up about the ownership transfer. However, do note that the vast majority of users will never see this, which leaves them fully exposed.

After this much feedback with no comment from the new owner, this seems like obvious malware. I went into the Chrome Store and tagged it for review, and suggest others do the same. Unfortunate.

@deanoemcke, you okay, mate? If you're currently the captive of a lizardman paramilitary group seeking to undermine the 2 million chrome users of your extension, blink twice.

Seriously, though, is everything all right? I just saw that your personal email was listed, and so I assume a lot of people have been emailing you. But you aren't listed anywhere on the web, for anything recent. Springload.co.nz recently dropped you from their staff listing (i.e., in the past month), and... that's it for things with your name updated in the past month.

I guess we shouldn't expect to hear any further from him/her. Non-communication past the announcement is probably dictated in the sale. It's a shame. But I'm moving on...

@TheMageKing I can confirm Dean is okay :)
He is aware of this shitstorm (which IMO seems like a bit of an overreaction so far - nothing obviously malicious has taken place).
And you would be correct that he is being contacted a LOT about it.

I don't want to speak too much on his behalf (he may or may not be posting a reply here at some stage) but I remind folks that he sold the extension primarily because he didn't want to (/couldn't) carry the burden, as outlined in the original post, and he was perfectly entitled to do so. I don't know what @greatsuspender's deal is, but as for @deanoemcke please be assured there's nothing sinister behind his silence this far.

Hi everyone.

After doing a diff between the new webstore code of TGS and the latest commit in this repo I can confirm that there is a change in the gsAnalytics.js which is present in the webstore version, but not committed to the GitHub repo. I can also confirm that this new code will be ignored if the analytics opt-out option is checked. All other code appears to be the same.

It's unfortunate that the new maintainers have not kept the two codebases in sync as it erodes trust in the project.

I'm not an expert on what is legitimate analytics gathering (like I have been doing with the extension for years), and what is deemed malware. Are people here concerned that there is possible malicious code being run on their computers? I very much doubt this is the situation - it would certainly result in the extension being pulled from the webstore. Or is it more a concern that the new analytics will be invasive to privacy?

Giving the publisher the benefit of doubt, I would say that they have the right to collect extra analytics so long as it is within Google's policies, and is communicated to the user. There is a privacy policy linked on the chrome webstore (which I set up a while ago): https://greatsuspender.github.io/privacy

Of course, this assumes that Google are aware of these changes, and also that the linked privacy policy is still accurate. Google does have a fairly rigorous review process when trying to publish updates to an extension, so I assume this has been vetted by their review team.

Ideally we would have word from @greatsuspender to clarify exactly what the new Open Web Analytics is gathering.

Regardless of anything else, what's happening right now is in violation of the Privacy Policy of the extension that is linked to from the Chrome Web Store.

When I read the above, I started to wonder: would it be possible to fork the extension, and have it community-owned, somehow? I'm sure the original developer of TGS (thank you, pal, for all the great work!) maybe tried this, but for some reason, it might not be possible?

hey @deanoemcke, thanks for speaking up. but given how things are turning out, i think you really should give us some more ...
it's not necessary to reveal actual identities of @greatsuspender (even though it would certainly help), but it's crucial to understand what your basis of trust is. how do you know these people? what assurances do you have, what agreements have been made (and how enforceable are they)? why didn't you seek succession from within the community you acknowledged?

Question. If I disable access to:

trckingbyte.com

trckpath.com

owebanalytics.com

Can I go back to using this extension again without any concerns?
Thanks for everyone helping.

@XxX-Force assuming you're using the web store version, and you don't trust the new owner, then no. Because they can push a new web store version with different tracking details or whatever at any time (and afaik there's no way to disable automatic updates).

Thank you @liamjohnston .. and I apologize to all for spamming up the thread here. How can I get the non-web store version of 7.1.6 off of GitHub and installed into my Chrome browser, being a layman that doesn't know how to build or compile etc? I know I'm asking for a lot.

Thank you @liamjohnston .. and I apologize to all for spamming up the thread here. How can I get the non-web store version of 7.1.6 off of GitHub and installed into my Chrome browser, being a layman that doesn't know how to build or compile etc? I know I'm asking for a lot.

Download from here
https://github.com/greatsuspender/thegreatsuspender/releases

Follow the instructions to install from source from the homepage/readme of this repo. Make sure you select the src directory. Also make sure to unsuspend any suspended tabs before disabling any version of TGS.

Thank you @liamjohnston .. and I apologize to all for spamming up the thread here. How can I get the non-web store version of 7.1.6 off of GitHub and installed into my Chrome browser, being a layman that doesn't know how to build or compile etc? I know I'm asking for a lot.

Don't worry. I'm sure there are a lot of people (Myself included,) lurking and benefitting from the information you're asking for.

Maybe try running without a suspending extension for a bit?

I couldn't find one I liked after uninstalling TGS and just been running 3 windows with about 60 tabs combined open for 4 days now and my machine seems to be running quieter and less RAM utilization

I have removed the extension from my browser :( the lack of communication and transparency makes it really hard to continue using this. Its been a good run.

What a shame!!! after Nano Defender, now The Great Suspender... sold to some random people with a set-up account without any history... seriously!?

I have uninstalled TGS and installed Auto Tab Discard instead. I'm finding speed and RAM use is much better on my older Mac.

I have uninstalled TGS and installed Auto Tab Discard instead. I'm finding speed and RAM use is much better on my older Mac.

I have similar findings on Windows 10 v2004, Intel i7 7700K, 32GB RAM. RAM usage is about the same on Firefox and seems to be maybe even a little better on (Newer, Chromium-Based) MS Edge.

I, personally, recommend Auto Tab Discard FF | Edge to anyone who found this GitHub issues in search of a replacement.

I'm not terribly surprised about the improved performance, as this does provide some features lacking in Auto Tab Discard (e.g., the screenshots mechanism).

I like those features, and would appreciate it if this extension were to survive. Is anyone aware of licensing issues that might prevent me from posting a new version on the Chrome store?

Is anyone aware of licensing issues that might prevent me from posting a new version on the Chrome store?

Google specifically disallows duplicate extensions in the Chrome Store in their spam policy - https://developer.chrome.com/webstore/program_policies#spam - and once their review team makes an adverse decision it can be extremely slow and difficult to get a rereview.

I'd recommend just writing a completely new extension - if there's specific code or functionality you want to reuse from this repository, it's licensed under GPL-2.

@TheMageKing, you may want to refer the Google review team back to this thread if you run into issues. That said, I don't think we have a "smoking gun" here yet that conclusively shows the new owner has malicious intent. They may just be a terrible communicator.

@TheMageKing, you may want to refer the Google review team back to this thread if you run into issues. That said, I don't think we have a "smoking gun" here yet that conclusively shows the new owner has malicious intent. They may just be a terrible communicator.

I don't mean to be argumentative, so please don't take the tone of this text that way. I just don't see how anyone can reach a conclusion like that. Anyone aware of this current situation who has not disabled/removed this extension (or altered their setup/router or modified the extensions code on their own) to help mitigate the dangers these new developments have placed them in, is taking quite a risk based on an entity who has not done ONE thing to earn that level of trust, or any trust whatsoever, from anyone. This entity has no prior GitHub history to consider, no way to look at other projects they may have worked on, NOTHING.

They pushed a version change to 7.18 to the Chrome Web Store on October 27, 2020, fully a week ago, and have still not updated the GitHub (which he purchased.. because.. that's totally normal for a free Chrome Extension). They have refused to even announce him/herself, pass any kind of Turing test to demonstrate they are even human, or address ANY of the many, numerous issues and requests for comment regarding all of this.

They have added code to the extension that calls remote scripts that at the very least add new analytics/telemetry/tracking .. who knows really, that gets sent to destinations (trckingbyte.com, trckpath.com, owebanalytics.com) that are not authorized or compliant with the extension's Privacy Policy. All of this done without the users' knowledge, control, or consent.

This is FAR beyond "poor communication skills". If all of the above doesn't show malicious intent, especially with ZERO communication, then I don't know. I guess someone has to actually have their bank account compromised or something before we can conclude it's malicious. I'm more than willing to give the benefit of the doubt, but this person clearly has no intention of availing themselves of the (misplaced) trust and opportunities we've afforded them, and that in itself is malicious behavior.

That's all I have to say, for whatever it's worth. I apologize for the long post.

No offense taken. I had actually already uninstalled the Chrome store version and am using the last known good one, 7.16, until I decide on next steps [1]. I like to give the benefit of the doubt, but I'm not going so far as to let myself be a guinea pig either.

I've been loosely following the thread, but my read of recent comments from zanglang and TheMageKing seems to show that nothing bad is in there yet, but I definitely agree that the whole thing stinks of possible, even likely, ill intent. The only point I was trying to make was that I don't know if that's a high enough bar for the Google folks to ban the old extension in favor of a replacement forked from 7.16.

Footnotes

  1. Can anyone provide an argument against using 7.16 in the short term? I'm not a JS developer and don't particularly want to spend the time right now to analyze the extension in detail myself, but I don't think I've read anything here that says I should abandon TGS completely.

@deanoemcke Please note that the Google Extensions Web store has not been updated with ownership.

Everyone looking there would still think that you are the owner of the extension. This is a very bad oversight (being charitable here) on the part of the new owners, and does not bode well.

If you expand the Overview, all references of who to contact are YOUR web link. The last update that you refer to is version 7 in 2018.

According to the privacy page (which Google still links to):
"The Great Suspender extension is owned and operated by Dean Oemcke - a programmer from New Zealand".
The new owners have had more than 4 months to change that, but haven't.

Please note that the "Website" it links to is STILL "https://github.com/deanoemcke/thegreatsuspender". That includes your name.

You really need to get that sorted unless you relish being forever tainted.

let's not jump to conclusions; there are numerous ways to interpret the evidence. here's just what i can come up with; not all options are mutually exclusive:

regarding @greatsuspender's silence:

  • they see the whole thing as a strictly commercial enterprise
    • as the revenue stream from the donations is more of a trickle, the volume of contributions is accordingly small, and communication doesn't fit the budget at all.
  • they have zero experience with contributing to FOSS, and thus have no clue what they are doing
    • they didn't realize that communication was part of the deal
      • far-fetched, and they'd have noticed by now (they actually read sufficiently many issues to choose some to fix+close)
    • they never even received any of the github notifications, because the mails go to an unsorted/spam folder, or they even used a throw-away address for registration
      • rather implausible, esp. for a pro account
      • they'd have noticed by now, dean would have told them
  • they may have a serious language barrier problem
    • their commit history doesn't suggest that
  • they may be seriously autistic and just won't communicate
  • they want to leave us in the dark as long as possible to do $evilThing

why they may have bought the github pro account:

  • it looks more professional
  • they overestimated the benefits, or didn't even bother to check
    • seems a bit far-fetched
  • it just had to be done, because it was the ideologically correct thing to do
    • don't laugh, such people actually exist

regarding the sneaked in code fragment:

  • they may be just sloppy and failed to push the commit (which would also carry the release tag).
    • their "commit hygiene" suggests as much
    • but they'd have noticed by now unless they actually don't read any of the incoming communication
  • they actually already have the metrics server under control, and are just waiting for a suitable zero-day exploit in chrome to turn up before deploying malicious code to it
    • but it would have been just stupid to raise such suspicion by trying to hide code which is completely legitimate at face value
  • this was a test balloon, to see whether someone would notice

regarding the outdated information in the web store:

  • they are just negligent
    • the "no time/no budget" argument doesn't cut it here, as this completely undercuts their professionalism
  • they want the blame to go to dean once they do $evilThing
    • but dean could have already reported the misinformation to google, and they'd presumably have taken action by now

so to sum up, however one twists it, they are an obviously abysmal maintainer, but any ill intent is plausibly deniable.

regarding @deanoemcke's obvious refusal to reveal any insider information:

  • he may expect that answering the questions in a meaningful way would immediately reveal @greatsuspender's identity at least to those around him.
    • we don't know where the wish to remain anonymous comes from and why it is prioritized over gaining trust, so there is no way to judge this.
  • he may be legally prohibited from doing so
  • he may expect that a truthful answer would hurt the project's (or his) reputation even more than saying nothing

aside from all the speculation, i need to make a factual observation about the "sneaked in" code:

  • the package in the store is derived from a GPL'd code base and is therefore bound by it
    • while it is conceivable that @deanoemcke granted @greatsuspender an additional distribution license for or even transferred copyright of his code, there is no evidence whatsoever that any of the other contributors did. @marcospgp, any comment?
  • failure to publish that code fragment to github means that no source code has been made available for the new release
    • the fact that the crx file can be easily reverse-engineered is inconsequential, as it is not "the preferred form of the work for making modifications" (wording from the license)
  • therefore, the release constitutes a GPL violation afaict
    • this gives us leverage to report it to google and therefore force action from the (non-)maintainer

Yea this definitely doesn't smell good, let's report the extension on the chrome store citing this thread as evidence.

This entire issue and our discussion is a bit hard to find: I noticed some people filing new issues (eg, #1260 ) that make it clear they haven't seen this. So I made that issue, #1263, just to make it more visible.

let's not jump to conclusions; there are numerous ways to interpret the evidence. here's just what i can come up with; not all options are mutually exclusive:

....[humongous list of baseless assumptions]

I respectfully disagree. Let's all jump to a conclusion as quickly as possible. I strongly urge everyone to IMMEDIATELY remove this extension from their device(s) and report it for the numerous violations of both GitHub's terms and the policies of the Chrome Web Store.

If you find yourself saying "gee, maybe the guy's just autistic", after seeing that they have added code that calls remote scripts to send data to three different domains (trckingbyte.com, trckpath.com, and owebanalytics.com), maybe it's time to take a nap.

If you find yourself saying "gee, maybe the guy's just autistic", after seeing that they have added code that calls remote scripts to send data to three different domains (trckingbyte.com, trckpath.com, and owebanalytics.com), maybe it's time to take a nap.

@XxX-Force When I summarized this entire thread, I didn't say security was definitely compromised. I did so for a reason.

You appear to have misunderstood @zanglang's first post, and not seen his second. The extension is not directly connecting to the trck.... domains. It lacks the permissions to do so, AFAIK. Those sites are definitely malicious: they are hosted via a bitcoin hosting company, and were found in malicious extensions.

This extension is not those. It doesn't connect to those sites: instead, it connects to owebanlytics.com. That site appears to be a legitimate alternative to google analytics. Now, the JavaScript is at the same path: however, that appears to simply be the design of the service. That is why @zanglang initially found those other malicious extensions, but later dismissed the similarity. The fact that malicious extensions appear to be reusing parts of the Open Web analytics system doesn't indicate that Open Web is malicious: just that the hackers know that tracking is similar to analytics, and reused open-source code.

As my other post said, there is not yet evidence that the extension is malicious. And you don't need to be autistic to mess this up.

@TheMageKing, my comment was in reply to @ossilator's comment here, not to you. Regardless:

... The extension is not directly connecting to the trck.... domains. It lacks the permissions to do so, -=-=-= AFAIK =-=-=-. Those sites are definitely malicious: they are hosted via a bitcoin hosting company, and were found in malicious extensions.
...

Honestly, it's nothing personal, but this is exactly the problem. You DO NOT KNOW.

-=-=-=-=-
On a completely unrelated note, I received an email notification at 7:51 Eastern Time that @danupo had commented :

"It looks like there is a "keypressEventHandler" defined that tries to steal the password with external javascript.
In addition, the "getPassword" function and other functions are defined.

As Japanese law prohibits putting any part of the malware code on it, could someone please check this?"

But, for some reason, I cannot find that comment here. @danupo, what's up?

@danupo I also got the email notification about getPassword; the comment has since been deleted. Did you delete it yourself?

EDIT

it looks like getpassword is part of the OWA URL parser - https://github.com/Open-Web-Analytics/Open-Web-Analytics/blob/2170d3d0b878d17105a12a8fb1660a89a5b4d4fc/modules/base/js/owa.js#L722

For the tracker in general, it isn't reading passwords out of forms, but if you are using HTTP basic auth, those passwords would probably be leaked. In the context of a chrome extension, there's no basic auth to check the settings page.

@XxX-Force @nfultz
Yes. The comment was deleted by me to avoid misleading.
It was a default feature of the OWA.
I mistakenly thought it was a malicious addition.

https://github.com/Open-Web-Analytics/Open-Web-Analytics/blob/ee71d9269c8080e3c7e759170a4dc546ba4ed0be/modules/base/js/owa.js

Originally, getPassword and bindKeypressEvents are defined.

As an alternative, I would suggest Lazy Tabs, which uses the built-in tab discarding API.

Anyone know of some tab management (as opposed to discarder) extensions? I use Tabli with TGS. There's also Session Buddy.

I recommend Tabs Outliner. There's also OneTab

Did anyone else discover TGS through WaitButWhy?

The entity that bought the extension almost certainly did so to make money, and a reasonable first step toward this is to add analytics so they can see utilization metrics. I can almost guarantee that those metrics are in a PowerPoint deck somewhere in the world, as a basis for revenue projections. Now whatever happens next will be the interesting part.

@greatsuspender the lack of communication is hurting those utilization metrics.

@mikewaters There were already analytics in the extension. They just added new analytics and an opt-out.

@mikewaters There were already analytics in the extension. They just added new analytics and an opt-out.

I would guess then that the new analytics are more invasive; if they need an opt-out, there is some legal framework they are bound by (like CAN-SPAM).

I recommend Tabs Outliner. There's also OneTab

OneTab also has privacy issues + an AWOL maintainer just like TGS. But it is decent for a small-medium # of tabs.

I'd really recommend people just write their own extensions, it's pretty easy and there's plenty of good references.

For anyone who is concerned by the "stealth tracking" (i.e. it not being mirrored on Github for some reason), you can always install from source. It is easy: go to chrome://extensions, enable developer mode, click "Load unpacked extension" and point it to the src folder from this repo. Done!

HOWEVER, I DON'T SEE THE CURRENT ISSUE (in itself) AS A REASON TO FREAK OUT:

  1. The third-party JS is loaded from OpenWebAnalytics CDN, so it should not be able to do anything bad? I'm not 100% sure, but:
  2. It does not even get loaded if you tick that "Automatic deactivation of any kind of tracking" checkbox in settings:
var owa_baseUrl = 'https://cdn.owebanalytics.com/';
var owa_cmds = owa_cmds || [];
function loadOpenWebAnalytics(version) {
  owa_cmds.push(['trackPageView']);
  (function () {
    var _owa = document.createElement('script');
    _owa.type = 'text/javascript';
    _owa.async = true;
    _owa.src =
      owa_baseUrl +
      'owa/modules/base/js/owa.tracker-combined-latest.minified.js?siteId=klbibkeccnjlkjkiokjodocebajanakg&apikey=2cf3d852ab70d359456ce3a0aac237a3&v=' + version;
    var _owa_s = document.getElementsByTagName('script')[0];
    _owa_s.parentNode.insertBefore(_owa, _owa_s);
  })();
}

function init() {
  if (!gsStorage.getOption('trackingOptOut')) {
    loadGoogleAnalytics(
      window,
      document,
      'script',
      'https://www.google-analytics.com/analytics.js',
      'ga'
    );

    let details = chrome.runtime.getManifest();
    loadOpenWebAnalytics(details.version);
  }
  gsAnalytics = gsAnalytics();
}

This is from the actual extension installed from the chrome store, 'trackingOptOut' option is set by that checkbox, and loadOpenWebAnalytics() isn't referenced anywhere else. Also, that opt-out disables Google analytics too, which was force-enabled before, so you could say it is an improvement?

Yes, this is weird that they "hid" it like that. Might have to do with the hardcoded siteId and apikey, or maybe they "just wanted to experiment with it" (on users' machines, yes, but how else do you experiment with tracking?)

Yes, they handled their PR horrendously, but that doesn't mean they are automatically malicious! (And actually, "any PR is good PR". If it spreads and then it gets proven they did nothing malicious, then more people might use the extension and more would donate to them.)

Personally, I'm going to use the "developer mode install" option, but not to avoid that tracking. Mostly because of #1259 and other autoupdate-related issues, as developer-mode extensions don't get autoupdated.
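The core of the concern in this comment (and in the earlier "sneaked in code" discussion) is that the package in the Chrome store diverged from the source published on GitHub. The check a defender wants is mechanical: unpack the .crx, hash every file, compare against the git tag, and list which hosts the packaged JavaScript references. The following is an added example, not code from the extension or from this thread. The CRX2/CRX3 header layout it parses (magic 'Cr24', little-endian version, then either the CRX2 key/signature lengths or the CRX3 header length) is the real format; the sample source tree and store package are constructed in memory, and the sample CRX carries a dummy header, so signature verification is deliberately out of scope.

```python
"""Audit a packed Chrome extension against the source tree it claims to be built from.

Added example for illustration; not the extension's own code.
"""
import hashlib
import io
import re
import struct
import zipfile

# Hostname of every http(s) URL literal found in script/markup files.
HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def crx_payload(data: bytes) -> bytes:
    """Strip the CRX2 or CRX3 header and return the embedded zip archive.
    The signature block is skipped, not verified."""
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file")
    version = struct.unpack("<I", data[4:8])[0]
    if version == 2:
        key_len, sig_len = struct.unpack("<II", data[8:16])
        return data[16 + key_len + sig_len:]
    if version == 3:
        header_len = struct.unpack("<I", data[8:12])[0]
        return data[12 + header_len:]
    raise ValueError(f"unsupported CRX version {version}")


def file_digests(zip_bytes: bytes) -> dict:
    """SHA-256 of every file inside the archive, keyed by path."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def source_digests(files: dict) -> dict:
    """Same digests for an in-memory source tree {path: bytes}."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in files.items()}


def referenced_hosts(zip_bytes: bytes) -> set:
    """Hosts referenced by URL literals in the package's JS and HTML files."""
    hosts = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith((".js", ".html")):
                hosts.update(h.decode() for h in HOST_RE.findall(zf.read(name)))
    return hosts


def audit(crx: bytes, source_files: dict, allowed_hosts: set) -> dict:
    """Report files added/removed/modified relative to source, plus hosts not on the allowlist."""
    payload = crx_payload(crx)
    packed, src = file_digests(payload), source_digests(source_files)
    return {
        "added": sorted(set(packed) - set(src)),
        "removed": sorted(set(src) - set(packed)),
        "modified": sorted(p for p in packed if p in src and packed[p] != src[p]),
        "unexpected_hosts": sorted(referenced_hosts(payload) - allowed_hosts),
    }


def build_sample_crx(files: dict, version: int = 3) -> bytes:
    """Constructed CRX wrapper for testing only: the header bytes are dummies,
    so this archive is unsigned and Chrome would reject it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    dummy_header = b"\x00" * 16
    if version == 3:
        return b"Cr24" + struct.pack("<II", 3, len(dummy_header)) + dummy_header + buf.getvalue()
    # CRX2: key length 8 and signature length 8, both dummies.
    return b"Cr24" + struct.pack("<III", 2, 8, 8) + dummy_header + buf.getvalue()


# Constructed stand-ins for the git tag (SOURCE_TREE) and the store package (STORE_TREE).
SOURCE_TREE = {
    "manifest.json": b'{"name": "Sample Suspender", "version": "7.1.6"}',
    "js/gsAnalytics.js": b"loadGoogleAnalytics(window, document, 'script', "
                         b"'https://www.google-analytics.com/analytics.js', 'ga');",
}
STORE_TREE = dict(SOURCE_TREE)
STORE_TREE["js/gsAnalytics.js"] += b"\nvar owa_baseUrl = 'https://cdn.owebanalytics.com/';"
STORE_TREE["js/owa-loader.js"] = b"var owa_cmds = owa_cmds || [];"
ALLOWED_HOSTS = {"www.google-analytics.com"}  # hosts the published source already talks to


def sample_report() -> dict:
    """Audit the constructed store package against the constructed source tree."""
    return audit(build_sample_crx(STORE_TREE), SOURCE_TREE, ALLOWED_HOSTS)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

On a real package the call is `audit(open("ext.crx", "rb").read(), files_from_checkout, allowed)` with the source dict built by walking the `src` folder of the tagged checkout; a non-empty `added`/`modified` list is exactly the "no source published for this release" situation described above, and `unexpected_hosts` surfaces a newly introduced analytics domain without reading the minified code by hand.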

@evg-zhabotinsky
The summary I wrote in #1263 is pretty clear about the causes of suspicion. Basically, as long as they fail to communicate with us, we have to assume the worst. OpenAnalytics has the ability to conduct highly invasive tracking: and the permissions requested are such that the system could stop using that CDN and instead execute from other sources.

I agree that some of us are overreacting, but the problems here can't be dismissed out of hand.

  • The third-party JS is loaded from OpenWebAnalytics CDN, so it should not be able to do anything bad? I'm not 100% sure, but:

The script is loaded from owebanalytics.com which is a domain registered last month and it is not an official OpenWebAnalytics CDN.

  • The third-party JS is loaded from OpenWebAnalytics CDN, so it should not be able to do anything bad? I'm not 100% sure, but:

The script is loaded from owebanalytics.com which is a domain registered last month and it is not an official OpenWebAnalytics CDN.

That’s huge. I can’t find very much about that site, besides that their web server runs CentOS, they use Letsencrypt on their cdn subdomain, and they are hosted in the US (EIG/maybe Hostgator).

If this is not an official OWA property, then this is intentionally deceptive. I am generally open to commercial usage of open source but this stinks to high heaven.

right. so they do in fact already control the "metrics" domain, and they hid the code because it's only seemingly legitimate (so much for "face value" ...).
the script served by the domain looks like real OWA code, but i can't possibly do a full analysis. but even if it's legit for the time being, we must assume that it's on stand-by for an attack.
i now also reported this to google. let's hope they react in time, as that's the only way to actually protect unaware users. everyone else should disable the tracking option, or better use code from git.

  • The third-party JS is loaded from OpenWebAnalytics CDN, so it should not be able to do anything bad? I'm not 100% sure, but:

The script is loaded from owebanalytics.com which is a domain registered last month and it is not an official OpenWebAnalytics CDN.

That’s huge. I can’t find very much about that site, besides that their web server runs CentOS, they use Letsencrypt on their cdn subdomain, and they are hosted in the US (EIG/maybe Hostgator).

I would call this beyond huge, and would like to formally retract all my claims that this was "possibly innocent". That CentOS homepage indicates nothing about the server's OS: every link on that page just points to the real one. The only thing I can really discover (beyond what you said about Hostgator) is that they are running a 2018 version of nginx, configured to never return a 404 Not Found. Also, they have an SSH server, if anyone wants to try passwords randomly.

Open Web Analytics doesn't provide hosting solutions (yet), so it is plausible that the new maintainer needed to get a domain and self-host. But that doesn't explain the old nginx, the weird homepage, or the fact that the domain name clearly masquerades as legitimate.

If this is not an official OWA property, then this is intentionally deceptive. I am generally open to commercial usage of open source but this stinks to high heaven.

Commercial usage would not be done in this way. BlueHost is a webpage hosting provider. Anybody hoping to commercially offer an analytics service would use a more specialized cloud compute provider, and save money. This screams "trap".

Their trap worked, too. I never actually checked to see if owebanalytics.com was a legitimate website, because the cdn subdomain seemed silent, and I never noticed that the real openwebanalytics.com had a few extra characters.

I will probably actually do some work on my "thesecretsuspender" fork now that there is decent evidence that the developer is malicious. My goal is to make a version that can never touch the outside world. I'll update the other issue with this smoking gun before I go to bed.

this is helpful for anyone wanting to remove it: #526

Does anyone know the right people at OWA to contact? While they're not responsible for someone posing as them, they may be concerned about it, aware of this or similar instances, and have advice.

(Edited: opened Open-Web-Analytics/Open-Web-Analytics#703).

Just chiming in that I uninstalled and reinstalled the v7.1.6 from github source with no problem. I had never done anything like this before and it was super easy: (writing this was more work)

  1. Make a backup of your tabs, many options out there. One way is from The Great Suspender > Options > Session Management > Save to a text file with url of all tabs.
  2. Save whitelist from The Great Suspender options, make note of your settings.
  3. Unsuspend all tabs (MOST IMPORTANT)
  4. Uninstall The Great Suspender
  5. Download zip https://github.com/greatsuspender/thegreatsuspender/archive/v7.1.6.zip
  6. Unzip to folder in saved location
  7. Tools > Extensions > Turn-on Developer Mode at top-right corner
  8. In new option at top-left, "Load unpacked" > find & select the SRC folder where you saved it
  9. Update settings to old preference > DONE

The OWA people have confirmed in Open-Web-Analytics/Open-Web-Analytics#703 that the new "analytics" site from which TGS is loading code, is completely unaffiliated with them.

The OWA people have confirmed in Open-Web-Analytics/Open-Web-Analytics#703 that the new "analytics" site from which TGS is loading code, is completely unaffiliated with them.

While I completely agree that everything that has occurred up to this point has been questionable at best, one thing worth noting is that it seems this is how OWA is supposed to work. I don't believe they have any centralized server or CDN. It's a tool you are supposed to spin up your own server and domain for, so this answer isn't unexpected.

It's still sketchy, and I'm not reinstalling it anytime soon, but this may not be the evidence of shadiness in and of itself.

@TheCleric Not quite. Normally you have a website to use tracking on, and you put your OWA there too, no second domain needed. In this case, the extension doesn't have its own website, so OWA has to be hosted somewhere else. That, however, isn't a valid reason to misrepresent that hosting as OWA-affiliated using such a misleading name.


Just chiming in that I uninstalled and reinstalled the v7.1.6 from github source with no problem. I had never done anything like this before and it was super easy: (writing this was more work)

  1. Make a backup of your tabs, many options out there. One way is from The Great Suspender > Options > Session Management > Save to a text file with url of all tabs.
  2. Save whitelist from The Great Suspender options, make note of your settings.
  3. Unsuspend all tabs (MOST IMPORTANT)
  4. Uninstall The Great Suspender
  5. Download zip https://github.com/greatsuspender/thegreatsuspender/archive/v7.1.6.zip
  6. Unzip to folder in saved location
  7. Tools > Extensions > Turn-on Developer Mode at top-right corner
  8. In new option at top-left, "Load unpacked" > find & select the SRC folder where you saved it
  9. Update settings to old preference > DONE

Does this work fully for you btw? I just did exactly this - unsuspended all tabs, loaded them, then installed 7.1.6, and suspended a bunch.

Then I come back and all of my tabs are broken, it just says this:

image

@sjain882 - yes, the source loading of TGS still works for me; reviewing the extension details in chrome shows it loaded from the local source folder. Sorry to hear it's not working for you, I don't have any ideas.

image

@sjain882 What other Chrome Extensions do you have installed? Have you tried disabling them one at a time to try to find which one may be causing the problem? Do you by chance have the EFF's 'HTTPS Everywhere' extension installed? If you do, is the "EASE (Encrypt All Sites Eligible) Mode" setting enabled?

I can confirm that on Chrome Version 86.0.4240.183 (Official Build) (64-bit), TGS version 7.16 installed 'unpacked' from the 'src' folder as described above does work.

the trick is keeping the application id constant between updates/reinstallations. you need to insert "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWu7+3vUaUm2vuJZQsiPeciQbO5hpq8/Z2o6zP/Kv7I5+rI1ZfDhjsuz6jw2Efi23YwkAGPpXewhKnrmGXAgRSPIq1EHZUTwVwqo1SFWGCyEzywvXjpPiLaP3DsJCHT2wJE0KcWvt/aKeREtFCpvZ3b5vnupYh1oMlSryqBiINewIDAQAB", (taken from the release package) into the manifest.json file (after "incognito", to keep alphabetical order and logical nesting intact).
note that doing just that will, of course, change the id one last time.
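The reason the "key" trick in the comment above works is that Chrome derives an unpacked extension's ID from the public key in manifest.json rather than from the folder path once that field is present. The derivation is documented: SHA-256 of the DER-encoded public key, first 16 bytes, each hex nibble mapped to a letter from a to p. The block below is an added example (not the project's code) that computes the ID for a given key, inserts the key into a manifest in alphabetical key order, and reports whether the resulting ID matches the store ID from this page's URL. The manifest text is constructed; the key string is the one quoted in the comment above, and the store ID is the one in the Web Store link at the top of the thread.

```python
"""Derive a Chrome extension ID from the manifest 'key' field and check a
manifest before loading it unpacked. Added example; not the project's code."""
import base64
import hashlib
import json

# Extension ID from the Web Store URL on this page.
STORE_ID = "klbibkeccnjlkjkiokjodocebajanakg"

# Public key quoted in the thread (taken from the release package, per that comment).
RELEASE_KEY = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWu7+3vUaUm2vuJZQsiPeciQbO5hpq8/Z2o6zP/"
    "Kv7I5+rI1ZfDhjsuz6jw2Efi23YwkAGPpXewhKnrmGXAgRSPIq1EHZUTwVwqo1SFWGCyEzywvXjpP"
    "iLaP3DsJCHT2wJE0KcWvt/aKeREtFCpvZ3b5vnupYh1oMlSryqBiINewIDAQAB"
)

# Constructed manifest fragment without a "key" field, as a fresh checkout would have.
SAMPLE_MANIFEST = '{"name": "The Great Suspender", "incognito": "split", "version": "7.1.6"}'


def extension_id_from_key(key_b64: str) -> str:
    """Chrome's ID scheme: SHA-256(DER public key)[:16], nibbles mapped to 'a'..'p'."""
    der = base64.b64decode(key_b64)
    digest = hashlib.sha256(der).digest()[:16]
    return "".join(chr(ord("a") + nibble) for b in digest for nibble in (b >> 4, b & 0x0F))


def ensure_key(manifest_text: str, key_b64: str) -> str:
    """Return manifest JSON with 'key' added, keys sorted alphabetically
    (so 'key' lands right after 'incognito', as the comment above suggests)."""
    manifest = json.loads(manifest_text)
    manifest["key"] = key_b64
    return json.dumps(dict(sorted(manifest.items())), indent=2)


def manifest_keys(manifest_text: str) -> list:
    """Top-level keys of a manifest, in file order."""
    return list(json.loads(manifest_text))


def check_manifest(manifest_text: str, expected_id: str) -> dict:
    """Pre-flight check: does the manifest carry a key, and which ID will Chrome assign?"""
    manifest = json.loads(manifest_text)
    if "key" not in manifest:
        return {"has_key": False, "id": None, "matches": False}
    actual = extension_id_from_key(manifest["key"])
    return {"has_key": True, "id": actual, "matches": actual == expected_id}


if __name__ == "__main__":
    patched = ensure_key(SAMPLE_MANIFEST, RELEASE_KEY)
    print(patched)
    print(check_manifest(patched, STORE_ID))
```

Run it against the real `src/manifest.json` after pasting in the key; if `matches` is True the unpacked install will keep the store's ID (so per-extension settings and the `chrome-extension://<id>/` suspended-tab URLs survive), and if it is False the key was mis-copied. The ID is a hash of a public key only, so nothing here involves the private signing key.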

If you want to report the extension you can simply write this: @TheMageKing

The extension was sold to an unknown party. This entity has "updated" the extension to v7.18 w/o publishing changes to Github. It is calling remote scripts and using remote tracking analytics, sending user information somewhere w/o user knowledge. PLEASE SEE: #1175 (comment) AND ALSO: #1175 (comment) .. Owner refuses to communicate or respond to anyone. Can only be considered as malicious/malware at this point. We have no idea what the full changes are to the code, or the ramifications of said changes.

github.com//issues/1175#issuecomment-717656189


Just confirming that v7.1.6 is the last stable release before it all went downhill. I was thinking about making a branch and publishing to the store.

edit: https://github.com/wylie39/Thesuspender

Just confirming that v7.1.6 is the last stable release before it all went downhill. I was thinking about making a branch and publishing to the store.

That would be great!

Do we have a conclusive response from the dev yet?

Do we have a conclusive response from the dev yet?

No response whatsoever.

Do we have a conclusive response from the dev yet?

No response whatsoever.

We do, but it's vague and inconclusive
#1263