Removed from chrome store for containing malware? #1304

Open
okeetris opened this issue Feb 4, 2021 · 103 comments

Comments

@okeetris

okeetris commented Feb 4, 2021

Please complete the following information when submitting a feature request or bug report.

  • Extension version: 7.1.9
  • Browser name & version: Chrome Version 88.0.4324.146 (Official Build) (x86_64)
  • Operating system & version: Mac OS Big Sur 1.1

I just got a notification that The Great Suspender had been removed from my browser due to it having malware, and now I am unable to find it on the Chrome extension store?

The below link no longer works:
https://chrome.google.com/webstore/detail/klbibkeccnjlkjkiokjodocebajanakg

@okeetris
Author

okeetris commented Feb 4, 2021

image

@Skylancer187

Just got the same message.

@Jerrk

Jerrk commented Feb 4, 2021

@greatsuspender

@okeetris
Author

okeetris commented Feb 4, 2021

Hopefully this is a case of Chrome overreaching and auto-detection has interpreted some code wrong!

@koriar

koriar commented Feb 4, 2021

Unsurprising after #1263

@TheCleric

This is likely not an overreach. The new maintainer of this extension has been acting shady for a few months.

@dmihal

dmihal commented Feb 4, 2021

I had quite a few tabs removed when chrome pulled this extension.

Anyone know if there's a way to restore them?

@csis0247

csis0247 commented Feb 4, 2021

@deanoemcke

@owenblacker

Same here @dmihal 😞

@daviavmello

Alternatives to this extension?

@xbrandonx

Goodness, you only had ONE job to do.

@oliverseal

I feel dumb for not knowing this was an ongoing issue. :/ time to change all the passwords

@azuzunaga

@dmihal, you should be able to press the back button on your browser and get the page back. You can also look at the URL, for example: chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/suspended.html#ttl=Data.Argonaut.Core%20-%20purescript-argonaut-core%20-%20Pursuit&pos=3908&uri=https://pursuit.purescript.org/packages/purescript-argonaut-core/4.0.1/docs/Data.Argonaut.Core. You can get the URL for the page you were on from the last query parameter, uri.

@nfultz

nfultz commented Feb 4, 2021

I had quite a few tabs removed when chrome pulled this extension.

Anyone know if there's a way to restore them?

The original URL is embedded inside the TGS url, you can decode it and reopen the tab that way.

EDIT: beaten by @azuzunaga

@TrainerGamer

TrainerGamer commented Feb 4, 2021

Is there any way to recover currently suspended tabs when the extension was removed? Or do I have to manually reopen each tab

EDIT: Nevermind - answered already

@coolgk

coolgk commented Feb 4, 2021

how to force chrome to enable the extension? they disabled it without warning, all tabs are lost.

@azuzunaga

@daviavmello I went back to the last release before ownership transfer, https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6.

To install it, download and unpack tgs-7.1.6.zip. Then go to your chrome extension settings and click on load unpacked. Select the unpacked folder and you should be good to go. You'll lose your settings, including the whitelist.

@okeetris
Author

okeetris commented Feb 4, 2021

I have just followed the instructions at the bottom of #1263 to get the most recent version before the malicious maintainer arrived. It is working fine and I will keep it that way unless we can get an answer/any changes to the existing code.

@rxvincent

Chrome just closed all of my suspended tabs and I have no chance to restore them. ha

@AKA-Steve

Looking at tab history, 90% of my suspended tabs were all opened at the same time when I launched chrome so there is a nice timestamp where you can re-open and then manually fix the tabs if you want them re-opened

@DAOWAce

DAOWAce commented Feb 4, 2021

Well, this now kicks me in the ass to finally switch over to the last build before the new maintainer took over.

Just have to figure out how to get all my tabs back.. because Google are atrocious at giving users any control.

Edit: Figured something out: #1304 (comment)

@shadow306k

Chrome just closed all of my suspended tabs and I have no chance to restore them. ha

Go into your chrome history and find the suspended tabs, and just take the URL from them as described above in this thread

@TheThor

TheThor commented Feb 4, 2021

Can anyone point out what security issues this extension had?

@jjspace

jjspace commented Feb 4, 2021

Some good articles for context:
Ditch 'The Great Suspender' Before It Becomes a Security Risk
We no longer recommend the Chrome extension The Great Suspender. Here is why!

@srodriguez1850

Can anyone point out what security issues this extension had?

#1263

@TrainerGamer

Can anyone point out what security issues this extension had?

New maintainer was acting shady. Lots of tracking etc - #1263

@csis0247

csis0247 commented Feb 4, 2021

@daviavmello I went back to the last release before ownership transfer, https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6.

To install it, download and unpack tgs-7.1.6.zip. Then go to your chrome extension settings and click on load unpacked. Select the unpacked folder and you should be good to go. You'll lose your settings, including the whitelist.

Isn't the version number identical to the current release?

By the way, for me, the old release has an ID/hash "ileadlglecldmodljgiolifnolmmnkid", whereas the one on the chrome web store is "klbibkeccnjlkjkiokjodocebajanakg". After you installed the old version, go to session management, export, find and replace the ID in your sessions.txt, and import session. If it works, you may close your outdated windows.

@TrainerGamer

I'll be switching to The Marvellous Suspender - a fork of TheGreatSuspender without any tracking

https://chrome.google.com/webstore/detail/the-marvellous-suspender/noogafoofpebimajpfpamcfhoaifemoa/

@q00u

q00u commented Feb 4, 2021

I had read those articles and still not switched away from this extension, so my 2000+ suspended tabs in limbo is due to my inaction. There's no medicine for regret.

@mcchong

mcchong commented Feb 4, 2021

I discovered something very interesting

If I close and launch Chrome, it also launches the 7.1.8 version of TGS, the one that is marked malware. But it only lasts for about 1 minute until it disables it again! However, it's enough for me to open the TGS settings and EXPORT my saved sessions

I will now try to import them to the marvelous suspender

This worked, thanks. Will at least use marvelous suspender until I can cull my 1000s of open tabs lol. Hopefully I can do that before my new extension goes malware.

This comment helps together with notes from this issue:
gioxx#7 (comment)

@denengineer

denengineer commented Feb 4, 2021

For people who exported their history and now have a JSON array with 'url' fields (as mentioned by @edgarv09 and @scarrrr316), here is a one-line script to get the original unique URLs from this array:

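```js
// Take everything after "uri=" (the last, unencoded parameter) so original URLs containing "&" are not cut short.
[...new Set(YOUR_JSON_ARRAY.filter(el=>el.url.includes('suspended.html')&&el.url.includes('uri=')).map(el=>el.url.slice(el.url.indexOf('uri=')+4)))].join('\n')
```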

And shame on Google for closing all the suspended tabs - it would be much, much easier if they cared at least a tiny bit about users and left the tabs intact so we could easily restore them
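The recovery steps discussed in this thread (reading the page URL out of a `suspended.html` placeholder, de-duplicating a history export, and swapping the extension ID in an exported session file) can be done in one pass. This is an added example, not code from the thread or from the extension; the function names and the sample history entries are constructed, and it assumes the placeholder format shown in the comments above.

```javascript
// Added example: recover page URLs from The Great Suspender placeholder tabs.
// Chrome extension IDs are 32 characters from the range a-p.
const EXT_ID = /^[a-p]{32}$/;
const OLD_ID = 'klbibkeccnjlkjkiokjodocebajanakg'; // web store ID quoted in this thread

// Return the page URL embedded in a suspended.html URL, or null.
// "uri" is the last hash parameter and is not percent-encoded, so everything
// after it is taken verbatim; a query-string parser would cut it at the first "&".
function originalUrl(suspendedUrl) {
  const hashAt = suspendedUrl.indexOf('#');
  if (hashAt < 0) return null;
  const page = /^chrome-extension:\/\/([a-p]{32})\/suspended\.html$/.exec(suspendedUrl.slice(0, hashAt));
  const uri = /(?:^|&)uri=(.+)$/.exec(suspendedUrl.slice(hashAt + 1));
  if (!page || !uri) return null;
  let target;
  try { target = new URL(uri[1]); } catch { return null; }
  // History and session exports are untrusted input: only return web URLs,
  // never javascript:, data:, file: or chrome-extension: targets.
  return target.protocol === 'http:' || target.protocol === 'https:' ? uri[1] : null;
}

// Unique original URLs from an exported history array of { url } objects.
function recoverUrls(entries) {
  const unique = new Set();
  for (const entry of entries) {
    const url = entry && typeof entry.url === 'string' ? originalUrl(entry.url) : null;
    if (url) unique.add(url);
  }
  return [...unique];
}

// Point an exported session file at a different install of the extension by
// rewriting only the chrome-extension://<id>/ prefix, not every match of the ID.
function rewriteSessionIds(sessionText, newId, oldId = OLD_ID) {
  if (!EXT_ID.test(newId) || !EXT_ID.test(oldId)) throw new Error('invalid extension ID');
  return sessionText.split(`chrome-extension://${oldId}/`).join(`chrome-extension://${newId}/`);
}

// Constructed sample input (not real browsing data).
const PREFIX = `chrome-extension://${OLD_ID}/suspended.html#`;
const SAMPLE_HISTORY = [
  { url: PREFIX + 'ttl=Search&pos=0&uri=https://example.com/search?q=tabs&page=2' },
  { url: PREFIX + 'ttl=Search&pos=120&uri=https://example.com/search?q=tabs&page=2' },
  { url: PREFIX + 'ttl=Odd&pos=0&uri=javascript:alert(1)' },
  { url: 'https://example.org/not-suspended' },
];

console.log(recoverUrls(SAMPLE_HISTORY).join('\n'));
```
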

@ahlaissuffering

I discovered something very interesting

If I close and launch Chrome, it also launches the 7.1.8 version of TGS, the one that is marked malware. But it only lasts for about 1 minute until it disables it again! However, it's enough for me to open the TGS settings and EXPORT my saved sessions

I will now try to import them to the marvelous suspender

this works. try this. it saved me 156 tabs, some dating back to over a year ago, thanks!

@ultragreg

I discovered something very interesting
If I close and launch Chrome, it also launches the 7.1.8 version of TGS, the one that is marked malware. But it only lasts for about 1 minute until it disables it again! However, it's enough for me to open the TGS settings and EXPORT my saved sessions
I will now try to import them to the marvelous suspender

this works. try this. it saved me 156 tabs, some dating back to over a year ago, thanks!

worked too, thanks a lot !

@faphdev

faphdev commented Feb 4, 2021

@dmihal, you should be able to press the back button on your browser and get the page back. You can also look at the URL, for example: chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/suspended.html#ttl=Data.Argonaut.Core%20-%20purescript-argonaut-core%20-%20Pursuit&pos=3908&uri=https://pursuit.purescript.org/packages/purescript-argonaut-core/4.0.1/docs/Data.Argonaut.Core. You can get the URL for the page you were on from the last query parameter, uri.

IMHO, this is not the case today because it was removed completely.

@MrAureliusR

Why do people have 156 tabs open? What the hell? How is that useful? How are bookmarks not 1000x better at doing the same thing? I genuinely don't understand why people do this. I have maybe 5-10 tabs open maximum. I try and keep it under 5 most of the time. There's no reason to have that many tabs open. Once you've gotten the info you need from a page, just close it. If you might need it again, bookmark it...

@Sciph3r

Sciph3r commented Feb 4, 2021

#1304 (comment)

This worked for me as well.
If the closing then re-opening isn't working, I suggest you close everything chrome related before re-opening. I needed to:

  1. Close Chrome (make sure you have "start chrome from previous session" and the extension tab opened before closing, for saving time if anything else)
  2. Kill every session of Chrome from task manager
  3. Re-open Chrome, manage the extension and export. I just exported the latest current session, and that did the trick

I then installed The Marvellous Suspender. There's this page here, gioxx#7, that outlines the steps to import. I actually didn't need to do this; the export from the great suspender was already in plain http format, so all I needed to do was import the session file from the great suspender into the marvelous suspender, then it should appear under Saved Sessions. I restored and loaded them up, and presto!

@RickBankers

It looks like TGS isn't marked as malware any longer. Mine just started working again. Any clues as to what changed?

@bloodgain

@RickBankers It is still not on the Chrome Web Store, so I still wouldn't trust it. Check out The Marvellous Suspender, which is a fork from before the "new owners" handover.

@q00u

q00u commented Feb 4, 2021

Mine updated to 7.1.9, but it's still flagged as malware and not running. It would be nice if it ran long enough for me to unsuspend all my tabs.

@flyingwolf79

Why do people have 156 tabs open? What the hell? How is that useful? How are bookmarks not 1000x better at doing the same thing? I genuinely don't understand why people do this. I have maybe 5-10 tabs open maximum. I try and keep it under 5 most of the time. There's no reason to have that many tabs open. Once you've gotten the info you need from a page, just close it. If you might need it again, bookmark it...

Why the hell are you even here if the product's use case does not apply to you?

Sod off.

@MrAureliusR

MrAureliusR commented Feb 4, 2021 via email

@coolgk

coolgk commented Feb 4, 2021

All of us here have TAB OCD, closing a tab? how dare you!? I will have to read it again in 3 years! O_O

none of the methods worked for me. I have manually restored most of my trillion tabs, tedious process but I feel much safer now ^_^

@agiudiceandrea

agiudiceandrea commented Feb 5, 2021

In order to export and import all the saved sessions I successfully followed this procedure https://github.com/agiudiceandrea/import-export-IndexedDB/blob/main/README.md

@NaelMelo

NaelMelo commented Feb 5, 2021

I discovered something very interesting

If I close and launch Chrome, it also launches the 7.1.8 version of TGS, the one that is marked malware. But it only lasts for about 1 minute until it disables it again! However, it's enough for me to open the TGS settings and EXPORT my saved sessions

I will now try to import them to the marvelous suspender

The best solution to recover lost tabs is simple and effective. Thank you for the tip!

@smith558

smith558 commented Feb 5, 2021

Can anyone point out what security issues this extension had?

Please read this: #1263. A detailed explanation of a myriad of security issues and malicious intentions.
#1263 (comment)

TLDR: The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more. In v7.1.8 of the extension (published to the web store but NOT to GitHub), arbitrary code was executed from a remote server, which appeared to be used to commit a variety of tracking and fraud actions. After Microsoft removed it from Edge for malware, v7.1.9 was created without this code: that has been the code running since November, and it does not appear to load the compromised script. The malicious maintainer remains in control, however, and can introduce an update at any time. Well, they could until Google nuked the extension from their store.

The Great Suspender has been removed from the Chrome Web Store. To recover your tabs, see issue #526
The code in the GitHub repository is currently safe, and the most recent tagged release happened before the transfer of ownership. To use that version, and avoid needing to finagle URLs, enable Chrome developer mode, download and extract a copy of the code, then navigate to your extensions menu and select 'Load Unpacked Extension'.

Some others have had success simply pressing the "back" button on suspended tabs: everyone should note that the site's URL is included in the URL of the suspended page. For a pictorial guide on doing this, see this comment. Further, if you just want to reload lost tabs, you can use some form of File History on Chrome's user profile directory (while chrome is closed!), before restarting chrome and using the extension menu to unsuspend all tabs before your computer realizes the extension is banned again.

Because the malicious code loaded from a server by the extension in version 7.1.8 was heavily obfuscated, it is hard to say what may have been compromised. However, those who did manage to conduct a successful analysis of the code did not report password-stealing functionality in the copies that were archived. If you don't already, I highly recommend using a password manager like Bitwarden, to reduce the difficulty of changing your passwords, and to prevent a site that transmits and stores password information in an insecure way from causing the rest of your accounts to be compromised. Additionally, enabling two factor authentication wherever you can is a very easy and powerful way to make it virtually impossible for an attacker to get your data, even if they managed to retrieve passwords.

Full, pre-removal description of issue:

@deanoemcke, the original developer, chose to step back from the extension in June 2020. As a replacement maintainer, he chose an unknown entity, who controls the single-purpose @greatsuspender GitHub account. Much was suspicious about this change, including mention of payment for an open-source extension, and complete lack of information on the new maintainer's identity. However, as the new maintainer did nothing for several months, it was believed that there was simply a failed transfer. In October 2020, the maintainer updated the Chrome store package. The update raised red flags for some users, because the changelog was not modified and there was no tag created in GitHub. On investigation, it appeared that the extension was now connecting to various third-party servers, and executing code from them.

This led a few users to panic; however, on closer investigation, it appeared that the third-party servers were part of an alternative to Google Analytics: and the changes shipped along with a new (though unexplained, #1260) tracking deactivation. It appears that deactivation works. We would later discover that this was wrong: See below

The discussion continued, however, because the new update also requested additional permissions, including the ability to manipulate all web requests. That lets the extension do what it pleases, including inserting ads, blocking sites, forcible redirects.... This change was supposedly in order to enable new screenshot functionality, but that was unclear, and probably shouldn't be needed.

Furthermore, the web store extension has diverged from its GitHub source. A minor change in the manifest was now being shipped on the Chrome web store, which was not included in GitHub. This is a major concern: though again, it has a possible innocent explanation. While some think it is illegal given the license on the code, this may not be a GPL violation. Because the minified script is not part of the extension, the license does not apply to it. Because of Web Store rules, the extension itself can be unpacked and inspected in full, human-readable form, likely satisfying the copyleft restrictions.

As a final red flag, no part of the web store posting has been updated to account for this. @deanoemcke remains listed as the maintainer, and the privacy policy makes no mention of the new tracking or maintainer. It has been several months since the transfer, but almost nothing reflects that change.

@deanoemcke did respond to the thread, after a significant delay. He confirmed much of what is above, including that the secret changes are limited to analytics and are disabled by the flag. However, he hasn't yet clarified what his relationship or basis of trust with the new maintainer is, nor has he explained why the initial post mentions a 'purchase'.

On November 6th, @lucasdf discovered a smoking gun that the new maintainer is malicious. Although OpenWebAnalytics is legitimate software, it does not provide the files executed by the extension. Those are hosted on the unrelated site owebanalytics.com, which turns out to be immensely suspicious. That site was created at the same time as the update, and is clearly designed to appear innocent, being hosted on a public webhost, and being given a seemingly innocent homepage from the CentOS project. However, the site contains no real information other than the tracking scripts, appears to have been purchased with Bitcoin, and is only found in the context of this extension. Most importantly, the minified JavaScript differs significantly from that distributed by the OWA project.

@thibaudcolas has done a more detailed analysis than my quick look. He quickly located additional hardcoded values related to other, confirmed malicious extensions, implying that the new maintainer is responsible for them. He also found incredibly suspicious additional information, that makes it clear that the extension was not loading a modified version of OWA, but a trojan disguised as it. OWA has a PHP based backend, but the fakes are using NodeJS. The trojan sets cookies, which OWA doesn't use. The response to certain requests is a completely different type than legitimate OWA. Furthermore, @joepie91 has attempted to deconstruct the minified JS, and believes that the code intercepts all requests, meaning it can track you perfectly, and furthermore manipulates those requests and makes additional advertising requests. That means the author was probably attempting to commit several flavors of advertising fraud, as well as possibly tracking you globally.

While there once appeared to be an innocent explanation for this, I can no longer say that it is remotely likely. Using the Chrome web store version 7.1.8 of this extension, without disabling tracking, executed code from an untrusted third-party on your computer, with the power to modify any and all websites that you see. The fact that disabling tracking still works is irrelevant given the fact that most of the 2 million users of this extension have no idea that that option even exists. The fact that the code may not be malware is meaningless in light of the fact that it can be changed without notice, and that it is minified (human-unreadable). The fact that a new version has since been pushed that disables this behavior isn't useful given that any future update reintroducing the malicious code will occur without notifying the user.

Many users are worried enough about the changes that they completely uninstalled the extension, preferring alternatives instead. That extension has much fewer features, but is slightly better for performance. Others have begun building it from source, and installing it manually. If a person were to try to create a new web store release, they would need to change it significantly enough that Google wouldn't reject it as spam. To simply get a safe version for yourself, see further below. Before removing or modifying the extension on your computer, be sure to unsuspend all tabs, or you WILL lose them (though the original URLs can be extracted from the extension queries, and some are working on scripts to do just that, it's easier to just avoid all that).

Throughout the above discussions, which spanned several issues and now appear in news articles, the new maintainer has never posted on the thread, or interacted in any way with the repository. Despite an ongoing discussion about how they are plotting to destroy us all, they haven't done anything to assuage our concerns: likely in the (obviously correct) hope that all those aware of the attack would move on eventually. They aren't dead, as they were quite quick to update the extension when Microsoft removed it for malware. But the new maintainer might well be a literal cat on a keyboard, for the amount of interaction they have made with the community.

For those who don't want to continue using the extension, alternatives include Tabs Outliner, which lets you place tabs in an outline. Auto Tab Discard is very similar to TGS, however it always reloads the tab when it is focused. Session Buddy allows you to save tabs into "collections", that can be reviewed later, as well as providing security against crashes.

If you enjoy using the extension, and wish to continue using it as it was, download the source code from the Github repository (version 7.1.6), enable developer mode, select "Load unpacked extension", and point it at the /src directory. Bam! You are now running The Great Suspender as @deanoemcke created it. @aciidic has gone further, creating a new repository not under the control of the old maintainer, and with all tracking code removed, here

That concludes my summary. For more information, please do look further down on this thread, or at the original announcement (#1175). An analysis of the script is placed here. Additional sources began covering this in January 2021, such as Lifehacker, The Register, and a number of infosecurity Twitter accounts. This brought a bunch of new people to the issue, which is important given that it is still not widely known. Do note that the Chrome web store version is not currently malicious, meaning that reporting abuse (as we did earlier) will not currently result in a removal.
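Two of the signals in the summary above, permissions that appear in the store package but not in the tagged source, and scripts that reference a host the source release never mentions, can be checked mechanically against an unpacked copy of an installed extension. This is an added example, not code from the extension or from anyone in this thread; the manifests, file paths and allow-list are constructed, `owebanalytics.com` is the host named in the summary, and `manifestDrift` and `remoteHosts` are hypothetical helper names.

```javascript
// Added example: audit an installed extension against its tagged source release.
// Permissions that let an extension read or alter traffic on every site.
const HIGH_RISK = new Set(['webRequest', 'webRequestBlocking', '<all_urls>',
  'http://*/*', 'https://*/*', 'cookies']);

function permissionSet(manifest) {
  return new Set([...(manifest.permissions || []), ...(manifest.optional_permissions || [])]);
}

// What the installed manifest gained or changed relative to the reference one.
function manifestDrift(reference, installed) {
  const before = permissionSet(reference);
  const added = [...permissionSet(installed)].filter((p) => !before.has(p)).sort();
  const keys = new Set([...Object.keys(reference), ...Object.keys(installed)]);
  const changedKeys = [...keys]
    .filter((k) => JSON.stringify(reference[k]) !== JSON.stringify(installed[k]))
    .sort();
  return { added, highRisk: added.filter((p) => HIGH_RISK.has(p)), changedKeys };
}

// Hosts referenced by the extension's scripts that are not on the allow-list,
// mapped to the files that mention them. `sources` is { path: fileText }.
function remoteHosts(sources, allowedHosts = []) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const found = new Map();
  for (const [path, text] of Object.entries(sources)) {
    for (const match of text.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
      const host = match[1].toLowerCase();
      if (allowed.has(host)) continue;
      if (!found.has(host)) found.set(host, []);
      if (!found.get(host).includes(path)) found.get(host).push(path);
    }
  }
  return Object.fromEntries(found);
}

// Constructed manifests and sources for illustration; not the extension's real files.
const REFERENCE = { manifest_version: 2, name: 'Example Suspender', version: '1.0.0',
  permissions: ['tabs', 'storage', 'contextMenus'] };
const INSTALLED = { manifest_version: 2, name: 'Example Suspender', version: '1.1.0',
  permissions: ['tabs', 'storage', 'contextMenus', 'webRequest', 'webRequestBlocking', '<all_urls>'] };
const SOURCES = {
  'js/background.js': "const HELP = 'https://example.org/help';",
  'js/analytics.js': "const TRACKER = 'https://owebanalytics.com/constructed-path.js';",
};

console.log(manifestDrift(REFERENCE, INSTALLED));
console.log(remoteHosts(SOURCES, ['example.org']));
```

A version bump in `changedKeys` with no matching tag in the source repository is the same mismatch the summary describes for the October 2020 update.
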

@aesema

aesema commented Feb 5, 2021

Hello. Is there any possibility to make a new extension (probably the marvellous suspender as it looks to be the same minus the problems) compatible with the old format of the stored tabs ? That is, able to interpret "chrome-extension://klbibkeccnjlkjkiokjodocebajanakg" on top of interpreting its own reference ?

I can't do the "export session, edit session" thing, because I use Tabs Outliner on top of TGS. Once the tabs are "stored" in Tabs Outliner and chrome is closed, then they're not in TGS anymore. So any TGS session I can get/export has only the tabs from the last few days, not my years long collection.

Alternatively I will use the old TGS but I worry this solution won't be long lasting.

edit : so after some digging and trying, whatever extension I install (TGS 7.1.6, 7.1.8 notrack, packed, unpacked), I can't get it to have klbibkeccnjlkjkiokjodocebajanakg as an ID and so can't open my old tabs. Even if I managed to get it to have that ID, I fear Chrome would then disable it, because it would think it's the doubtful one.

Any help appreciated.

@paulstelian97

Hello. Is there any possibility to make a new extension (probably the marvellous suspender as it looks to be the same minus the problems) compatible with the old format of the stored tabs ? That is, able to interpret "chrome-extension://klbibkeccnjlkjkiokjodocebajanakg" on top of interpreting its own reference ?

I can't do the "export session, edit session" thing, because I use Tabs Outliner on top of TGS. Once the tabs are "stored" in Tabs Outliner and chrome is closed, then they're not in TGS anymore. So any TGS session I can get/export has only the tabs from the last few days, not my years long collection.

Alternatively I will use the old TGS but I worry this solution won't be long lasting.

edit : so after some digging and trying, whatever extension I install (TGS 7.1.6, 7.1.8 notrack, packed, unpacked), I can't get it to have klbibkeccnjlkjkiokjodocebajanakg as an ID and so can't open my old tabs. Even if I managed to get it to have that ID, I fear Chrome would then disable it, because it would think it's the doubtful one.

Any help appreciated.

Edit the session itself to have the ID of the new extension, rather than trying to get the extension to get the old ID (the extension will NEVER get the old ID)

@aesema

aesema commented Feb 5, 2021

Hello. Is there any possibility to make a new extension (probably the marvellous suspender as it looks to be the same minus the problems) compatible with the old format of the stored tabs ? That is, able to interpret "chrome-extension://klbibkeccnjlkjkiokjodocebajanakg" on top of interpreting its own reference ?
I can't do the "export session, edit session" thing, because I use Tabs Outliner on top of TGS. Once the tabs are "stored" in Tabs Outliner and chrome is closed, then they're not in TGS anymore. So any TGS session I can get/export has only the tabs from the last few days, not my years long collection.
Alternatively I will use the old TGS but I worry this solution won't be long lasting.
edit : so after some digging and trying, whatever extension I install (TGS 7.1.6, 7.1.8 notrack, packed, unpacked), I can't get it to have klbibkeccnjlkjkiokjodocebajanakg as an ID and so can't open my old tabs. Even if I managed to get it to have that ID, I fear Chrome would then disable it, because it would think it's the doubtful one.
Any help appreciated.

Edit the session itself to have the ID of the new extension, rather than trying to get the extension to get the old ID (the extension will NEVER get the old ID)

Thanks for your answer. My issue is that I don't use The Great Suspender sessions, only the fact it unloads tabs nicely, and controllably. My tabs are stored by another extension : Tabs Outliner.

I have now figured out I could export Tabs Outliner's tree, edit the file, and reimport it. A bit of work, and fortunately I have tons of RAM because editing a 100MB text file is no joke, but it worked.

@daviavmello

Chrome just banned version 7.1.6.

@agiudiceandrea

@daviavmello are you sure? Which Chrome version? OS?
Google Chrome 88.0.4324.150 (latest available) on Windows doesn't complain about TGS 7.1.6.

@xitude

xitude commented Feb 6, 2021

This has been fully nuked at this point.

@ghost

ghost commented Feb 6, 2021

Since this was marked with malware, is there anything we should be worried about? Passwords, etc

I suppose the exploit had access to perform arbitrary code execution, like you could from javascript console. For example document.querySelector(input).value of text fields.

People are worried about this 1 extension when the bigger malware and spyware is Google itself! 😂

@PurpleDevX

ESET now quarantines the gsAnalytics.js file shipped with v7.1.8 as "JS/Chromex.Agent.BE".

@makhlukgod

I have now figured out I could export Tabs Outliner's tree, edit the file, and reimport it.

How do you export and import tabs? Or do you have a paid version?

@aesema

aesema commented Apr 23, 2021

I have now figured out I could export Tabs Outliner's tree, edit the file, and reimport it.

How do you export and import tabs? Or do you have a paid version?

Yes with a paid version.
