What happens when a Chrome extension with 2m+ users changes hands, raises red flags, doesn’t document updates? Let’s find out
Analysis
Back in November 2020, netizens warned that a Chrome extension called The Great Suspender may be malicious. Around that time, Google was made aware of these concerns and looked into the situation.
The Register understands that the unidentified maintainer of the project subsequently resubmitted the extension without the suspicious behavior that had been cited in a GitHub issues post. That version, 7.1.9, is presently available through the Chrome Web Store and is presumably safe enough that Google considers the matter closed.
However, the concerns raised haven’t really been resolved because the software community hasn’t figured out how to transfer trust when a project like this widely used extension is transferred to a new owner.
The Great Suspender add-on, which claims over two million users (though Chrome Web Store stats are notoriously easy to manipulate), was sold by creator Dean Oemcke to an unidentified party in June 2020. The terms of the deal have not been disclosed. The current GitHub account hosting the code, greatsuspender, offers no clue as to the owner’s identity and no means of contact, apart from a support email address listed on the extension’s Chrome Web Store page.
The Register tried to contact the current owner and former owner by email, and we’ve yet to receive a response. The extension claims it can “make your computer run smoothly by suspending the tabs you aren’t using.”
Since the ownership transfer, there have been dozens of code changes committed to the add-on’s GitHub repository, and at least two new versions (7.1.8 and 7.1.9) have been released through the Chrome Web Store and distributed to users automatically, a behavior some consider to be a bug.
But those releases aren’t listed in the project repo, where the latest official release still looks to be 7.1.6. It’s possible to see the individual git commits made since then, and piece together what may be inside 7.1.8 and 7.1.9, by doing some digging. Ordinarily, developers summarize the contents of new versions in public release notes on their repos, to help people understand what alterations to the code have been made.
The issue with Great Suspender appears to have been the use of an open-source analytics package, Open Web Analytics (OWA), in conjunction with remote scripts and a CDN – the concern was that user information was being spirited away.
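A defender’s check for exactly this situation (an auto-updated extension whose shipped versions are not tagged in the repo): an added example, not code from the article or from The Great Suspender project, that diffs the unpacked shipped extension against the last repo release and lists remote hosts the shipped code newly references. The two file trees below are constructed inline for illustration; in practice you would load the unpacked extension directory and a checkout of the release tag.

```python
"""Audit an auto-updated browser extension against the last published repo release."""
import hashlib
import re
from urllib.parse import urlparse

# Matches http(s) URLs in JS, HTML and manifest text; stops at quotes, brackets and
# separators so a CSP entry such as "https://host;" yields just the URL.
URL_RE = re.compile(r"""https?://[^\s"'`<>);,]+""")

# Constructed sample trees (path -> file contents). Hosts ending in .invalid are fake.
REPO_TREE = {
    "manifest.json": '{"name": "Example Suspender", "version": "7.1.6", '
                     '"homepage_url": "https://github.com/example-owner/example-ext"}',
    "js/background.js": "chrome.tabs.onUpdated.addListener(function (id) { suspendIfIdle(id); });",
}
SHIPPED_TREE = {
    "manifest.json": '{"name": "Example Suspender", "version": "7.1.8", '
                     '"homepage_url": "https://github.com/example-owner/example-ext", '
                     '"content_security_policy": "script-src \'self\' https://cdn.example-tracker.invalid; object-src \'self\'"}',
    "js/background.js": "chrome.tabs.onUpdated.addListener(function (id) { suspendIfIdle(id); });\n"
                        "var s = document.createElement('script');\n"
                        "s.src = 'https://cdn.example-tracker.invalid/owa.js'; document.head.appendChild(s);",
}

def file_digests(tree):
    """SHA-256 of every file so trees can be compared without a full diff."""
    return {path: hashlib.sha256(data.encode()).hexdigest() for path, data in tree.items()}

def changed_files(repo_tree, shipped_tree):
    """Files added, removed or modified between the repo release and what shipped."""
    repo, shipped = file_digests(repo_tree), file_digests(shipped_tree)
    return {
        "added": sorted(set(shipped) - set(repo)),
        "removed": sorted(set(repo) - set(shipped)),
        "modified": sorted(p for p in set(repo) & set(shipped) if repo[p] != shipped[p]),
    }

def remote_hosts(tree):
    """Every remote host referenced anywhere in the tree (scripts, fetches, CSP allowlists)."""
    hosts = set()
    for data in tree.values():
        for url in URL_RE.findall(data):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts

def new_remote_hosts(repo_tree, shipped_tree):
    """Hosts the shipped build talks to that the repo release never referenced."""
    return sorted(remote_hosts(shipped_tree) - remote_hosts(repo_tree))

if __name__ == "__main__":
    print("changed:", changed_files(REPO_TREE, SHIPPED_TREE))
    print("new remote hosts:", new_remote_hosts(REPO_TREE, SHIPPED_TREE))
```

Any host in the second list is what a release note should have explained; a CSP that starts allowing a remote script-src is the change to scrutinise first, since it is what lets a remotely served script swap payloads after install.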
As one user wrote, “The extension was sold to an unknown party. This entity has ‘updated’ the extension to v7.1.8 w/o publishing changes to Github. It is calling remote scripts and using remote tracking analytics, sending user information somewhere w/o user knowledge.”
The current version, v7.1.9, doesn’t contain the script in question, possibly a consequence of v7.1.8 being blocked by Microsoft Edge.
But this may be a matter that goes beyond the privacy abuse that has become commonplace on the web. Other internet users claim that portions of the extension code show similarities to other extensions associated with malware and cryptomining.
The Register asked Josh Manders, a developer working on a hosting platform called Primcloud, why he had expressed concern about the extension. He explained that while no one had identified specific malicious behavior, it’s just too suspicious that the new owner went silent and that the only change since then was to add new analytics tracking code in a way that’s not evident in the repo.
Manders said during his research into the extension and associated internet domains, he found numerous links to other extensions that have been bought and replaced with malware. He said he suspects the owner intends to wait for the online controversy to die down and then subvert the code through further changes.
This acquire-and-subvert threat model has been seen before in open source projects like Nano Adblocker.
Developer Thibaud Colas came to a similar conclusion on Monday after analyzing the extension code and noting several inconsistencies, such as a hard-coded siteId in the since-removed OWA tracking script that belongs to a different extension.
“The script currently served by those domains does look like an innocuous Open Web Analytics tracker script,” Colas said.
“It could well be selectively serving the innocuous script, and on occasion switch over to a more malicious payload. Or it really could just be added tracking. Based on the association with those other extensions, I’d expect TGS will eventually switch to have a similar business model – stay low-profile long enough so people here move on, then cash in on whoever is left unaware of the change of direction.”
On Tuesday, he revised his assessment, noting that the now-removed OWA script is “not Open Web Analytics, but another application trying to pass for it.” That’s generally not a good sign.
The Register asked Google whether it plans to implement any measures to help make it easier for people to understand who maintains Chrome extensions and to understand code changes that have been made. We’ve not heard back. ®