Google removes malware-infected, possibly password-stealing Chrome extension

Hey, guys! How are y’all doing? Excited for Valentine’s Day or nah?

Recently, Google removed a popular Chrome extension used by millions of users worldwide from its Chrome Web Store and also took an additional step of deactivating it from current users’ computers.

Drastic? Yes. The reason? Apparently, ‘The Great Suspender’ contains malware. 

For those who do not know what The Great Suspender is, it’s a Chrome extension that suspends tabs that are unused - by replacing them with a blank gray screen - and releases its resources. This is to reduce the browser’s memory usage. So, when a user wants to use a particular unused tab, all they have to do is click on the tab to make it visible. This extension is very popular among people who have the habit of having a large number of tabs open at the same time. 

Now that we know what The Great Suspender is, let’s understand what’s happened here. 

                 

Why the drastic move by Google?

According to Google, on top of being infected with a malware, The Great Suspender contains features that, if exploited, can allow arbitrary code execution from a remote server. This will give way for hackers to track users online and commit advertising fraud. According to unconfirmed reports on social news site Reddit, malicious codes had been introduced to siphon passwords from those who trusted the application. 

Therefore, this extension is now blocked and all mentions of it on the Google Chrome web store now result in Error 404.

Users with Microsoft Edge and Opera installed on their machines will also be notified about the malware concerns with the extension. Both of these rival web browsers are built on the same open-source Chromium code as Google Chrome, so are capable of running the ‘The Great Suspender’, too.

What does the GitHub community say about this?

Some chatter on GitHub states that this extension has been noted to be up to no good since November 2020 and that Microsoft had picked up on this extension’s shady behaviour that led to the block of The Great Suspender (v7.1.8) on Edge browsers last year. 

According to the Register, Dean Oemcke (also known as deanoemcke on GitHub), the extension’s original developer apparently sold the extension to an unknown entity in June 2020. This change of ownership was immediately followed by 2 new versions that were released directly to users via the Chrome Web Store (7.1.8 and 7.1.9) and were not published to GitHub. 

Known as TheMageKing on GitHub, this is what Calum McConnell said in a post

“The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more.”

How are users reacting to this?

They’re unhappy! 

Many users took to GitHub to state their disappointment. This is due to the abruptness of removing such a popular and widely used extension that has caused many users to lose their tabs. 

There are 2 ways out of this mess, though. Users can either recover their tabs using this workaround or use the latest version of this extension (v7.1.6) found on GitHub by enabling Chrome Developer mode. 

However, enabling Chrome Developer mode brings us to another problem altogether. 

In a novel method disclosed by security researcher Bojan Zdrnja, Chrome’s ‘Sync’ feature allows threat actors to bypass firewalls and establish connections to attacker-controlled servers for data exfiltration. In the incident which led to this disclosure, the attackers created an infected security add-on that pretended to be Forcepoint Endpoint Chrome Extension for Windows, which was then installed directly on the browser after enabling Chrome Developer mode.

Zdrnja says: 

“While there are some limitations on size of data and amount of requests, this is actually perfect for C&C commands (which are generally small), or for stealing small, but sensitive data – such as authentication tokens.”

However, since this attack requires physical access to target machines, it falls outside of Google’s threat model and therefore, highly unlikely to be resolved by Google. 

Are there any alternatives to The Great Suspender?

Session Buddy and OneTab are other extensions that do similar things to The Great Suspender. For users who prefer paid service, Partizion is a good way to go about it. 

Personally, I just think we all should save ourselves the hassle and limit the number of open tabs!


That’s it for today’s blog, y’all! Feel free to drop comments and share this blog if you found it useful. 

Stay safe and stay tuned. 

Until next time, friends!

Credits: The Hacker News & Express
Comments are closed