forked from cncf/tag-security
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Exploits catalog: Document thegreatsuspender saga
I have been more descriptive for thegreatsuspender because I didn't find one good article summarizing the exact details of the exploit. Also, I wanted to bring attention to multiple red flags. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
- Loading branch information
Showing
1 changed file
with
99 additions
and
0 deletions.
There are no files selected for viewing
99 changes: 99 additions & 0 deletions
99
supply-chain-security/compromises/2020/thegreatsuspender.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| # The Great Suspender | ||
|
|
||
| The Great Suspender is a popular Chrome extension with more than 2 million users | ||
| on Google's platform alone. The extension is designed to improve the RAM usesage | ||
| of the Chrome browser by suspending tabs manually or automatically. | ||
|
|
||
| The original developer [@deanoemcke](https://github.com/deanoemcke) chose to | ||
| step back from the extension in June 2020 and sell the extension | ||
| [Upcoming changes to the management of The Great Suspender](https://github.com/greatsuspender/thegreatsuspender/issues/1175). | ||
| As a replacement maintainer, he chose an unknown entity, who controls the | ||
| single-purpose [@greatsuspender](https://github.com/greatsuspender) Github | ||
| account. There was suspicion about this change because of the complete lack of | ||
| information on the new maintainers' identity. | ||
|
|
||
| For a couple of months, the new maintainers did nothing. | ||
| In October 2020, the maintainer updated the chrome store package to version | ||
| 7.1.8. The update raised red flags for some users because the changelog was not | ||
| modified and there was no tag created in GitHub. The web store extension has | ||
| diverged from its Github source. A minor change in the manifest was now being | ||
| shipped on the chrome web store, which was not included in Github. This is a | ||
| major concern. | ||
|
|
||
| As a final red flag, no part of the web-store posting has been updated to account | ||
| for this. [@greatsuspender](https://github.com/greatsuspender) remains listed as | ||
| the maintainer, and the privacy policy makes no mention of the new tracking or | ||
| maintainer [greatsuspender privacy policy](https://greatsuspender.github.io/privacy). | ||
|
|
||
| On November 6th, [@lucasdf](https://github.com/lucasdf) discovered a smoking gun | ||
| that the new maintainer is malicious. Although OpenWebAnalytics is legitimate | ||
| software, it does not provide the files executed by the extension. Those are | ||
| hosted on the unrelated site owebanalytics.com, which turns out to be immensely | ||
| suspicious. That site was created **at the same time as the update** (see this | ||
| comment [thegreatsuspender/issue/1175#issuecomment-717656189](https://github.com/greatsuspender/thegreatsuspender/issues/1175#issuecomment-717656189)). | ||
| The site contains no real information other than the tracking scripts, appears | ||
| to have been purchased with BitCoin and is only found in the context of this | ||
| extension. Most importantly, **the minified javascript differs significantly** | ||
| from that distributed by the OWA project. | ||
|
|
||
| [@thibaudcolas](https://github.com/thibaudcolas) has done a more detailed | ||
| analysis. He quickly located additional hardcoded values related to other, | ||
| confirmed malicious extensions, implying that the new maintainer is responsible | ||
| for them. He also found incredibly suspicious additional information, that makes | ||
| it clear that the extension **was not loading a modified version of OWA, but a | ||
| trojan disguised as it**. OWA has a PHP based backend, but the fakes are using | ||
| NodeJS. The trojan sets cookies, which OWA doesn't use. The response to certain | ||
| requests is a completely different type than legitimate OWA. | ||
|
|
||
| Furthermore, [@joepie91](https://github.com/joepie91) has attempted to deconstruct | ||
| the minified JS and believes that the code intercepts all requests, meaning it | ||
| can track you perfectly, and manipulates those requests, and makes | ||
| additional advertising requests. | ||
| The fact that disabling tracking still works is irrelevant given the fact that | ||
| most of the 2 million users of this extension have no idea that that option even | ||
| exists. | ||
|
|
||
| The new maintainer has never posted on any of the GitHub threads where users | ||
| share their concerns, or interacting in any way with the repository. | ||
|
|
||
| ## Impact | ||
|
|
||
| The Chrome web store says that there are 2 million downloads of the extension. | ||
| It's unclear how many of them are active users. | ||
|
|
||
| By default, all chrome extensions are automatically updated, so when the | ||
| malicious version 7.1.8 has been released most of the active users automatically | ||
| updated to it. | ||
|
|
||
| Windows Central released an article from November 23 2020 claiming that | ||
| [The Great Suspender' extension is now flagged as malware](https://www.windowscentral.com/great-suspender-extension-now-flagged-malware-edge-has-built-replacement) | ||
| on Microsoft Edge. | ||
|
|
||
| Soon after that, the unknown developer release a new update 7.1.9. | ||
| According to [@ossilator](https://github.com/ossilator) | ||
| *"The new web store release 7.1.9 does not contain the presumably malicious code | ||
| anymore, but note that the permissions in the manifest have not been revoked."* | ||
| [greatsuspender/thegreatsuspender/issues/1263](https://github.com/greatsuspender/thegreatsuspender/issues/1263#issuecomment-735409569) | ||
|
|
||
| The fact that a new version has since been pushed that disables this behavior | ||
| isn't useful because future update could reintroduce the malicious | ||
| code **without users noticing**. | ||
|
|
||
| The project can no longer be considered as **open source**, since the owner | ||
| refuses to make the source open and available for review. | ||
|
|
||
| "The Great Suspender" is still available to download at the time of writing this | ||
| (January 29, 2021) on Microsoft Edge and Chrome web stores and it's possible | ||
| that this saga will continue into the future. | ||
|
|
||
|
|
||
| ## Type of compromise | ||
|
|
||
| As the attack has been performed by an owner of `thegreatsuspender` deliberately | ||
| injecting a vulnerability into the source code, this attack can be categorized | ||
| as a `malicious maintainer` exploit. | ||
|
|
||
| ## References: | ||
|
|
||
| - [URGENT: SECURITY: New maintainer is probably malicious](https://github.com/greatsuspender/thegreatsuspender/issues/1263) | ||
| - [Ditch 'The Great Suspender' Before It Becomes a Security Risk](https://lifehacker.com/ditch-the-great-suspender-before-it-becomes-a-security-1845989664) |