Was there any suspicious code in v7.1.6 of TGS?

[iam-Shashank]

Great work on the fork!

Just wanted to alert/ask you whether you've inspected the 7.1.6 code which you forked for any potential malicious code. Asking this as it was indicated in this issue comment of TGS.

The allegation is that even back in May, work had already started on this. They mention another issue from May for the full context . So, please verify in case you weren't aware of this :)

[u18030247]

Thanks for the fork @gioxx , I am not a developer, but I have a code-related question:

Per this comment:

I can confirm with confidence that the code in the Marvelous Suspender chrome package matches that on Github, but they made some pretty extensive changes in their fork (at least from a lines-changed perspective), and I don't have the time to review them all. I am willing to bet there is a very good reason for all their changes, but I simply don't have the time to look at them now closely enough to say "Yes, it's secure, everyone go use it".

Let's ask about the obvious elephant in the room, is it safe to use Marvellous Suspender? Because is not exactly a fork of 7.1.6(7.1.8?) with tracking code removed (like thegreatsuspender-notrack). However, the latter one (thegreatsuspender-notrack) the author sound like 'use it at your own risk' in the README:

This work carries no guarantees only to the best of my ability in 2 hours using notepad2 & AstroGrep. I am not a developer and do not intend to spend much time keeping this extension updated.

So that raised my question above, will the developer explain in layman's term (doesn't need to be extensive, just for assurance) what did you change in this fork and is it safe to use it without the worry of information theft/tracking/password theft/etc. ?

Honestly, I am bit surprised no one has asked about this. Guess that's why I am here.

[luke-jr]

Comparing the various forks, I was a bit disturbed by some of the tracking code in 7.1.6, but I didn't look into it too deeply.

(FWIW, I, too, concluded that I didn't have time to review all 20000+ lines of code changed by MarvellousSuspender)

[Technetium1]

I have looked at the entirety of the changes here and have concluded nothing within is suspicious. I plan to use this myself as soon as the CSP is cleaned up and this issue is resolved. This issue was solved quickly, so I expect the CSP to also be altered in a reasonable amount of time. Aside from that lone issue, everything looks perfectly fine to use. Once the above issue is resolved, I will move over from https://github.com/aciidic/thegreatsuspender-notrack

[iam-Shashank]

@u18030247 the notrack one is a fork of 7.1.8 not 7.1.6 (that's why im not using that fork). it's mentioned in their Readme, so kindly correct it before it gets confusing for someone else :)

Let's ask about the obvious elephant in the room, is it safe to use Marvellous Suspender? Because is not exactly a fork of 7.1.6 with tracking code removed (like thegreatsuspender-notrack).

[u18030247]

@u18030247 the notrack one is a fork of 7.1.8 not 7.1.6 (that's why im not using that fork). it's mentioned in their Readme, so kindly correct it before it gets confusing for someone else :)

Let's ask about the obvious elephant in the room, is it safe to use Marvellous Suspender? Because is not exactly a fork of 7.1.6 with tracking code removed (like thegreatsuspender-notrack).

Sure, I read it from this issue and it looks like it's a fork of 7.1.6:

If you enjoy using the extension, and wish to continue using it as it was, download the source code from the Github repository (version 7.1.6), enable developer mode, select "Load unpacked extension", and point it at the /src directory. Bam! You are now running The Great Suspender as @deanoemcke created it. @aciidic has gone further, creating a new repository not under the control of the old maintainer, and with all tracking code removed, here

I don't think 7.1.8 is anywhere on GitHub, but I will edit this one.

[iam-Shashank]

I got the 7.1.8 reference from here.
But yeah, I forgot that 7.1.8 doesn't exist on github, maybe the no-track author got it from somewhere else like this. Anyways. personally i am not using that one, more likely to use this one (marvellous). for now, using v7.1.6 from local source files

[luke-jr]

Anyone with v7.1.8 installed could get the source code from their own Chromium files.

[Technetium1]

I have looked at the entirety of the changes here and have concluded nothing within is suspicious. I plan to use this myself as soon as the CSP is cleaned up and this issue is resolved. This issue was solved quickly, so I expect the CSP to also be altered in a reasonable amount of time. Aside from that lone issue, everything looks perfectly fine to use. Once the above issue is resolved, I will move over from aciidic/thegreatsuspender-notrack

Since this comment I have looked at literally all of the code at this point bff2ec8 and I'm satisfied in terms of security. I suppose this is the closest you're going to get to an independent audit for free.

[fastfedora]

I went through this compare highlighting the differences between the current master branch of thegreatsuspender (GS) and the master branch of MarvelousSuspender (MS). While there's a lot of lines changes, most of it is UI text & translations.

From my review, it looked like MS removed the Google Analytics tracking code and the ability to clean ads from screenshots taken before a tab is suspended. There were a few other changes that looked like bug fixes or minor enhancements since then, but nothing that looked suspicious.

That said, I did not do a full review of the codebase, and the MS fork is based on the GS master branch. So anything that was malicious in that that wasn't removed is still here. But it appears to be at least as safe as aciidic/thegreatsuspender-notrack and potentially safer, which only removed the Google Analytics tracking code.

Note that while the latest tag in GS is v7.1.6, the master branch has an extension version number of 7.1.8 and both MS and aciidic/thegreatsuspender-notrack appear to be off this version. From a cursory glance, this does not appear to be the malicious version 7.1.8 released to the Chrome Store, since it doesn't appear to have references to OWA, which is where the hack came in.

[aciidic]

That said, I did not do a full review of the codebase, and the MS fork is based on the GS master branch. So anything that was malicious in that that wasn't removed is still here. But it appears to be at least as safe as aciidic/thegreatsuspender-notrack and potentially safer, which only removed the Google Analytics tracking code.

Note that while the latest tag in GS is v7.1.6, the master branch has an extension version number of 7.1.8 and both MS and aciidic/thegreatsuspender-notrack appear to be off this version. From a cursory glance, this does not appear to be the malicious version 7.1.8 released to the Chrome Store, since it doesn't appear to have references to OWA, which is where the hack came in.

I forked from v7.1.8 as it contained extra functionality over v7.1.6; specifically, I was interested in the ability to configure the plugin using the Windows Registry (see README.md).

The process I went through, as well as removing all analytics/tracking code, was to also remove any functions which interacted with unknown/untrusted/suspicious external URLs - including the removal of a bit of code in this plugin which had the ability to load data from an external source and appeared to have been created for the developer to send messages to plugin users, though maybe there's more to it - I didn't dig too deep, I simply removed it entirely.

[luke-jr]

One thing I noticed was the removal of upgrade-related code. Will these forks cleanly upgrade without restarting the browser?