Chrome Web Store update -> lost all tabs #512
Comments
|
Also the update wants massive new rights to read/modify all web data. As I do not see any commit related to this I uninstalled the app for now. Is there any official statement about this? |
|
I lost all my open tabs too.
The solution, for now, is to allow the permissions, and enable the extension. Then go to this link (chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/history.html) and restore the last saved session from there.
|
|
That did not work, chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/history.html gave me a 404. I have uninstalled the extension, since I really can't afford to have something that will delete my data without notice. |
|
@mcamou Do you have the extension enabled? If so, go to extension's settings/options, then to |
|
The updated feature is good, but I wished there was a warning before this major changes. The history from the extension contains only tabs, no "windows", so all my suspended tabs goes into 1 window, had to manually sort them out. Imagine this happened in the middle of work, when we needed those tabs as soon as possible. |
|
Im not sure what is going on. panic stations! i have lost control of the extension from the chrome developer dashboard. v6.22 does not even exist. i had no hand in this getting forced upon users. |
|
Oh my God... |
|
I'm in contact with Google and they're helping me resolve the issue. Fingers crossed I'll have it back soon. |
|
Bravo |
|
Maybe the new extension does not have malicious code in it, but once the users have accepted the new authorizations requested, and with the account in the hands of an unknown developer, it's just a matter of time when malicious code will start appearing. |
|
as the author explains finally: what he needs to "change all user data on all websites" ??? This is simply not acceptable !!! Because it gives the author access to passwords and personal data !!! Why so abuse the trust of users ??? And most importantly - this writer does not speak a word !!! WHY?!? |
|
@romario300 see the author's (@deanoemcke) replies above |
|
Thank you my friend, who answered! )) |
|
Chrome is automatically disabling the extension, which causes all tabs with it to suddenly be closed. Scary and confusing; wish Chrome showed a notification for it. Checking the Extensions window, it shows "This extension contains a serious security vulnerability." under The Great Suspender. @deanoemcke thank you for watching our backs, I love the extension! Once it gets restored, do you know if it will be possible to recover tabs that were closed? Regardless, I'll keep using it. It's the only way my machine can handle this many tabs being open... |
So I can re-enable and continue using it without issue? Sitting here watching a video and suddenly 85% of my tabs disappear. I look at the extension, see it disabled with a "this contains a serious vulnerability" message. Took for granted how much I relied on this extension, just as I did the Firefox ones (700 open tabs over there). Gotta love Google's walled garden with forced automatic updating of extensions and no way for the user to disable it without directly editing the extension's files. Shame Mozilla went AWOL with Firefox's design and forced me to change.. never liked how Google handles things, never will. |
|
I just had the same thing. So... the security issue is real? Or we can re-enable the extension without a problem? |
|
Oh, well this explains what happened to my tabs. I lucked out a bit though, since I also use Session Buddy. I was able to restore most of my suspended tabs (except for a few that i suspended before last closing my browser...), though each one just gives a 404. I saw a mention of chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/history.html in an earlier post. Does this mean there's a way to view the history of the tabs you've suspended? That would be handy. |
|
@deanoemcke can you confirm last safe version is 6.22? |
|
I just got wiped out by google's disable, which was surprising and confusing, but I suspect erring on the secure side is the right move here. @deanoemcke keep us posted on any resolution / recovery steps? |
|
@anosci Yes if you go into the extension's settings you can view recent sessions (like yesterday). |
|
Google marking this as having a vulnerability definitely happened within the last 10 minutes. The developer said he was in contact with Google after he found out his account was compromised. I suppose this is Google's solution, for the time being. It's really weird someone would update this, request additional permissions but only bump the version? Why wouldn't they do more than that if they had negative intent to compromise the account in the first place? |
|
The automatic updating actually worked perfectly on my desktop: When the addon updated (to the hacked version), the tabs disappeared, but then a TGS tab opened asking if i wanted to restore the tabs that closed (under the assumption that it had crashed). They went back where they were. It was great. Now, of course, it has been disabled, and I understand that I shouldn't enable it. Still, just thought I'd share that anecdote. |
|
The GitHub account wasn't compromised, just the chrome extension account.
If you're using a GitHub version of the extension you should be
unaffected.
…On Wed, 7 Jun 2017 at 9:38 AM, Shane Pope ***@***.***> wrote:
Was the bad update rolled out yesterday? What did it do? I can't recall
hitting approve on a new permission but I don't remember.
@sammarcus <https://github.com/sammarcus> how do you know they only
bumped version? Wouldn't they have put malicious stuff in on their local
machine and then bumped version on github to make it look like the latest?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#512 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABFQeXgfJ0TG65E8MikhELR2GOe2aox5ks5sBcbogaJpZM4NwHEy>
.
|
|
@deanoemcke I'm so sorry this happened to you! I was just affected by Chrome mass-disabling the extension too, and I came here for more info. Also, consider updating the readme.md with a short notice to let people know why their extension was suddenly disabled. That should reduce the amount of confusion everyone's experiencing 😝 Best of luck working with Google to get this figured out! |
|
@shanempope I haven't examined the code from the recent Web Store version, I was only going off of @deanoemcke comment from above. @liamjohnston I feel confident in saying 98%+ of the people using this extension are using the version from the Chrome Web Store 😄 |
|
I hope it comes back soon. I was like WTF where my tabs are suddenly. :D |
|
Came here also as suddenly my tabs disappeared. Had to give a closer look to find the related issue. +1 for README.md update 😉 |
|
|
|
Just lost my tabs once more and found the extension disabled on Linux.
WTH? Some kind of notification when this happens would be nice, instead of having to wonder what happened to all once's tabs...
|
|
this plagued me as well. However, after update make sure the extension is enabled, and I was able to restore my session by going to extension's settings/options, then to Session Management, and then selecting a session to restore. not ideal, but perfectly acceptable workaround. |
|
not ideal, but perfectly acceptable workaround.
Less so each time you have to go through the motions again...!
|
|
Yesterday 72 tabs disappeared from my browser as if they were never there. I already had my cat punished for allegedly catwalk'ing on my keyboard. And here it is - the extension I like the most was actually to blame! Oh well :) Just now I came home from work and woke up my laptop. And guess what! The extension auto-updated itself and restored all my tabs itself. How cool is that! Hats off to the author @deanoemcke . Really man, thank you :) Nice trick you did there! Very customer-oriented attitude. |
|
I would like to emphasize that you people with 50+ tabs consistently suspended have an actual problem. |
|
@Ihysoal what kind of problem do you mean? |
|
Want to reiterated the recommendation for Session Buddy, but also- most people don't know this- If you quit chrome form the taskbar (in windows at least) by right clicking on it, then you only get the top window restored. Whereas, if you quit it within chrome itself from the settings menu, you get all of them back. (I mean, as a general thing- not a specific issue with Suspender, I'm just saying as a general thing about chrome.) I don't know if that's true in Ubuntu because I figured that out back when I was running windows before I made the switch. (And I'm not going to test that here lol) |
Chrome extensions are sandboxed to the extent that any damage would have had to come from the code we've inspected. It's been reviewed line by line and there wasn't anything malicious. So it would have had to have been something else. |
|
It appears that this morning's update has fixed this issue - Chrome is no longer reporting a serious security vulnerability with this extension. 👍 Fantastic work @deanoemcke - absolutely spectacular turnaround on this issue! 👍 |
|
deanoemcke wrote: "the blame ultimately falls on me for allowing my developer account to be compromised."So that others could benefit from the lesson... Please disclose the method of compromise. |
ghost
mentioned this issue
Note that this can also happen if one of your suspended tabs happened to be a password reset page, and during the course of things it was reloaded unsuspended at some point. (This shouldn't be the case since password resets should use a nonce so they're invalid if the page is reloaded, but many websites don't do that, so this can indeed happen.) |
|
so what happened today? I had 6.30 enabled, but all my tabs disappeared again, and they're not in the session manager this time. Strangely, the extension was still enabled. Is there a file I can grab from time machine or a full backup I have to get my crap back? Edit: restoring that folder from my backup got me my tabs back. |
|
@Master-1- The compromised extension did not contain any malicious code (thankfully!). I ran checks over the unsolicited release and there was no actual code changes in there. So there is no chance that this event is related to any hacking attempt you might have seen. I'm still unsure as to exactly what the intentions were of the attackers. Perhaps ownership was restored to me before they had a chance to implement whatever they had planned. @faultylee Any update will cause loss of tabs, so it's impossible to pre-warn. And I feel like such a message would just cause general confusion anyway. I still believe that the best way to handle this going forward is to simple NEVER UPDATE the extension automatically. As long as the code is relatively bug-free then this is the best course of action for the sanity of the users. |
|
Any update will cause loss of tabs, so it's impossible to pre-warn.
I don't see how that would be so. A warning would be useful for those users who have an independent method of saving and restoring their browsing session; they'd be forewarned.
And I feel like such a message would just cause general confusion anyway.
Make it optional. Or use something here on github that interested parties can track (subscribe to) and where you announce pending updates.
But isn't there a way around this all? As a user I can tell the extension to unsuspend all tabs, what if you make it do that before updating, so that those tabs are no longer owned by the extension? I don't know if you can detect "I'm going to be updated" events, or even "I'm going to quit" but it seems the extensions API must provide something of the sort to allow extensions to clean up after them when the user disables or removes them.
|
|
@RJVB thank you, that's what I meant. I don't meant to sound ungrateful, I'm actually grateful and happy with the extension thus far. Just looking for way to make the experience even better. After all, I would actually blame chrome for this short coming, as it has very broad api to allow devs to do almost anything, and imposing certain feature (like autoupdate) without setting any guideline in terms of user experience |
|
Dumb question: does Google have any policies which would prevent there
being 2 copies of the extension in the webstore, with the only substantive
difference between the two being the auto update setting? So "The greater
suspender" could warn about auto update hassles in the store description
and on first install, but allow the user to opt in to the latest features?
crafty_geek
…On Jun 8, 2017 00:57, "faulty.lee" ***@***.***> wrote:
@RJVB <https://github.com/rjvb> thank you, that's what I meant.
@deanoemcke <https://github.com/deanoemcke> I suspect the reason those
tabs are lost is that there's 2 new permission which chrome needs to
request user to accept. If the a "warning message" is pushed one version
before like what @RJVB <https://github.com/rjvb> describe, without those
new permission, then it should not have cause the tabs to be lost.
I don't meant to sound ungrateful, I'm actually grateful and happy with
the extension thus far. Just looking for way to make the experience even
better.
After all, I would actually blame chrome for this short coming, as it has
very broad api to allow devs to do almost anything, and imposing certain
feature (like autoupdate) without setting any guideline in terms of user
experience
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#512 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AIBYjt0mnkfCDeAHJB1wXYJIAqlmxFP7ks5sB6lvgaJpZM4NwHEy>
.
|
This is exactly the issue. The API does not provide any ability to detect "Im going to be updated" or "Im going to quit". There is only a "Im going to be uninstalled" which does not help. Therefore, once again I reiterate, the only person who knows when an update is coming is me, based on when I push a new version. Even then, I cannot control when this version will be updated on a clients browser. I could post a warning, but then how long do I wait before pushing the update? Waiting less than a day, I risk most users not getting a chance to read the warning. Waiting more than a day, I risk users forgetting about it, creating many more tabs, and then getting caught offguard when the update does happen. I'm not saying warning users is a bad idea, just that it is far from an elegant solution to the problem. My ongoing policy with updates has always been to warn users first. However, my ongoing policy has also been never to push an update, so I've never actually had to exercise this warning. |
|
@faultylee I have integrated some session management code which should detect this situation after the update and automatically restore these lost tabs. However, the code is not fool proof and does not work 100% of the time. And it assumes the extension remains enabled - which was not the case for a period of time during the incident recently. |
|
@crafty-geek This has been suggested before. The idea of the Great Suspender beta which is subject to updates at the users risk. There's nothing stopping me doing it. I don't really like the added confusion that would create on the webstore, but I might consider it if there is enough demand. You can always install the latest code from the gitHub project page so that is essentially the work-around. |
|
@h3298 I am currently working on a post mortem of the hack and will post it as a medium article shortly. |
|
Closing this issue as it doesn't reflect the issue title and is a bit messy. Consider this the official thread for 'fallout from the extension being compromised' For issues related to lost tabs caused by the extension updating, please refer to this issue: #526 |
|
@deanoemcke could you please post here the postmortem URL whenever it's ready. I don't know how to find you on medium. |
|
On Thursday June 08 2017 09:00:53 Dean Oemcke wrote:
This is exactly the issue. The API does *not* provide any ability to detect "Im going to be updated" or "Im going to quit".
So doing an update =/= uninstall + reinstall? Sounds like a missing feature someone should propose to add to the API!
So how does regular session restore work?
warning, but then how long do I wait before pushing the update? Waiting less than a day, I risk most users not getting a chance to read the warning.
A day should be fine for those of us always online (and thus probably most likely to be affected) but more will indeed allow more users to be informed. I wouldn't worry about users forgetting between the alert and the actual update; that's their problem.
|
|
@deanoemcke was curious if you ever did a write up about this now that it's all over. would be interested in hearing your insights and experience! |
and others
I have installed The Great Suspender from the Chrome Web Store. From what I read here, automatic updates should be disabled, but... a few minutes ago it auto-updated and I lost >50 tabs :( I don't know if this can be fixed, but at least a warning when installing (and even in the "Tab suspended" screen) would be appreciated.
The text was updated successfully, but these errors were encountered: