Thegreatsuspender: Chrome Web Store update -> lost all tabs

Created on 5 Jun 2017  ·  106 Comments  ·  Source: greatsuspender/thegreatsuspender

I have installed The Great Suspender from the Chrome Web Store. From what I read here, automatic updates should be disabled, but... a few minutes ago it auto-updated and I lost >50 tabs :( I don't know if this can be fixed, but at least a warning when installing (and even in the "Tab suspended" screen) would be appreciated.


All 106 comments

Also the update wants massive new rights to read/modify all web data. As I do not see any commit related to this I uninstalled the app for now. Is there any official statement about this?

I lost all my open tabs too.

The reason is that since there are additional permissions, Chrome disables the extension as a security measure till we enable it manually. And since it disables the extension, it also closes all the tabs of the extension, i.e. all tabs suspended by the extension.

#322 seems to be the actual reason.

The solution, for now, is to allow the permissions, and enable the extension. Then go to this link (chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/history.html) and restore the last saved session from there.

The correct thing to do, for the developers, would have been to add the new permissions as optional in the manifest. Then open the options page on update, and prompt for permission from there. This wouldn't make Chrome disable the extension (thus closing all tabs), and make the transition easier for users.
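The optional-permission approach suggested in the comment above, shown as an added example (not part of the thread or the extension's own code). The host patterns, the `grant-access` button id and the function names are assumptions; the `chrome.*` calls are the standard extension APIs.

```javascript
// Assumed manifest.json fragment (constructed for illustration): broad host
// access is declared under optional_permissions, so shipping it in an update
// does not make Chrome disable the extension pending re-approval.
const MANIFEST_FRAGMENT = {
  permissions: ["tabs", "storage"],
  optional_permissions: ["http://*/*", "https://*/*"],
};

// The Permissions object passed to chrome.permissions.contains/request.
const WANTED = { origins: MANIFEST_FRAGMENT.optional_permissions };

// Background page: after an update, open the options page if the optional
// access has not been granted yet, instead of demanding it up front.
function registerUpdateHook(api) {
  api.runtime.onInstalled.addListener((details) => {
    if (details.reason !== "update") return; // ignore fresh installs
    api.permissions.contains(WANTED, (granted) => {
      if (!granted) api.runtime.openOptionsPage();
    });
  });
}

// Options page: chrome.permissions.request only works inside a user gesture,
// so this must be called from a click handler.
function requestExtraAccess(api, onResult) {
  api.permissions.request(WANTED, (granted) => onResult(Boolean(granted)));
}

// Wiring, active only when running inside an extension page.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.permissions) {
  registerUpdateHook(chrome);
  if (typeof document !== "undefined") {
    const button = document.getElementById("grant-access"); // hypothetical id
    if (button) {
      button.addEventListener("click", () =>
        requestExtraAccess(chrome, (ok) => {
          button.textContent = ok ? "Access granted" : "Access declined";
        })
      );
    }
  }
}
```

If the user declines, the extension keeps running with its existing permissions and the suspended tabs stay open.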

That did not work, chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/history.html gave me a 404. I have uninstalled the extension, since I really can't afford to have something that will delete my data without notice.

@mcamou Do you have the extension enabled?

If so, go to extension's settings/options, then to Session Management, and restore from there.

The updated feature is good, but I wished there was a warning before these major changes. The history from the extension contains only tabs, no "windows", so all my suspended tabs go into 1 window, and I had to manually sort them out. Imagine this happened in the middle of work, when we needed those tabs as soon as possible.

I'm not sure what is going on. panic stations! i have lost control of the extension from the chrome developer dashboard. v6.22 does not even exist. i had no hand in this getting forced upon users.
i will update here when i know more :(

Oh my God...
Hopefully will get things done
really love the extension
maybe it is used by someone to steal user info?

I'm in contact with Google and they're helping me resolve the issue. Fingers crossed I'll have it back soon.
I've checked the code of the new version that has been pushed to the webstore. There is nothing malicious in it, just a version number change. I think the huge storm of activity is due to everybody suddenly being forced to update. It's something I had deliberately avoided doing for exactly this reason. It's a real shame, and the blame ultimately falls on me for allowing my developer account to be compromised.
Huge apologies to everyone affected by this. I'll try to work out the best way to get the message out to the non-github community.

Bravo

Maybe the new extension does not have malicious code in it, but once the users have accepted the new authorizations requested, and with the account in the hands of an unknown developer, it's just a matter of time when malicious code will start appearing.
Fortunately when I saw the new unjustified authorization requests I turned to github to see if they were genuine. But how many users will do this?
Please spread the word...

As the author explains finally: what he needs to "change all user data on all websites"??? This is simply not acceptable!!! Because it gives the author access to passwords and personal data!!! Why so abuse the trust of users??? And most importantly - this writer does not speak a word!!! WHY?!?

@romario300 see the author's (@deanoemcke) replies above

Thank you my friend, who answered! ))
But if that happened attackers broke Developer account, I think the author has himself everywhere wherever possible immediately notify all users that they are not updated and expand temporarily disabled until the problem is solved! Is not it?
Because many users will not delve into the nuances and do not know that you can not in any case allow any expansion modify all user data on sites (eg I did not previously know)!!! So many people do not understand and permit attackers!
This author also had to inform people as soon as possible! Is not it? Instead, the author sat quietly until many users have begun to ask about it! Is not that surprising?

Chrome is automatically disabling the extension, which causes all tabs with it to suddenly be closed. Scary and confusing; wish Chrome showed a notification for it. Checking the Extensions window, it shows "This extension contains a serious security vulnerability." under The Great Suspender.

@deanoemcke thank you for watching our backs, I love the extension! Once it gets restored, do you know if it will be possible to recover tabs that were closed? Regardless, I'll keep using it. It's the only way my machine can handle this many tabs being open...

There is nothing malicious in it, just a version number change.

So I can re-enable and continue using it without issue?

Sitting here watching a video and suddenly 85% of my tabs disappear. I look at the extension, see it disabled with a "this contains a serious vulnerability" message.

Took for granted how much I relied on this extension, just as I did the Firefox ones (700 open tabs over there).

Gotta love Google's walled garden with forced automatic updating of extensions and no way for the user to disable it without directly editing the extension's files. Shame Mozilla went AWOL with Firefox's design and forced me to change.. never liked how Google handles things, never will.

I just had the same thing. So... the security issue is real? Or we can re-enable the extension without a problem?

Oh, well this explains what happened to my tabs.

I lucked out a bit though, since I also use Session Buddy. I was able to restore most of my suspended tabs (except for a few that i suspended before last closing my browser...), though each one just gives a 404.

I saw a mention of chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/history.html in an earlier post. Does this mean there's a way to view the history of the tabs you've suspended? That would be handy.

@deanoemcke can you confirm last safe version is 6.22?

I just got wiped out by google's disable, which was surprising and confusing, but I suspect erring on the secure side is the right move here. @deanoemcke keep us posted on any resolution / recovery steps?

@anosci Yes if you go into the extension's settings you can view recent sessions (like yesterday).

Google marking this as having a vulnerability definitely happened within the last 10 minutes. The developer said he was in contact with Google after he found out his account was compromised. I suppose this is Google's solution, for the time being.

It's really weird someone would update this, request additional permissions but only bump the version? Why wouldn't they do more than that if they had negative intent to compromise the account in the first place?

The automatic updating actually worked perfectly on my desktop: When the addon updated (to the hacked version), the tabs disappeared, but then a TGS tab opened asking if i wanted to restore the tabs that closed (under the assumption that it had crashed). They went back where they were. It was great.

Now, of course, it has been disabled, and I understand that I shouldn't enable it. Still, just thought I'd share that anecdote.

The GitHub account wasn't compromised, just the chrome extension account.
If you're using a GitHub version of the extension you should be unaffected.

On Wed, 7 Jun 2017 at 9:38 AM, Shane Pope notifications@github.com wrote:

Was the bad update rolled out yesterday? What did it do? I can't recall hitting approve on a new permission but I don't remember.

@sammarcus how do you know they only bumped version? Wouldn't they have put malicious stuff in on their local machine and then bumped version on github to make it look like the latest?



@deanoemcke I'm so sorry this happened to you! I was just affected by Chrome mass-disabling the extension too, and I came here for more info.

Also, consider updating the readme.md with a short notice to let people know why their extension was suddenly disabled. That should reduce the amount of confusion everyone's experiencing 😝

Best of luck working with Google to get this figured out!

@shanempope I haven't examined the code from the recent Web Store version, I was only going off of @deanoemcke's comment from above.

@liamjohnston I feel confident in saying 98%+ of the people using this extension are using the version from the Chrome Web Store 😄

I hope it comes back soon. I was like WTF where my tabs are suddenly. :D
Disabled it at the moment.
Most useful extension of chrome. Keep up good work!

Came here also as suddenly my tabs disappeared. Had to give a closer look to find the related issue. +1 for README.md update 😉


Got most of my tabs disappearing a few minutes ago too (with Google's disable). Could recover from 2 days ago with FreshStart (supposed to save every 5 minutes? lol ..) & Session Buddy, but reenabling the Great Suspender extension and accessing the settings I was able to recover the most recent ones (chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/history.html).

About the version 6.22 (supposed malicious), a quick WinMerge shows 4 modified files: manifest.json, suspended.js, verified_contents.json, computed_hashes.json. Only a new (edit: empty) line in suspended.js and new version 6.22 in manifest.json, the 2 others are metadata.

Thanks for the transparency @deanoemcke :)

@Alex131089, what's the new line in suspended.js?

@jmehnle Literally an empty newline.

Thanks a lot Google: First you SILENTLY automatically update me to v6.22 out of the blue, THEN you get the bright idea to forcibly disable the extension which murders hundreds of suspended tabs out of my workflow just because you didn't give me a heads up about the updated file at time of updating (nor an option to AVOID the update)!

Well... yeah, they do that, because the update was published by someone other than the author, accessing his account illegally.

Guys, much as I appreciate the quick response from @deanoemcke we cannot take his responses to this problem as authoritative. It is more than possible that someone else has ALSO compromised his github account, and is telling everyone to "yeah go ahead and reenable it"...

Is there someone else familiar with the code who can verify that the code change was as simple and unobtrusive as claimed?

(Sorry @deanoemcke absolutely nothing against you, simply security best practice! When one thing is compromised, we can't trust anything linked to it)

@lgpmichael2 the only way you can convince yourself 100% is to check the source code for the v6.22 on your computer. this has been done by others above and they corroborate what I have stated.

@lgpmichael2 I built much of the UI. I can assure you that this is not an elaborate hoax :)

@liamjohnston Thanks for the corroboration, and my sincere apologies to @deanoemcke - I just felt we needed to be 100% sure.

@lgpmichael2 this is a fair point. adding as an additional anecdote, the great suspender twitter account (the one that tweeted today that it was safe) was just yesterday confused about someone saying the extension had been updated. I'm not sure how he can prove it's really him tweeting and writing in this thread, but I'm inclined to believe it is actually him since if it was the attacker tweeting, they wouldn't have denied there was an update.

He did also just link to this very thread just now, so if it wasn't him, I don't think he'd want to draw additional attention to it :)

@deanoemcke thanks for being responsive to this 🙏

So @deanoemcke - The Extension is back in your control completely now? Should we delete the one we see in our browsers (6.22) and just wait for you to update to 6.23 and then reinstall?

And then the Chrome Extensions page was moved at the same update. Quite a bit confusing. :-(

I guess I will wait for the security review. There could be some earlier changes that the intruder tried to put in use now. So I guess all the code needs to be investigated.

The update wound up deleting the extension, not just disabling it. I lost about 250 tabs.

Is there any way to get them back?

@crsmoore the extension is now completely back under my control. i have a new version pending review. i would actually reenable v6.22. and then when the new version comes out, it will automatically update.
@lborgman there is no trace left behind of the intruder in any of the code, including the v6.22 in question. and the new release that is pending review is built 100% from this gitHub source, so won't require any investigating.

I will be getting this from git directly for the future. Recovered my tabs, though it took quite a long time, computer with slow disk and more tabs than fit in memory.

@deanoemcke Even if there is no trace of code from the intruder, problematic code could come from someone else. Someone cooperating with the intruder. So please review all the code.

You can see the list of commits yourself on GitHub, here. Nothing is hidden. Folks - including the author - have supposedly done diffs with the contents of the extension and found no functional differences.

The thing I don't understand is why the extension auto-updated? According to #322 auto update wasn't enabled???? Maybe I'm missing something. Is it because the compromised version said that the extension was to be autoupdated?

@bhuvidya Exactly. A real dick move, whether they knew it or not.

So... v6.30 is safe?

Has anyone worked out how to extract the list of tabs without re-enabling the extension? It looks like the data is in ~/.config/chromium/Default/IndexedDB/chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.indexeddb.leveldb/, but I can't get any leveldb tools to open that.

Going here recovered my tabs: chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/history.html

At some point once you have a full handle on everything, a formal post-mortem and mitigation strategy going forward would be appreciated from the developer/security communities.

Admitting I know very little about how code is deployed to the Chrome store & associated policies: I agree there aren't suspicious commits in this repo (I also checked), but can we be certain that the v6.22 that was auto-updated yesterday came from this repo and didn't instead come from a fork of this repo with some additional malicious code?

So your dev account was compromised, maybe the person just wanted to give a scare and expose the problem? Very strange that nothing malicious happened.

6.22 auto updated to 6.30 after I reenabled it, and then chrome disabled it yet again. There's no longer a security warning on the extensions page.

What's up? is 6.30 official or another version released by the hacker?

v6.30 is official. It's a new release I put in place to replace the compromised v6.22.

Thanks @deanoemcke for your hard work!

Indeed, thanks to @deanoemcke for the hard work and for responding so quickly!

@ahtneio did you manage to recover your tabs? hopefully now that it's live again in the webstore you can reinstall and your data will be there? sorry, i'm not sure if the indexeddb data persists over an uninstall/reinstall.
@mpe i have also been trying to access the indexeddb files directly, but with no luck. there's a promising stack overflow question on it: https://stackoverflow.com/questions/35074659/access-google-chromes-indexeddb-leveldb-outside-of-chrome

@bryannaegele i will work on a formal post-mortem as soon as i have a chance.
@Ihysoal strange as it sounds, this is actually my best guess for what happened. i'll elaborate more in the post-mortem but the attacker did not actually do anything malicious at all (google account hacking aside).

Thanks for the 6.30 update which popped up, leading to a breadcrumb trail to follow for explanations as to what has been happening recently. I too lost a whack of tabs mysteriously. Fortunately, I also have Session Buddy installed and was able to recover several windows of tabs. Others might consider loading it as well: https://chrome.google.com/webstore/detail/session-buddy/edacconmaakjimmfgnblocblbcdcpbko No affiliation, but it certainly has been useful.

I don't understand how people lost their tabs.

After it disabled itself, I re-enabled it and loaded my old session history from the extension options. There were like 6 backups + the current session. I even saved the session file just in case, but never ended up needing it.

If you fully lost your session, then I'm gonna have to say you did something weird, or I'm a lucky use-case. I have no idea.

@bhuvidya That issue is 2 years old. Auto-updating was either added since then or Chrome itself took over that function with its forced addon updating.

@DAOWAce the issue might be two years old, but the last comment by @deanoemcke was 6 days ago, where he said he'd be leaving auto-update off.

https://github.com/deanoemcke/thegreatsuspender/issues/322#issuecomment-305549277

Hey @deanoemcke thanks for getting v6.30 out there - I knew I loved this extension a lot, but I didn't realise just how much til it all went buggery-boo. Like most developers, I probably have >200 tabs on the go at any one time. There must be a support group for this kind of behaviour. :)

So wait, I don't get it- are my passwords compromised? And don't tell me "just to be safe change everything" That's like two days of work; it's infeasible. I don't care about the tabs, that's trivial. Could the hacked version get my passwords or not? Btw, chrome never disabled it automatically.

@mkrier multiple times in this thread it very clearly states — through several independent people reviewing the diffs — that your personal information was not compromised since there was no malicious code in version 6.22.

@deanoemcke thanks for handling this unfortunate situation so well 🎉

Ok I read most of it- and right now I just searched the page and only found three comments that mentioned "password" or "personal", one of which is what you just posted. And only yours provides that confirmation explicitly.

Btw this extension is awesome, I donated $5 a while back and told a friend of mine to try it and do the same. This is so great, thanks.

Thanks @deanoemcke for handling this so promptly, and for having such robust crash-recovery code even prior to version 6.x - when my tabs went AWOL, tracked down this thread and decided to just wait it out, and lo and behold got back from dinner to find the crash-recovery TGS blurb-tab open, which successfully restored everything; if I'd been as AFK-productive as I'd planned when waking up this morning, would've not even noticed the issue before it resolved.

So, I didn't realize this extension WASN'T auto-updating... anyone wanna summarize the high-points of the changelogs between 4.x and 6.3? What new features have we received as compensation for a temporary bug? Also - will autoupdate be staying enabled for the foreseeable future? Can #322 get closed now?

@crafty-geek unfortunately #322 is here to stay. which probably means that v6.30 is also here to stay. the way the extension works, tabs are tied to the extension process. i have experimented with multiple ways around this, but have not come up with anything workable.

Not quite true actually. The solution is in The Great Discarder (my sister extension: https://chrome.google.com/webstore/detail/the-great-discarder/jlipbpadkjcklpeiajndiijbeieicbdh?hl=en)
This uses native chrome tab discarding instead of relocating the tab url. It has a much lighter footprint as it doesn't require content scripts or a persistent background process. It also requires much lighter permissions. And it is fully compatible with chrome tab syncing across devices. And most importantly, it doesn't lose your tabs when the extension updates!
The tradeoff is that it has much less functionality. It cannot detect if a tab contains unsaved form inputs, it cannot save a placeholder screenshot, and most annoyingly, if you return to the tab (even if you are just 'tabbing through' a discarded tab) it will reload.

The main thing I disliked about these auto updates (other than the security scare, which you've already addressed) is that they happened without restarting the browser at all -- just boom 1000+ tabs suddenly vanished (and this happened three times today alone). They weren't in the Suspender's session tracking either (at least not the first time -- most of them were in there by the second and third times), but fortunately I also have Session Buddy which managed to get back all but a few very recent ones.

If updates are going to destroy tabs, is there some way to disable updates while the browser is open? For that matter, why is this trying to bundle session management when there are already other extensions for that?

(I don't mind as much the possibility of losing tabs across browser restarts, because at least they have robust saved sessions per startup. But tab tracking during a single session can be more dicey, because you're at the mercy of whether it chooses to overwrite the session with the missing-tabs version before you notice that you've lost tabs.)

@uecasm it's a 'feature' of how google handles extension updates. there is no way to know if an update is coming, and there is no way for a user to manage that update manually. the situation today (of multiple updates) was a rare case caused first by an unsolicited update, secondly by chrome removing the extension from the webstore, and then thirdly, from the legitimate version being installed when the extension appeared back on the webstore.

This is precisely why i had disabled automatic updates (from my end). The end user has no control over this (unless you install the extension manually from the source here on gitHub).

The reason the extension bundles session management is for this exact problem of tabs disappearing on update. In order for me to recover the lost tabs after an update, i need to keep track of the tabs currently open.

If it's possible to disable the silent-update-while-running behaviour (maybe via an option), that would be nice. Or was today just a once-off, and automatic updates are disabled again?

Regardless, maybe the "the extension has just been updated and killed all your tabs" page should have a link to the tab restoring page, with specific advice as to which thing to click on (presumably the "resuspend" link in one of the recent histories). Or it should just do that automatically as well, although that might still be annoying, since at least today it's never been completely correct (maybe that will be better in future with "normal" updates though).

It still ends up reordering tabs and opening new windows, so it probably shouldn't be automatic. But better-guided would be nice, if it's unavoidable.

Given that you have page-content-rewriting permissions anyway, would it be possible to discard the page content on suspend without actually rewriting the URL? That way the tabs shouldn't disappear with the extension. Perhaps this wouldn't release as much memory, though, and means session managers would save the unsuspended URLs if they're not taking full content snapshots. So it's not perfect, but might be better.

it cannot save a placeholder screenshot

@deanoemcke I believe saving the placeholder screenshot is still possible with The Great Discarder. Showing it is another story.

A way to save it may be to listen for autoDiscardable/discarded tabs in chrome.tabs.onUpdated, and then use chrome.tabs.captureVisibleTab to capture a screenshot.

Thanks for the great extension!

So are automatic updates now enabled or disabled?

Also, and this is a bit a shot in the dark: on my Linux machine (but not on my much faster Mac) I've been seeing an issue where I'd close unwanted (recent) tabs before quitting Chrome only to see them reopened when I relaunch the browser. Could that be in any way related to TGS's session management or some kind of interaction it has with Chrome's own session restore?

Just to say, I have to congratulate and thank @deanoemcke for his quick handling and transparency regarding this issue. Some might say it could have been better, however, as an open-source developer, he has shown commendable diligence in this.

Thanks for the updates but I have to take into account that there might have been a malicious activity because yesterday around 12:45 someone tried to login and reset my password on one of my accounts. I suspect it was because of this hack. Not 100% sure though. Just letting you know.

Agree with @mcamou about @deanoemcke's quick handling and transparency on this. Many thanks.

It would be helpful to publish a timeline of events.

On Wednesday June 07 2017 01:51:17 Denizhan wrote:

Thanks for the updates but I have to take into account that there might have been a malicious activity because yesterday around 12:45 someone tried to login and reset my password on one of my accounts. I suspect it was because of this hack. Not 100% sure though. Just letting you know.

If I understand what has been going on, that can only be related if you actually loaded the account access page in the short time window that you may have had the compromised extension installed. The fact that an attempt was made to reset your password means "they" didn't get your current password (or else they could have changed it and locked you out).

@deanoemcke just a thought, maybe there's a way to push an update which only shows what's coming next, then push the next one maybe after a week. So the user can be warned and maybe prepare beforehand in case such a thing happens.

I just disabled the extension on "Ignito" pages and got the "uh oh crash" page. Was that an actual crash or again something related to "the issue"?

Dear, I don't understand what the impact is on the user data (username, password, browser history, etc.) of thegreatsuspender's users.

Do I need to change all passwords? Do I need to do something?

thank you a lot and best regards

In trying to work out what had happened to all my tabs yesterday I restarted Chrome numerous times. As a result the "Recent sessions" page only shows these near-empty sessions rather than the one I actually require. Is there any way I can recover an older session / get my tabs back? Thanks.

Just lost my tabs once more and found the extension disabled on Linux.

WTH? Some kind of notification when this happens would be nice, instead of having to wonder what happened to all one's tabs...

this plagued me as well.

However, after update make sure the extension is enabled, and I was able to restore my session by going to extension's settings/options, then to Session Management, and then selecting a session to restore.

not ideal, but perfectly acceptable workaround.

not ideal, but perfectly acceptable workaround.

Less so each time you have to go through the motions again...!

Yesterday 72 tabs disappeared from my browser as if they were never there. I already had my cat punished for allegedly catwalk'ing on my keyboard. And here it is - the extension I like the most was actually to blame! Oh well :)

Just now I came home from work and woke up my laptop. And guess what! The extension auto-updated itself and restored all my tabs itself. How cool is that! Hats off to the author @deanoemcke . Really man, thank you :) Nice trick you did there! Very customer-oriented attitude.

I would like to emphasize that you people with 50+ tabs consistently suspended have _an actual problem_.

@Ihysoal what kind of problem do you mean?
Lack of support in Chrome for power users?

Want to reiterate the recommendation for Session Buddy, but also- most people don't know this- If you quit chrome from the taskbar (in windows at least) by right clicking on it, then you only get the top window restored. Whereas, if you quit it within chrome itself from the settings menu, you get all of them back. (I mean, as a general thing- not a specific issue with Suspender, I'm just saying as a general thing about chrome.)

I don't know if that's true in Ubuntu because I figured that out back when I was running windows before I made the switch. (And I'm not going to test that here lol)

@Master-1-

someone tried to login and reset my password on one of my accounts. I suspect it was because of this hack.

Chrome extensions are sandboxed to the extent that any damage would have had to come from the code we've inspected. It's been reviewed line by line and there wasn't anything malicious. So it would have had to have been something else.

It appears that this morning's update has fixed this issue - Chrome is no longer reporting a serious security vulnerability with this extension.

👍 Fantastic work @deanoemcke - absolutely spectacular turnaround on this issue! 👍

deanoemcke wrote:

_"the blame ultimately falls on me for allowing my developer account to be compromised."_

So that others could benefit from the lesson...

Please disclose the method of compromise.

@Master-1-

Thanks for the updates but I have to take into account that there might have been a malicious activity because yesterday around 12:45 someone tried to login and reset my password on one of my accounts. I suspect it was because of this hack. Not 100% sure though. Just letting you know.

Note that this can also happen if one of your suspended tabs happened to be a password reset page, and during the course of things it was reloaded unsuspended at some point. (This shouldn't be the case since password resets should use a nonce so they're invalid if the page is reloaded, but many websites don't do that, so this can indeed happen.)

so what happened today? I had 6.30 enabled, but all my tabs disappeared again, and they're not in the session manager this time. Strangely, the extension was still enabled.

Is there a file I can grab from time machine or a full backup I have to get my crap back?

Edit:
the answer is yes. the files that mattered were in the Indexeddb folder.
Here's the full path on OS X: ~/Library/Application Support/Google/Chrome/Default/IndexedDB/chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.indexeddb.leveldb

restoring that folder from my backup got me my tabs back.

@Master-1- The compromised extension did not contain any malicious code (thankfully!). I ran checks over the unsolicited release and there were no actual code changes in there. So there is no chance that this event is related to any hacking attempt you might have seen. I'm still unsure as to exactly what the intentions were of the attackers. Perhaps ownership was restored to me before they had a chance to implement whatever they had planned.

@faultylee Any update will cause loss of tabs, so it's impossible to pre-warn. And I feel like such a message would just cause general confusion anyway. I still believe that the best way to handle this going forward is to simply NEVER UPDATE the extension automatically. As long as the code is relatively bug-free then this is the best course of action for the sanity of the users.

Any update will cause loss of tabs, so it's impossible to pre-warn.

I don't see how that would be so. A warning would be useful for those users who have an independent method of saving and restoring their browsing session; they'd be forewarned.

And I feel like such a message would just cause general confusion anyway.

Make it optional. Or use something here on GitHub that interested parties can track (subscribe to) and where you announce pending updates.

But isn't there a way around this all? As a user I can tell the extension to unsuspend all tabs, what if you make it do that before updating, so that those tabs are no longer owned by the extension? I don't know if you can detect "I'm going to be updated" events, or even "I'm going to quit" but it seems the extensions API must provide something of the sort to allow extensions to clean up after them when the user disables or removes them.

@RJVB thank you, that's what I meant.
@deanoemcke I suspect the reason those tabs are lost is that there are 2 new permissions which Chrome needs to request the user to accept. If a "warning message" is pushed one version before, like what @RJVB describes, without those new permissions, then it should not have caused the tabs to be lost.

I don't mean to sound ungrateful, I'm actually grateful and happy with the extension thus far. Just looking for a way to make the experience even better.

After all, I would actually blame Chrome for this shortcoming, as it has a very broad API to allow devs to do almost anything, and imposing certain features (like autoupdate) without setting any guideline in terms of user experience.

Dumb question: does Google have any policies which would prevent there
being 2 copies of the extension in the webstore, with the only substantive
difference between the two being the auto update setting? So "The greater
suspender" could warn about auto update hassles in the store description
and on first install, but allow the user to opt in to the latest features?

crafty_geek

@RJVB

But isn't there a way around this all? As a user I can tell the extension to unsuspend all tabs, what if you make it do that before updating, so that those tabs are no longer owned by the extension? I don't know if you can detect "I'm going to be updated" events, or even "I'm going to quit" but it seems the extensions API must provide something of the sort to allow extensions to clean up after them when the user disables or removes them.

This is exactly the issue. The API does not provide any ability to detect "I'm going to be updated" or "I'm going to quit". There is only an "I'm going to be uninstalled" which does not help. Therefore, once again I reiterate, the only person who knows when an update is coming is me, based on when I push a new version. Even then, I cannot control when this version will be updated on a client's browser.

I could post a warning, but then how long do I wait before pushing the update? Waiting less than a day, I risk most users not getting a chance to read the warning. Waiting more than a day, I risk users forgetting about it, creating many more tabs, and then getting caught off guard when the update does happen. I'm not saying warning users is a bad idea, just that it is far from an elegant solution to the problem.

My ongoing policy with updates has always been to warn users first. However, my ongoing policy has also been never to push an update, so I've never actually had to exercise this warning.

@faultylee
The reason tabs are lost has nothing to do with elevated permissions. It is purely a consequence of the extension having to restart to perform any sort of update. As soon as an update is forced by Chrome, the extension is forced to close (without warning). This causes all suspended tabs to disappear.

I have integrated some session management code which should detect this situation after the update and automatically restore these lost tabs. However, the code is not foolproof and does not work 100% of the time. And it assumes the extension remains enabled - which was not the case for a period of time during the incident recently.

@crafty-geek This has been suggested before. The idea of the Great Suspender beta which is subject to updates at the user's risk.

There's nothing stopping me doing it. I don't really like the added confusion that would create on the webstore, but I might consider it if there is enough demand. You can always install the latest code from the GitHub project page so that is essentially the work-around.

@h3298 I am currently working on a post mortem of the hack and will post it as a Medium article shortly.

Closing this issue as it doesn't reflect the issue title and is a bit messy. Consider this the official thread for 'fallout from the extension being compromised'

For issues related to lost tabs caused by the extension updating, please refer to this issue: https://github.com/deanoemcke/thegreatsuspender/issues/526

@deanoemcke could you please post here the postmortem URL whenever it's ready. I don't know how to find you on Medium.

@x1ddos that's because I'm not on Medium (yet) :)
Will post here once it's done, although I haven't started yet. I wanted to get the guide for recovering lost tabs done first (https://github.com/deanoemcke/thegreatsuspender/issues/526)

On Thursday June 08 2017 09:00:53 Dean Oemcke wrote:

This is exactly the issue. The API does not provide any ability to detect "I'm going to be updated" or "I'm going to quit".

So doing an update =/= uninstall + reinstall? Sounds like a missing feature someone should propose to add to the API!

So how does regular session restore work?

warning, but then how long do I wait before pushing the update? Waiting less than a day, I risk most users not getting a chance to read the warning.

A day should be fine for those of us always online (and thus probably most likely to be affected) but more will indeed allow more users to be informed. I wouldn't worry about users forgetting between the alert and the actual update; that's their problem.

@deanoemcke Was curious if you ever did a write-up about this now that it's all over. Would be interested in hearing your insights and experience!
