Score:1

Why is hashing a seed to generate a key and using chaining to get the rest of the key material not secure?


Here, a user says this about using a seed to generate a key that is larger than the digest size:

"Do not use hash chaining: that's a bad way of constructing a key derivation function from a hash. If the output is H(S) || H(S||H(S)) || H(S||H(S||H(S))) || …, then it's possible to reconstruct the whole output from the first n bytes where n is the length of the hash. How bad this is depends on how you're using the output material, but even if it's not completely broken, it's less secure than it could be with the same level of complexity and performance."

H is the hash, S is the seed.

I would like to know why this applies to chaining used in that case.

Score:1

"If the output is H(S) || H(S||H(S)) || H(S||H(S||H(S))) || …, then it's possible to reconstruct the whole output from the first n bytes where n is the length of the hash."

I don't believe that Gilles is correct at this point; for a standard cryptographic hash function (e.g. SHA-256), it is usually not possible in general to predict $H(S || X)$ from $X$, $H(S)$; this remains true even if we give the attacker a long series of $(X', H(S || X'))$ pairs.

And, the only reason I say that it is "usually" not possible (rather than give a blanket statement) is the existence of length extension attacks that apply to some hash functions (including SHA-256); there, it may be possible (but only if $S$ had the right length and the bits in $X$ happened to be the correct values - not likely in this case). And, these length extension attacks do not apply to other hash functions, such as SHA-3.

swineone:
Maybe the attack he had in mind was bruteforcing S?
poncho:
@swineone: such a brute force attack would work against any bitstream generator that was seeded solely by a weak key...
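
The construction quoted in the question, next to a seedless chain for contrast, as an added example that is not part of the original answer or comments. SHA-256 as H, the seed value and all function names are assumptions made here; the code checks how many blocks an observer can reproduce from the first block alone, and does not model length extension.

```python
import hashlib

SEED = b"constructed-example-seed"  # constructed sample value, not from the page

def H(data: bytes) -> bytes:
    """The hash H from the question; SHA-256 is an assumption made here."""
    return hashlib.sha256(data).digest()

def chain_with_seed(seed: bytes, blocks: int) -> list[bytes]:
    """H(S) || H(S||H(S)) || H(S||H(S||H(S))) || ... (the quoted construction)."""
    out, prev = [], b""
    for _ in range(blocks):
        prev = H(seed + prev)  # every block mixes the secret seed in again
        out.append(prev)
    return out

def chain_without_seed(seed: bytes, blocks: int) -> list[bytes]:
    """H(S) || H(H(S)) || H(H(H(S))) || ... (a different chain, for contrast)."""
    out, prev = [], seed
    for _ in range(blocks):
        prev = H(prev)  # the seed is only used for the first block
        out.append(prev)
    return out

def continue_from_first_block(first_block: bytes, blocks: int) -> list[bytes]:
    """What an observer can compute from the first n bytes alone, without S."""
    out = [first_block]
    while len(out) < blocks:
        out.append(H(out[-1]))
    return out

def blocks_predicted(stream: list[bytes], guess: list[bytes]) -> int:
    """Number of leading blocks of `stream` that the observer's guess reproduces."""
    count = 0
    for real, guessed in zip(stream, guess):
        if real != guessed:
            break
        count += 1
    return count

if __name__ == "__main__":
    for name, make in [("seedless", chain_without_seed), ("seeded", chain_with_seed)]:
        stream = make(SEED, 4)
        guess = continue_from_first_block(stream[0], 4)
        print(name, "blocks predicted from the first block:", blocks_predicted(stream, guess))
```

Only the seedless chain is fully reproduced from its first block; for the seeded chain the observer gets no further than the block already seen.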