I run a website called Uploader window (www.uploader.win) that helps users to add an upload widget to their own apps or websites.<p>This morning I got a message from Google that my site has been blocked for being Deceptive and it has listed my homepage as the deceptive URL. Anybody who opens the site gets a big red screen with a warning.<p>I've checked the source code by hand and everything I could check and I can't find any reason for hack or any security issues.<p>The only possible reason I can think of is we have a demo on our homepage which allows users to upload test files to try out the uploader and we offer a 20MB test space to help users during development. All test files are deleted after 24 hours. I have also disabled both these features since. But Google didn't say if this was the cause.<p>I've submitted a review to Google but not sure how long it will take.<p>We have paying customers and all sites which have our script are now showing this warning too.<p>I am feeling super helpless and super scared how this is going to affect them.<p>Do you know of any way I can expedite the review? Anything you can suggest to help me?
Hey guys! Great news.<p>Looks like Google just removed us from the blacklist. Maybe somebody from Google saw this or maybe I got reviewed quickly but I couldn't be happier.<p>Here are a few things I did:<p>- Removed all inline images (As mentioned in my other comments a lot of virus sites were tagging me base64 embedded due to inline images)<p>- Disabled test uploads for now. I will probably make the test file expire after 2 mins and never host them on the same domain<p>- Moving the external scripts to another domain. You never know what can get you blacklisted so best to keep customer facing part separate from main domain.<p>I cannot be more thankful to all the people who replied and offered suggestions. You guys rock!<p>P.S. In case you guys are still seeing the red screen of death, please let me know.
You say "All test files are deleted after 24 hours.", that implies to me that files people upload _could_ be downloaded too.<p>If that is the case, that is where you are vulnerable. Free hosting of a file at a trusted domain is worth something.<p>If people are not intended to be able to download their test files, check your logs, someone might have found a way around it.<p>That's the best I can think of.
First and foremost, host the hosted script that you let users use on a different domain - especially if you're letting random people upload random files to your primary domain!
I'd report it as incorrect, but I can't even ignore the warning (Firefox, clicking proceed anyway just pops up an additional 'deceptive site' banner that follows me even after navigation away /shrug) - so I can't really justifiably report it sight unseen.<p>Where does the upload go when your customers use it on their site though? Maybe what's deceptive is that if HN shows an upload area in an iframe or whatever, and I upload something, I expect that I'm giving it to HN, but really it's gone straight to you at Uploader.win?<p>(Fwiw I also think uploader.win is not a great name, your search result looks like it's a good tool, but the name sounds sort of scammy, like the kind of thing you'd get if you searched 'free download exe' or something.)
I just had a look on Ahrefs and couldn't notice anything weird.<p>One thing I did notice is that you have your JPGs inline. McAfee and other virus protection apps are completely trigger happy anytime you encode a substantial amount of "code" (yes it's an image). I would try removing the inline images and linking them and see if that makes any difference.
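The suggestion above, to link images instead of inlining them, can be checked mechanically before and after the change. This is an added example, not code from the thread or from uploader.win: it lists the `data:` URIs embedded in a page (in attributes and in `<style>` blocks) with their decoded sizes. The 2048-byte threshold, the function names and the sample page are assumptions made for illustration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# data:[<mime>][;param...],<payload>  (payload ends at whitespace, quote or ')')
DATA_URI = re.compile(r"data:([\w.+-]+/[\w.+-]+)?((?:;[\w=.+-]+)*),([^\s'\")]*)", re.I)

def decoded_size(params, payload):  # bytes the payload decodes to
    if ";base64" in params.lower():
        try:
            return len(base64.b64decode(unquote_to_bytes(payload)))
        except ValueError:                 # bad padding: estimate from length
            return len(payload) * 3 // 4
    return len(unquote_to_bytes(payload))

class InlineAssetAudit(HTMLParser):
    def __init__(self, threshold):
        super().__init__()
        self.threshold, self.in_style, self.findings = threshold, False, []

    def _scan(self, where, text):
        for mime, params, payload in DATA_URI.findall(text):
            size = decoded_size(params, payload)
            if size >= self.threshold:
                self.findings.append((where, mime or "text/plain", size))

    def handle_starttag(self, tag, attrs):
        self.in_style = tag == "style"     # <style> bodies can hold url(data:...)
        for name, value in attrs:
            self._scan(f"<{tag} {name}>", value or "")

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self._scan("<style>", data)

def audit(html, threshold=2048):  # -> [(location, mime, decoded_bytes), ...]
    parser = InlineAssetAudit(threshold)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: inline PNG in CSS, inline JPEG, tiny GIF, linked image.
_b64 = lambda n: base64.b64encode(bytes(n)).decode()
SAMPLE_HTML = (f"<style>.logo{{background:url('data:image/png;base64,{_b64(3000)}')}}</style>"
               f'<img src="data:image/jpeg;base64,{_b64(4096)}">'
               '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw="><img src="/img/hero.jpg">')
```

Calling `audit(SAMPLE_HTML)` reports the CSS background and the JPEG; an empty result after a cleanup means no inline asset at or above the threshold remains on the page.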
Is Search Console giving any useful info?<p>FYI your domain seems to be blacklisted by Firefox, McAfee, Sophos among others [0]<p>[0] <a href="https://www.virustotal.com/gui/url/e75b77237f60332ef78b2399cfc49cbc9084d16498c93fef5a6ef9806b7f8159/detection" rel="nofollow">https://www.virustotal.com/gui/url/e75b77237f60332ef78b2399c...</a>
I don't really know any way around other than that we can report the incorrect phishing warning here:<p><a href="https://safebrowsing.google.com/safebrowsing/report_error/?url=http%3A%2F%2Fwww.uploader.win%2F&hl=en-US" rel="nofollow">https://safebrowsing.google.com/safebrowsing/report_error/?u...</a>
Your domain name confused me when I first saw it: uploader.win seems related to Windows at first sight.
Whereas your product has nothing to do with Windows.
Something like [catchy-unique-name]-uploader.[com/io/app] seems less misleading.
Obviously you're a small business and this isn't a feasible option, but I wonder if you had a case to sue Google for libel.<p>They're telling people that your business is dangerous and could harm them.