Hey HN. Posting this here in the hope that someone who can help sees this. I work on security and compliance at Buffer. A couple of hours ago, Google blocked our entire domain start.page and now shows the "The site ahead may contain harmful programs" warning when trying to visit any subdomain.<p>start.page is the primary domain for hosting Buffer's link page product. E.g.: https://buffer.start.page . About 24 hours ago, a spammer created a start page which <i>linked to</i> a .rar malware file hosted on Google Drive. We did not host the file. Just carried a link to it.<p>That page was detected during our routine content moderation this evening but it had also been reported to Google. We have removed the content at this time and submitted the start.page domain to Google's review process.<p>In the meantime however, instead of blocking the individual subdomain that had linked to the malware, Google has blocked our entire domain start.page which means that all valid customers are also affected by this. Any customer start page visited on desktop/android now shows the scary red screen warning.<p>Reaching out on HN right now to see if there's anyone at all on Google who can help expedite the review process so that our customers aren't further affected by this.<p>Also, if anyone from Google sees this I can further help by sharing information about the linked Google Drive file. It's password protected so I'm guessing that that helps it bypass detection.<p>Thanks. Fingers crossed for this since I've never done/had to do this before.
> <i>a .rar malware file hosted on Google drive</i><p>By the same standard of guilty until proven innocent, should they block the Google Drive domain, and warn all users that Google Drive is unsafe/malicious, during the same review period?
I don’t know if it’s exactly the same, but I had an old DNS record pointing to a deleted DO droplet. Then someone started hosting a phishing site on a droplet with the same IP, which led to my domain getting flagged as a phishing site. I was able to go to the Google Search Console and submit a ticket, which was resolved in a matter of hours.<p>See the instructions here: <a href="https://support.google.com/webmasters/answer/6347750?hl=en" rel="nofollow noreferrer">https://support.google.com/webmasters/answer/6347750?hl=en</a>
> The site ahead may contain harmful programs<p>We had that. The site got hacked and was hosting a trojan distribution point. Very discreetly. Once removed, we requested re-evaluation via the Google Webmaster's console and the flag was removed.
I don't know what you can do for immediate action, but usually Google does reverse their domain safety status quickly after the offending content is removed. 72 hours might be enough for this to go away.
Tangentially... I try to not use any third parties that say what I can/cannot see. That includes SafeBrowsing, which I disable via...<p><pre><code> browser.safebrowsing.blockedURIs.enabled
browser.safebrowsing.downloads.enabled
browser.safebrowsing.downloads.remote.enabled
browser.safebrowsing.malware.enabled
browser.safebrowsing.passwords.enabled
browser.safebrowsing.phishing.enabled</code></pre>
I'm shocked no one has pointed this out yet, but it's a really really bad move to host user-submitted content on your primary business domain. There's no such thing as subdomain culpability in the way the Internet is operated.
This sort of thing has not been at all uncommon for Google over the past few years. I’m looking forward to the day when they no longer have this level of power to make or break tiny companies. With any luck, they will either stumble with LLMs and become irrelevant or emerge as only one of several companies and be forced out of their monopoly.
Heh, isn't Google great...<p>"Here is a test suite that can show if your AV/whatever detection tool works"<p>Google: "Kill it with fire, I get to choose what people see on the internet"
Quick update here: The block has been lifted and our domain has been marked as safe. This was a way better timeline than I could have hoped for given that it's still Sunday night in the American and European markets and it's still early morning in Asia. Australia, New Zealand and anything further than +7 GMT would have been minimally affected.<p>I really appreciate the community here sharing thoughts, similar experiences, and ideas on what to do. First time I've heard of the public suffix list for this.<p>A quick question to anyone who happens upon this: How does one prevent this issue from affecting an entire site in general? Is there a grace period that Google gives a verified (via search console) site with a security issue? If not, then I'm curious how to protect a site which is targeted by malicious groups via comment widgets or if they host content using paths instead of subdomains. E.g.: medium.com uses paths to go to user generated content. How would they defend from having their entire domain blocked if someone created a publication that linked out to malware?<p>Cheers all!
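Added example, not from the thread or from Buffer, for the monitoring side of the question above: a script that builds a Google Safe Browsing v4 Lookup API request for hostnames you operate and reads the response to tell a domain-wide listing apart from a single flagged subdomain. The hostnames, client id and the sample response are assumptions constructed so it runs offline.

```python
"""Added example (not the thread's or Buffer's code): build a Google Safe
Browsing v4 Lookup API request for hostnames you operate and summarise the
response to tell a domain-wide listing apart from one flagged subdomain.
The response below is a constructed sample so the script runs offline."""
import json
from urllib.parse import urlsplit

LOOKUP_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"

def build_lookup_request(hostnames, client_id="domain-monitor", client_version="1.0"):
    """JSON body for threatMatches:find covering one URL per hostname."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": f"https://{h}/"} for h in hostnames],
        },
    }

def summarise_matches(response, queried_hosts, apex):
    """Group matches by hostname and judge whether the apex itself looks listed.
    Safe Browsing matches a URL when any host suffix is listed, so a block on
    the apex shows up as a match for every queried subdomain at once."""
    flagged = {}
    for m in response.get("matches", []):
        host = urlsplit(m["threat"]["url"]).hostname
        flagged.setdefault(host, set()).add(m["threatType"])
    return {
        "flagged": {h: sorted(t) for h, t in flagged.items()},
        "apex_flagged": apex in flagged,
        "likely_domain_wide": all(h in flagged for h in queried_hosts),
    }

# Constructed sample for the thread's scenario: every queried host comes back
# as MALWARE, which is what a listing of the apex domain itself looks like.
HOSTS = ["start.page", "buffer.start.page", "customer-a.start.page"]  # example names
SAMPLE_RESPONSE = {"matches": [
    {"threatType": "MALWARE", "platformType": "ANY_PLATFORM", "threatEntryType": "URL",
     "threat": {"url": f"https://{h}/"}, "cacheDuration": "300s"} for h in HOSTS]}

if __name__ == "__main__":
    print(json.dumps(build_lookup_request(HOSTS), indent=2))
    print(summarise_matches(SAMPLE_RESPONSE, HOSTS, "start.page"))
```

Sending the request body to LOOKUP_ENDPOINT needs a Safe Browsing API key; the apex being absent while a single subdomain is present is the "only one page flagged" case, the one the thread wished had happened.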
The project I work on, which also hosts user-generated content, ran into related problems:<p>- Outlook365 blocking any emails containing our domain<p>- ISPs blocking our domain via DNS filtering<p>In each case the blocklisting process was far from transparent and mitigation was difficult and stressful.<p>If you're in the same boat, reach out to me (email in profile). I believe we can make this topic a little less scary by connecting and sharing learnings.
My experience with this was front page material a while ago - the linked article contains info on how I dealt with it and preventive measures (that you are probably too late to implement now).<p><a href="https://news.ycombinator.com/item?id=25802366">https://news.ycombinator.com/item?id=25802366</a>
I've seen this happen at $EMPLOYER and it actually went beyond the website. Any email you send that has the URL/domain in the text (e.g. in the signature) gets flagged by Gmail or any G Workspace email server with a big red warning. So, all customers who use Google's email servers (directly or indirectly via G Workspace) will get the red warning banners on all emails sent from anyone in your organization. Now THAT gets annoying real quick.
I have never seen any websites host more malware than Office365 and Google Drive.<p>Blocking THOSE two domains would likely resolve half the malware issues on the web, create a temporary flurry of confusion, and then accidentally solve the other half as people are forced to understand what saving files to a cloud actually entails.