Why are you reading this? Go outside. Do something meaningful with your life.

Friday, January 23, 2009

Cross-site Warnings

Several browsers use data from Google's malware list to protect users. Firefox 3, Chrome and Safari all check sites that users are visiting against Google's list and warn users if they are about to visit a dangerous site. There are some small differences in implementation across browsers that can cause confusion.

All three browsers check the address of the top-level page a user is navigating to. That protects most users in most cases. But, a web page can include content from another web page and if the included content is malicious then users may be exposed. Chrome (and Safari*) check every request against Google's malware list. This means those browsers will protect users even if malicious content from a flagged page is embedded on a non-flagged page.

Although that approach provides better protection for users, it may be confusing for webmasters if content on their site comes from another site. Some users (those with Chrome or Safari) will get warnings even though the webmaster's site is not blacklisted. Because the webmaster's site isn't blacklisted, they won't be able to request a malware review via Google's Webmaster Tools. Fortunately, this situation usually doesn't exist for very long. Google's scanners have already identified the embedded content as malicious but they haven't yet flagged the webmaster's site that includes the dangerous content. As they continue to crawl the internet, the scanners will quickly flag the webmaster's site.

If you're a webmaster in this situation, you'll need to examine all the content you're including from other websites. Look carefully at the warning page that browsers display since it usually includes the name of the domain that caused the problem.

* I can't say for certain exactly how Safari behaves because I haven't seen the code. But based on observation, Safari seems to have adopted the approach of checking every request.

Updated: FF3.5 checks every request against the blacklist and helps better protect users. FF3.5, Chrome and Safari all behave the same now.


Unknown said...

Very helpful and reassuring - Gordon Smith

Unknown said...

Good info, thanks.

What's disconcerting is the inability to get a review if my site is not the offending site, only the "linking to" site. From the webmaster perspective, it doesn't matter where the content is coming from... injected malware, a bad link, forum posts..... if the webmaster sees the error, they should be able to clean up their site and request a review.

my 2¢,

Unknown said...

Thanks for stopping by, Joe.

In a situation where a website has a cross-site warning, there's no need to request a review. If the webmaster cleans up their site then the browsers won't see any requests to dangerous site so no warnings will be displayed.

ian said...

Can a cross-site warning result from the ads carried on my site from providers such as Burstmedia, Valueclick, Amazon, or even Google's own ads? And of course, they also use other third-party providers to fill.

I ask because a reader alerted me that he was receiving a malware warning, but the associated diagnostic report he forwarded was for an IP that was not mine. (It was one of a block of IPs hosted on another continent.)

Unknown said...

@ian - Yes, that's one way a request could be caused by your page. But, it's more likely that you've been compromised and don't realize it yet. Malware goes to great length to hide from webmasters.

Tim Morris said...

I got flagged by google for malware. I cleaned my site, tested it, as well as google who found it clean. Google removed the malware danger link from my site in their search. Now, in google search, when you click on my link, a page comes up that states:

Warning - visiting this web site may harm your computer!

However, in my webmaster diagnostics google says that I am good to go - clean cpmpletely.
I did not cause this, other sites linked to me. Upon closer in spection, and clicking on the flag-pages diagnostics link, it also states, by google, that I no longer am infected; although, there are two site links showing that have apparently linked to me that apparently have the malware or virus.

My question to anyone who knows - How do I remove the "warning" page so that my index or home page shows when my site-link on google search is cliked on?


Unknown said...

how do i clean my website...anybody with explanation should please send comments to naughtykema@yahoo.com.


Tele2002 said...

Hi useful info, but as a complete amateur how do I actually know what is wrong....

Can you look at my code and tell me if there is anything that shouldn't be there in it, I have verified the site with google and have analytics on it. I've also registered it with Symantec and MacFee and they have both given it a clean bill of health.

Just people get the message and automatically assume that my site will infect them with something.

Tim Morris said...

Is your site flagged by google?

Tim Morris said...

I got a clean bill of health from google, but still had a line of funky malware code in between header and body tag. It was not visible from view page source. I had to fish it out by placing my page-code in a editor an removing and re-uploading to server.

UBlog said...

Since the last update to firefox its been almost impossible to be able to open links in google and other search engines without the link being dead, or redirected to a spam site via js.doubleclick.net
I heard js.doubleclick has been purchased by google.
I don't have this happening via IE - but only via firefox searching google. Perhaps there is a vulnerability issue?

Dawn said...

I am facing same problem with my site.
my site url- www.moviesworld4u.com.

it showing "Worning: This site may harm your computer." .

How can I remove it from my site..
Pleaseeeeeee Help me ..
mail: arealdude@gmail.com

ian said...

First, Google is (at time of writing) flagging your account as "suspicious".

Go to
enter your website url and get a security report. Look for links that don't belong there.

Then get Google's info page by clicking on the link on above page.

There are additional links to information on these pages.

Finding the cause may be a long and miserable experience. Google will correct its listings promptly when you fix the pages. Microsoft Bing lies in its blog when it says it will clear their dangerous site warning message in "days not weeks". It was beyond a month after I fixed my site that the warnings finally were all gone from their search pages.

Microsoft Bing also denies you, even as Webmaster, access to their cached copy of suspicious pages, so you cannot see what they have seen. This matters if you have variations in the page. In my case, it was a problem when occasionally a default ad was served. The malicious link wasn't on the pages themselves that Bing flagged. I spent days and nights on a wild goose chase examining pages that had no malicious code in them.

In my case, I was miserable until unmaskparasites.com gave me a clue what to look for and could start tracking down the infection.

To this day I don't know how malicious code was inserted into my pages. I scanned my local computer for infections - in case of password stealing. The server showed up nothing, but even changing passwords didn't stop the ftp intrusions from malicious IPs.

I fought many times to clean repeat infections which came back days or weeks after each other. Eventually I wrote a php program to check my site pages. I get an email report every half hour, thanks to using a cron job, and if the infection shows up again I can immediately purge it.

In my case, a malicious iframe was being inserted linking to a site that was a typo varation on analytics. Example: google-analitics. The site name changes each time the domain is reported is shut down (but not until after a notification time expires. Needless to say, the bad site gives no legitimate contact information, and doesn't reply to the notification, just moves on with a new site name registration.

Your report doesn't seem to show red-flag warning, so you may need to check the sites you are linking to. Your site, otherwise clean, can be flagged because of links to bad sites.

Hope this is some help, either for you, or others who may more closely match my experience.

Dawn said...

many many thanks for your help.
I am trying to get solution. I am new comer in blogger so I can't understand clearly.

Dawn said...

I am unable to locate where it malware situated , I have deleted all third party site from my site. how can I do now ?

Unknown said...

The best place to ask questions about specific cases is in the Google Webmaster Help Forums (http://www.google.com/support/forum/p/Webmasters). There are lots of people there who can help out.

Unknown said...

The list sucks. www.stopbadware.org in unavailable when trying to correct things like false positives.
My tip : let people be stupid, thay have been warned. Because savvy ones suffer from stupid users.
And stop keeping people in a near panick state? Do you get sponsored by AV companies ????