

Google blocks Twitpic over alleged malware - derpenxyne
http://thenextweb.com/google/2012/12/30/google-blocks-twitpic-over-alleged-malware-causing-chrome-to-deny-access-to-some-twitter-pages/

======
stevencorona
I posted this in another related submission-

We're trying to sort it out but there isn't really any information provided by
Google/Chrome to go on. The best "details" they have show that Twitpic has 0
pages with Malware.

Crazy how some automated process at Google can kill an entire site just like
that.

~~~
jonknee
> Crazy how some automated process at Google can kill an entire site just like
> that.

Google bases its entire company around automated processes. Sites are made and
killed by Google's automated processes every day. If you want to ask Google
about it you will be talking to yet another automated process.

~~~
jamesaguilar
Let's be realistic. Although this is the case for most sites, I doubt twitpic
is going to end up talking to an automated process.

------
jdangu
Looks like yet another "malvertising" situation.

The Google Safebrowsing report [1] appears fairly ambiguous though:

"Site is listed as suspicious - visiting this web site may harm your computer
(...)"

"Of the 12029 pages we tested on the site over the past 90 days, 0 page(s)
resulted in malicious software being downloaded and installed without user
consent. The last time Google visited this site was on 2012-12-30, and
_suspicious content was never found_ on this site within the past 90 days."

[1] [http://safebrowsing.clients.google.com/safebrowsing/diagnost...](http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Ftwitpic.com%2F&client=googlechrome&hl=en-US)

~~~
null_ptr
> Looks like yet another "malvertising" situation.

And that's all the same to end users. When will the web evolve past these
pests?

~~~
frostmatthew
They're working on it <http://www.adsintegrityalliance.org/> :-)

------
nacs
I'm not sure this qualifies as news as this same thing has happened to other
large sites from time to time.

What likely happened is that one of the 3rd party advertisers on Twitpic
delivered ads that contain something classified as malware thus resulting in
the entire Twitpic site getting blacklisted.

------
tsunamifury
It's not Google's job to police the Internet. I, and many others, have been
subjected to Google's safe browsing malware flag without due cause. This is
unacceptable and Google overstepping its position.

I am beginning to hope that someone takes Google to task and reins in their
power over the Internet community. No company should have the ability to
practically shut down websites at will.

~~~
ChuckMcM
When I worked at Google I got to hear a number of "My friend's site is being
accused of hosting malware but I know these guys they don't do that!" and
almost without exception, what had happened was that someone had compromised
the web server, downloaded the images, re-compressed them with an image based
exploit (sometimes changing them from gif to jpg in the process) and put them
back on the site. To Grandma and her friends the site hadn't changed in years,
except that now it was doing a drive by injection of malware.

I don't doubt for a minute that if someone figured out how to create a twitpic
app that could inject malware into the images you shared, they would try
really hard to get it on to your phone. How great a coup to have all
eleventybillion followers check out your latest 'woah!' picture and spread the
malware. It's a primo target.

I'm not defending Google here, I'm just saying that putting malware into
images is a primary goal of any number of advanced persistent threat shops.
Keep that in mind and make sure you keep an offline MD5 hash of every picture
on your web site for validation.
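
An added illustration of the offline hash baseline suggested in the comment above (not part of the original comment or thread). It uses SHA-256 in place of the MD5 named in the comment, also flags the gif-to-jpg re-encoding case the comment describes, and all function names and sample files are constructed for the example:

```python
import hashlib
import tempfile
from pathlib import Path

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}

def build_manifest(root):
    """Map each image's relative path to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in IMAGE_EXTS
    }

def compare(baseline, current):
    """Report drift between the offline baseline and the live tree."""
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    removed = set(baseline) - set(current)
    added = set(current) - set(baseline)
    # Same path stem but a new extension: the re-encode (gif -> jpg) case.
    stem = lambda name: name.rsplit(".", 1)[0]
    added_by_stem = {stem(a): a for a in added}
    format_changed = sorted((r, added_by_stem[stem(r)]) for r in removed if stem(r) in added_by_stem)
    swapped = {n for pair in format_changed for n in pair}
    return {
        "modified": modified,
        "format_changed": format_changed,
        "removed": sorted(removed - swapped),
        "added": sorted(added - swapped),
    }

def demo():
    """Constructed sample site: three images, then simulated tampering."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "img").mkdir()
        (site / "img/logo.gif").write_bytes(b"GIF89a constructed-logo")
        (site / "img/banner.gif").write_bytes(b"GIF89a constructed-banner")
        (site / "img/photo.jpg").write_bytes(b"\xff\xd8 constructed-photo")
        baseline = build_manifest(site)  # store this copy off the web server
        (site / "img/logo.gif").write_bytes(b"GIF89a constructed-logo + extra bytes")
        (site / "img/banner.gif").unlink()
        (site / "img/banner.jpg").write_bytes(b"\xff\xd8 re-encoded banner")
        return compare(baseline, build_manifest(site))

if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it is kept somewhere the web server cannot write to; a manifest stored next to the images can be regenerated by whoever replaced them.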

~~~
rbarooah
If that's what's happening here, then the warning seems good for everyone..
except that the wording is defamatory.

Rather than accusing Twitpic of being "a known distributor of malware", it
might be better if the message said something like "The site appears to be
infected with malware. This warning will remain in place until the malware
has been removed."

------
dumbfounder
They blocked Twicsy today too, for using a pretty reputable ad network. It
seems anti-competitive to me. Google knows it is an ad network that is causing
the problems, they even pointed me to the supposedly malicious script. If they
know that, they can just disable the ad network and send me a notice on Google
Webmaster tools. They did neither, instead they block Twicsy for everyone and
display a nasty message. It is ridiculous.

------
4varb
Interestingly, if you try to load any page with Twitpic content embedded you
get the same warning.

Try to load the founder's page on Twitter: <http://twitter.com/noaheverett>

"Danger: Malware Ahead! Google Chrome has blocked access to this page on
twitter.com. Content from twitpic.com, a known malware distributor, has been
inserted into this web page."

------
rickmb
I wonder if Google's malware warnings have ever been reviewed by lawyers.
Because this entire feature smells like a lawsuit waiting to happen.

~~~
magicalist
The closest analog would be antivirus software deciding your legitimate app
was malware, but I can't find any lawsuits over that with some quick
searching. Anyone remember one?

Punishing anti-malware software for false positives may feel like it could be
warranted at times (at least in cases of anti-competitive actions or extreme
incompetence), but it seems like it would set an extremely poor precedent.
Even worse would be someone winning a case like "yes, there was malware, but
you should have sent users through anyway."

Which kind of points to the reason why you probably won't see a case like this
go far. Whether or not it's bad from the website's point of view, users chose
to install a browser that blocks what it thinks are infected sites, and
there's still the option (however small or hidden) to click through or disable
the warning. There are also tools to figure out why you're blocked (I'm not
sure about Microsoft or Opera's system, but I assume so), even if they can be
annoyingly slow in internet time.

I don't think there's any more case than suing over a browser displaying a
broken lock icon (or not loading a page at all) when you serve content over
mixed secure and insecure connections, or warning that a self-signed
certificate is untrusted and may be an attempt to hijack and redirect you.

~~~
rbarooah
Have you actually looked at a Twitter page that uses Twitpic? The text Chrome
produces reads:

"Danger: Malware Ahead! Content from twitpic.com, _a known malware
distributor_ has been inserted into this page. Visiting this page now is very
likely to infect your computer with malware.

Malware is malicious software that causes things like identity theft,
financial loss, and permanent file deletion."

If this turns out to be a false positive, it certainly looks as though Google
has committed a serious act of libel against a competitor by claiming that
they are known to be malicious and involved in crime. Furthermore they
prevented millions of customers from reaching another competitor (and partner
of the first competitor) in order to deliver this message.

There's no mention of the possibility of there being a false positive, or how
the conclusion was reached, or the general rate of false positives, or the
fact that it's Google's opinion.

The fact that we assume it's an automated detection system doesn't absolve
Google of responsibility for what they are communicating and the damage it can
do to their competitors' reputations.

If it does turn out to be a false positive, will Google contact all the people
who saw that message to inform them that they were wrong?

I hope it's not a false positive.

~~~
analog
In the US libel requires a statement to have been made with malicious intent.
Quite simply, this is in no way libel, nor should it be.

I'll take occasional minor shortlived inconveniences over security breaches
any day.

~~~
rbarooah
I doubt you'd consider it a "minor shortlived inconvenience" if Google
informed millions of people that your business was a known distributor of
malware.

Google can perfectly well block the malware without making such an accusatory
statement. It's not a tradeoff, so I don't really know why you are defending
them.

~~~
analog
What would you reckon the accuracy of the algorithms is? I'd have thought
the numbers probably justify the language.

Security is a tradeoff, if you do business on the web, deal with it.

~~~
rbarooah
Clearly you haven't thought this through.

Security is sometimes a trade-off but in this case there is no trade-off
involved. Google can just as easily block the malware without the potentially
defamatory language.

The accuracy of the algorithm is utterly irrelevant.

~~~
analog
Rubbish. The trade-off in this case is that a more mealy-mouthed warning would
lead to more people clicking through.

~~~
rbarooah
Nobody except you is suggesting a mealy-mouthed warning - that's a straw-man.

An accurate and informative statement like:

"Google's Scans detected malware <X>, which is known to do harm <Y> within the
past <N> hours at <Z> percent of the pages operated by <COMPANY>. Google
recommends that you do not click on this link until this warning is lifted.
[Site owners click here for detailed information]"

...would be just as effective.

Scare tactics, especially those that might be laying blame incorrectly, simply
breed ignorance, and ignorance is the enemy of security.

~~~
analog
_it might be better if the message said something like "The site appears to be
infected with malware. This warning will remain in place until the malware
has been removed."_

That's what you suggested, seems pretty mealy-mouthed to me.

~~~
rbarooah
Presumably you don't judge my second suggestion 'mealy mouthed' otherwise
you'd have quoted that instead.

So even by your judgement of what is 'mealy mouthed', an effective and
accurate warning is clearly possible. You might not have liked the wording of
my first suggestion but that doesn't change the argument.

There is no valid trade-off that requires Google to use accusatory wording in
order to protect people from malware. It would clearly be an improvement if
their messages were more accurate.

~~~
analog
There obviously is a trade-off between the strength of the language and the
number of people who will click through.

The messages are accurate, Twitpic was unfortunately a distributor of malware.
Here's a copy and paste of the current detailed report.

 _What happened when Google visited this site? Of the 12910 pages we tested on
the site over the past 90 days, 31 page(s) resulted in malicious software
being downloaded and installed without user consent. The last time Google
visited this site was on 2013-01-01, and the last time suspicious content was
found on this site was on 2012-12-30. Malicious software includes 13
trojan(s), 4 exploit(s). Successful infection resulted in an average of 8 new
process(es) on the target machine.

Malicious software is hosted on 5 domain(s), including mpchester.info/,
malatyuhr.com/, iloveeu.info/.

2 domain(s) appear to be functioning as intermediaries for distributing
malware to visitors of this site, including 2upmedia.com/, adexcite.com/.

This site was hosted on 3 network(s) including AS36351 (SOFTLAYER), AS15169
(Google Internet Backbone), AS31815 (MEDIATEMPLE).

Has this site acted as an intermediary resulting in further distribution of
malware? Over the past 90 days, twitpic.com appeared to function as an
intermediary for the infection of 1 site(s) including ow.ly/._

[http://safebrowsing.clients.google.com/safebrowsing/diagnost...](http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Ftwitpic.com%2F)

I'm not sure why you're placing the business interests of Twitpic over the
safety of users, but I disagree with your attitude. I'm done here.

~~~
rbarooah
_There obviously is a trade-off between the strength of the language and the
number of people who will click through._

Maybe, but I'm not arguing about the 'strength' of the language. I'm arguing
about the accuracy of it.

 _The messages are accurate, Twitpic was unfortunately a distributor of
malware. Here's a copy and paste of the current detailed report._

Actually, this report proves my point. Twitpic is implicated because ad
networks they embed have distributed malware.

This is a perfectly good reason for warning people, but it is not
justification for calling Twitpic "A known distributor of malware" - a
statement which portrays Twitpic as an intentional agent in this.

If I called you "A known distributor of falsehoods", and my evidence was that
you made a few mistakes on a math test, and mistyped a URL in one of your
postings, I imagine most people would consider that a misrepresentation,
because the phrase "A known distributor" implies agency and intent.

Another analogy would be if a grocery store carried a batch of improperly
pasteurized milk that people got food poisoning from.

Calling the grocery store "A known poisoner" would be an obvious
misrepresentation.

In just the same way, Twitpic is not "a known distributor" of malware.

 _I'm not sure why you're placing the business interests of Twitpic over the
safety of users, but I disagree with your attitude._

You are simply misrepresenting my position. You keep making a false dichotomy,
as though the users' safety and accurate messaging are in conflict with one
another. This is not true.

It is perfectly possible for Google to strongly state their opinion about the
dangers of clicking through without misrepresenting twitpic.

I think that the communications of those in a position of power should be
critiqued, and I think that misleading people 'for their own protection' is
almost never justified and certainly shouldn't be casually accepted as a
necessary tradeoff.

I disagree with your attitude too, but I guess at least we know where we
stand.

------
thehodge
I cannot even load tweetdeck at the moment as it seems to preload the images
on the links thus showing the big red screen

------
Zirro
This is showing up in Firefox as well, since it uses "Google Safe Browsing"
for information about suspicious sites.

------
twapi
Even Firefox now warns its users <http://browserfame.com/1049/chrome-twitpic-malware-warning>

~~~
Zirro
That's because both Firefox and Chrome use the same source of information
about potentially dangerous sites. It doesn't make Twitpic.com more
suspicious.

------
kngl
I'm happy to use a third party client to browse twitter...

~~~
jeffjose
While this gets you over this minor inconvenience, is it really worth the
risk of exposure to malware?

~~~
kylemaxwell
You're presuming right now that the detection is accurate and that, if it is,
third-party Twitter clients would be susceptible to the same vectors.

You have an exposure risk every time you use the Web; managing that risk is
part of what we do as users (and, to a greater degree, as professionals).

~~~
magicalist
If you're ready to manage that risk (based on gut instinct that this is a
false positive?), just click through. I don't see the issue there for users.
The real issue is false positives from the website's point of view, since the
vast majority of users won't click through by design.

