Google blocks Twitpic over alleged malware (thenextweb.com)
37 points by derpenxyne 1574 days ago | 53 comments



I posted this in another related submission-

We're trying to sort it out but there isn't really any information provided by Google/Chrome to go on. The best "details" they have show that Twitpic has 0 pages with Malware.

Crazy how some automated process at Google can kill an entire site just like that.


This happened to us (granted we actually did have an infected advert network...) and once the adverts were fixed, requesting a review via webmaster tools resolved it:

http://support.google.com/webmasters/bin/answer.py?hl=en&...


> Crazy how some automated process at Google can kill an entire site just like that.

Google bases its entire company around automated processes. Sites are made and killed by Google's automated processes every day. If you want to ask Google about it you will be talking to yet another automated process.


Let's be realistic. Although this is the case for most sites, I doubt twitpic is going to end up talking to an automated process.


I believe you can appeal the block through Webmaster Tools but I'm not sure how quickly they fix it. Hopefully someone at Google sees this post and fixes it.


Looks like the safebrowsing console is lagging. It currently says "Updated 5 hours ago". I guess once the information propagates to it, you'll have more details.

http://safebrowsing.clients.google.com/safebrowsing/diagnost...


And indeed it now shows:

What happened when Google visited this site?

Of the 12592 pages we tested on the site over the past 90 days, 31 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-12-31, and the last time suspicious content was found on this site was on 2012-12-30. Malicious software includes 13 trojan(s), 4 exploit(s). Successful infection resulted in an average of 8 new process(es) on the target machine.

Malicious software is hosted on 5 domain(s), including mpchester.info/, malatyuhr.com/, iloveeu.info/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including 2upmedia.com/, adexcite.com/.

This site was hosted on 3 network(s) including AS36351 (SOFTLAYER), AS15169 (Google Internet Backbone), AS31815 (MEDIATEMPLE).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, twitpic.com appeared to function as an intermediary for the infection of 1 site(s) including ow.ly/.


This is Arash from Dropbox. A similar thing happened to us a couple years ago and mattcutts helped resolve it pretty quickly (https://twitter.com/mattcutts). I would try to reach out to him ASAP.

edit: ack. just read his twitter feed and it looks like he's out for a week.


Steve, how did you get reinstated so quickly? I am still having issues with Twicsy.


Looks like yet another "malvertising" situation.

The Google Safebrowsing report [1] appears fairly ambiguous though:

"Site is listed as suspicious - visiting this web site may harm your computer (...)"

"Of the 12029 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-12-30, and suspicious content was never found on this site within the past 90 days."

[1] http://safebrowsing.clients.google.com/safebrowsing/diagnost...


> Looks like yet another "malvertising" situation.

And that's all the same to end users. When will the web evolve past these pests?


They're working on it http://www.adsintegrityalliance.org/ :-)


I'm not sure this qualifies as news as this same thing has happened to other large sites from time to time.

What likely happened is that one of the 3rd party advertisers on Twitpic delivered ads that contain something classified as malware thus resulting in the entire Twitpic site getting blacklisted.


It's not Google's job to police the Internet. I, and many others, have been subjected to Google's safe browsing malware flag without due cause. This is unacceptable and Google overstepping its position.

I am beginning to hope that someone takes Google to task and reins in their power over the Internet community. No company should have the ability to practically shut down websites at will.


When I worked at Google I got to hear a number of "My friend's site is being accused of hosting malware but I know these guys they don't do that!" and almost without exception, what had happened was that someone had compromised the web server, downloaded the images, re-compressed them with an image based exploit (sometimes changing them from gif to jpg in the process) and put them back on the site. To Grandma and her friends the site hadn't changed in years, except that now it was doing a drive by injection of malware.

I don't doubt for a minute that if someone figured out how to create a twitpic app that could inject malware into the images you shared, they would try really hard to get it on to your phone. How great a coup to have all eleventybillion followers check out your latest 'woah!' picture and spread the malware. It's a primo target.

I'm not defending Google here, I'm just saying that putting malware into images is a primary goal of any number of advanced persistent threat shops. Keep that in mind and make sure you keep an offline MD5 hash of every picture on your web site for validation.
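
An added example, not part of the thread or any commenter's code: one way to keep the offline hash baseline suggested in the comment above and check the live image tree against it. It uses SHA-256 where the comment names MD5, also flags files whose format changed since the baseline (the gif-to-jpg case described), and all function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}
# Leading magic bytes per format, used to notice when a file's actual
# format differs from what it was when the baseline was taken.
MAGIC = {b"GIF8": ".gif", b"\xff\xd8\xff": ".jpg", b"\x89PNG": ".png"}


def sniff(data):
    """Return the format implied by the file's magic bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def build_manifest(root):
    """Map relative path -> (SHA-256 hex, sniffed format) for images under root."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTS:
            data = path.read_bytes()
            manifest[path.relative_to(root).as_posix()] = (
                hashlib.sha256(data).hexdigest(), sniff(data))
    return manifest


def compare(baseline, current):
    """Diff a trusted baseline (kept off the web server) against the live tree."""
    report = {"modified": [], "missing": [], "added": [], "retyped": []}
    for name, (digest, kind) in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name][0] != digest:
            report["modified"].append(name)
            if current[name][1] != kind:
                # Same file name, different underlying image format.
                report["retyped"].append(name)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed sample: three fake images, then simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a.gif").write_bytes(b"GIF89a" + b"\x00" * 16)
        (root / "b.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        (root / "c.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        baseline = build_manifest(root)  # in practice, stored offline
        # Simulated changes: a.gif re-encoded as JPEG, c.jpg removed, d.png new.
        (root / "a.gif").write_bytes(b"\xff\xd8\xff\xe0" + b"\x01" * 16)
        (root / "c.jpg").unlink()
        (root / "d.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x02" * 16)
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The baseline only helps if it is stored somewhere the web server cannot write to; a manifest kept beside the images can be rewritten along with them.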


If that's what's happening here, then the warning seems good for everyone.. except that the wording is defamatory.

Rather than accusing Twitpic of being "a known distributor of malware", it might be better if the message said something like "The site appears to be infected with malware. This warning will remain in place until the malware has been removed."


The other big vector for tripping malware detection is 3rd party ad networks. When you have multiple parties outside your control that can inject arbitrary HTML and JavaScript into your page, all it takes is one bad advertiser.


There's a reason Mozilla and Apple also use this service, and all the major browsers include something like it. Malware, injected malicious code (susceptible to XSS and social engineering attacks), and drive by downloads are a very real problem. You're going to have to suggest an alternative approach if you want to replace it.


I'd say by being the largest referrer on the internet and the developer of one of the most popular web browsers, Google certainly has an excellent case to "police" the internet. If you don't want Google's advice, don't use Google's kit.

As a HN user you're most likely able to take care of yourself, but the vast majority of people are better off heeding Google's advice.


Google's "advice" in this case is a statement issued to millions of users accusing a competitor of a crime.

If it turns out to be true, that's fine. If it's not true, don't you think Google should be held responsible for the damage to their competitor's reputation?


Twitpic isn't a Google competitor and was not being accused of a crime.


I don't see how you reach that conclusion.

Twitpic is part of the Twitter ecosystem and as such is certainly competitive with Google's social and photo sharing efforts (i.e. Google+ and Picasa).

Being a known distributor of malware (described by Google as: software which causes things like identity theft, financial loss, and permanent file deletion) is a crime.

So yes, they are a competitor, and yes they are being accused of a crime.


The warnings are just that, warnings. Any user is free to proceed to the site if they desire. Just like any user is free to NOT use a browser that uses Google's blacklist if they desire (Chrome, Safari, Firefox use it). Though FWIW Google's malware detection is extremely accurate, so it's generally best to simply avoid blacklisted sites until they have been cleaned up.


It's their job to provide a good service to their users. Warning about malware seems to fit that bill.


Speaking realistically, somebody will have the ability to practically shut down websites at will (or actually in this case alter optional access, as Google can't actually shut down TwitPic). Your only options are going to be private industry via Google (or equivalent) or your friendly homeland security officer (or equivalent).

One is an opt-in completely private non-coercive entity, the other uses a gun and has real power over you. Don't like Google, don't use their search or Chrome or Gmail et al., there are plenty of alternatives and your adoption of those would help spur further activity in the way of competition. Don't like homeland security? Tough luck, obey or go to jail.


I agree, because I was just upset when Microsoft started blocking some links in the Windows Live Messenger. However, in this case at least they still allow you the choice to visit the site, while Microsoft was simply blocking the links completely. And this is why I also disagree with the iOS and Metro not allowing for sideloading, too, while the Android/Mac OS X model is a much better compromise between security and liberty/flexibility.


They blocked Twicsy today too, for using a pretty reputable ad network. It seems anti-competitive to me. Google knows it is an ad network that is causing the problems, they even pointed me to the supposedly malicious script. If they know that, they can just disable the ad network and send me a notice on Google Webmaster tools. They did neither, instead they block Twicsy for everyone and display a nasty message. It is ridiculous.


I wonder if Google's malware warnings have ever been reviewed by lawyers. Because this entire feature smells like a lawsuit waiting to happen.


The closest analog would be antivirus software deciding your legitimate app was malware, but I can't find any lawsuits over that with some quick searching. Anyone remember one?

Punishing anti-malware software for false positives may feel like it could be warranted at times (at least in cases of anti-competitive actions or extreme incompetence), but it seems like it would set an extremely poor precedent. Even worse would be someone winning a case like "yes, there was malware, but you should have sent users through anyway."

Which kind of points to the reason why you probably won't see a case like this go far. Whether or not it's bad from the website's point of view, users chose to install a browser that blocks what it thinks are infected sites, and there's still the option (however small or hidden) to click through or disable the warning. There are also tools to figure out why you're blocked (I'm not sure about Microsoft or Opera's system, but I assume so), even if they can be annoyingly slow in internet time.

I don't think there's any more case than suing over a browser displaying a broken lock icon (or not loading a page at all) when you serve content over mixed secure and insecure connections, or warning that a self-signed certificate is untrusted and may be an attempt to hijack and redirect you.


Have you actually looked at a Twitter page that uses Twitpic? The text Chrome produces reads:

"Danger: Malware Ahead! Content from twitpic.com, a known malware distributor has been inserted into this page. Visiting this page now is very likely to infect your computer with malware.

Malware is malicious software that causes things like identity theft, financial loss, and permanent file deletion."

If this turns out to be a false positive, it certainly looks as though Google has committed a serious act of libel against a competitor by claiming that they are known to be malicious and involved in crime. Furthermore they prevented millions of customers from reaching another competitor (and partner of the first competitor) in order to deliver this message.

There's no mention of the possibility of there being a false positive, or how the conclusion was reached, or the general rate of false positives, or the fact that it's Google's opinion.

The fact that we assume it's an automated detection system doesn't absolve Google of responsibility for what they are communicating and the damage it can do to their competitors' reputations.

If it does turn out to be a false positive, will Google contact all the people who saw that message to inform them that they were wrong?

I hope it's not a false positive.


> "The text Chrome produces reads: [...]"

You actually get two slightly different warnings, depending upon whether the content is embedded or not. If you go to Twitpic directly you'll see "Google has blocked access to twitpic.com for now", a generally more gentle warning than the one you cite (which you'll see if you're viewing embedded content instead).

It's interesting there are two warnings, only one of which seems to be potentially libelous (if it was a false positive, which at this point is uncertain, especially if the content came in from an ad network).


In the US libel requires a statement to have been made with malicious intent. Quite simply, this is in no way libel, nor should it be.

I'll take occasional minor short-lived inconveniences over security breaches any day.


I doubt you'd consider it a "minor short-lived inconvenience" if Google informed millions of people that your business was a known distributor of malware.

Google can perfectly well block the malware without making such an accusatory statement. It's not a tradeoff, so I don't really know why you are defending them.


What would you reckon the accuracy of the algorithms is? I'd have thought the numbers probably justify the language.

Security is a tradeoff, if you do business on the web, deal with it.


Clearly you haven't thought this through.

Security is sometimes a trade-off but in this case there is no trade-off involved. Google can just as easily block the malware without the potentially defamatory language.

The accuracy of the algorithm is utterly irrelevant.


Rubbish. The trade-off in this case is that a more mealy-mouthed warning would lead to more people clicking through.


Nobody except you is suggesting a mealy-mouthed warning - that's a straw-man.

An accurate and informative statement like:

"Google's Scans detected malware <X>, which is known to do harm <Y> within the past <N> hours at <Z> percent of the pages operated by <COMPANY>. Google recommends that you do not click on this link until this warning is lifted. [Site owners click here for detailed information]"

...would be just as effective.

Scare tactics, especially those that might be laying blame incorrectly, simply breed ignorance, and ignorance is the enemy of security.


> it might be better if the message said something like "The site appears to be infected with malware. This warning will remain in place until the malware has been removed."

That's what you suggested, seems pretty mealy-mouthed to me.


Presumably you don't judge my second suggestion 'mealy mouthed' otherwise you'd have quoted that instead.

So even by your judgement of what is 'mealy mouthed', an effective and accurate warning is clearly possible. You might not have liked the wording of my first suggestion but that doesn't change the argument.

There is no valid trade-off that requires Google to use accusatory wording in order to protect people from malware. It would clearly be an improvement if their messages were more accurate.


There obviously is a trade-off between the strength of the language and the number of people who will click through.

The messages are accurate, Twitpic was unfortunately a distributor of malware. Here's a copy and paste of the current detailed report.

What happened when Google visited this site? Of the 12910 pages we tested on the site over the past 90 days, 31 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-01-01, and the last time suspicious content was found on this site was on 2012-12-30. Malicious software includes 13 trojan(s), 4 exploit(s). Successful infection resulted in an average of 8 new process(es) on the target machine.

Malicious software is hosted on 5 domain(s), including mpchester.info/, malatyuhr.com/, iloveeu.info/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including 2upmedia.com/, adexcite.com/.

This site was hosted on 3 network(s) including AS36351 (SOFTLAYER), AS15169 (Google Internet Backbone), AS31815 (MEDIATEMPLE).

Has this site acted as an intermediary resulting in further distribution of malware? Over the past 90 days, twitpic.com appeared to function as an intermediary for the infection of 1 site(s) including ow.ly/.

http://safebrowsing.clients.google.com/safebrowsing/diagnost...

I'm not sure why you're placing the business interests of Twitpic over the safety of users, but I disagree with your attitude. I'm done here.


> There obviously is a trade-off between the strength of the language and the number of people who will click through.

Maybe, but I'm not arguing about the 'strength' of the language. I'm arguing about the accuracy of it.

> The messages are accurate, Twitpic was unfortunately a distributor of malware. Here's a copy and paste of the current detailed report.

Actually, this report proves my point. Twitpic is implicated because ad networks they embed have distributed malware.

This is a perfectly good reason for warning people, but it is not justification for calling Twitpic "A known distributor of malware" - a statement which portrays Twitpic as an intentional agent in this.

If I called you "A known distributor of falsehoods", and my evidence was that you made a few mistakes on a math test, and mistyped a URL in one of your postings, I imagine most people would consider that a misrepresentation, because the phrase "A known distributor" implies agency and intent.

Another analogy would be if a grocery store carried a batch of improperly pasteurized milk that people got food poisoning from.

Calling the grocery store "A known poisoner" would be an obvious misrepresentation.

In just the same way, Twitpic is not "a known distributor" of malware.

> I'm not sure why you're placing the business interests of Twitpic over the safety of users, but I disagree with your attitude.

You are simply misrepresenting my position. You keep making a false dichotomy, as though the users' safety and accurate messaging are in conflict with one another. This is not true.

It is perfectly possible for Google to strongly state their opinion about the dangers of clicking through without misrepresenting twitpic.

I think that the communications of those in a position of power should be critiqued, and I think that misleading people 'for their own protection' is almost never justified and certainly shouldn't be casually accepted as a necessary tradeoff.

I disagree with your attitude too, but I guess at least we know where we stand.


You can opt out of it -- it's not mandatory.


As a customer you could choose to opt out, but from a business standpoint it's not so easy.


The browser works on behalf of the user, not on behalf of the site operator. In the matter of keeping malware off the user's computer, nobody gives two shits what the site operator wants.


Interestingly, if you try to load any page with Twitpic content embedded you get the same warning.

Try to load the founder's page on Twitter: http://twitter.com/noaheverett

"Danger: Malware Ahead! Google Chrome has blocked access to this page on twitter.com. Content from twitpic.com, a known malware distributor, has been inserted into this web page."


I cannot even load tweetdeck at the moment, as it seems to preload the images on the links, thus showing the big red screen.


This is showing up in Firefox as well, since it uses "Google Safe Browsing" for information about suspicious sites.



That's because both Firefox and Chrome use the same source of information about potentially dangerous sites. It doesn't make Twitpic.com more suspicious.


I'm happy to use a third party client to browse twitter...


While this gets you over this minor inconvenience, is it really worth the risk of exposure to malware?


You're presuming right now that the detection is accurate and that, if it is, third-party Twitter clients would be susceptible to the same vectors.

You have an exposure risk every time you use the Web; managing that risk is part of what we do as users (and, to a greater degree, as professionals).


If you're ready to manage that risk (based on gut instinct that this is a false positive?), just click through. I don't see the issue there for users. The real issue is false positives from the website's point of view, since the vast majority of users won't click through by design.



