The theme currently in use on http://wp-abtesting.com/ has a main stylesheet called style.css which contains the URL http://www.shapingrain.com in its comments in the header.
After shapingrain.com was infected and flagged by Google Safe Browsing, wp-abtesting.com would then have been flagged when Google analyzed the CSS file and saw what appeared to be a resource link to an infected site. This would appear to be a limitation of the scanner, which is scanning CSS comments and treating them as valid code, though this is not without precedent and certain browsers will evaluate what is contained in comments under certain circumstances (see IE conditional comments).
So, in the end, it looks like shapingrain.com was infected yesterday and Google blacklisted that site as well as any sites pulling resources from the infected site, erring on the side of caution (possibly) and interpreting URLs within comments in CSS as possible resource links.
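The mechanism described above (a scanner that does not distinguish a URL in a CSS comment from a URL the browser actually fetches) is easy to check for on your own theme files. The following is an added example, not code from the thread or from any of the products it mentions: it separates the comment text of a stylesheet from its code, reports which third-party URLs are real resource references (url() and @import) and which appear only in comments, and shows what a comment-blind scanner would see instead. The sample stylesheet is constructed for the example; only the shapingrain.com host comes from the thread, all other hosts are made up.

```javascript
// Added example: audit a stylesheet for third-party URLs, separating URLs that
// only appear in comments from URLs the browser will actually request.

// Constructed sample in the WordPress style.css header format. shapingrain.com
// is the host named in the thread; the other hosts are invented.
const SAMPLE_CSS = `/*
Theme Name: Example Theme
Theme URI: http://www.shapingrain.com
Description: constructed sample header in the WordPress style.css format
*/
@import url("http://fonts.example.test/font.css");
body { background: url(images/bg.png); } /* see http://notes.example.test/layout */
.logo { background-image: url('//cdn.example.test/logo.png'); }
`;

// Absolute http(s) URLs and protocol-relative ones (//host/path).
const URL_RE = /(?:https?:)?\/\/[^\s"')<>]+/gi;

// Split a stylesheet into the text inside comments and the text outside them.
// A "/*" inside a quoted string is not a comment, so string state is tracked.
function splitCssComments(css) {
  let code = '', comments = '', quote = null, i = 0;
  while (i < css.length) {
    const ch = css[i], next = css[i + 1];
    if (quote) {                                   // inside a string literal
      code += ch;
      if (ch === '\\' && next !== undefined) { code += next; i += 2; continue; }
      if (ch === quote) quote = null;
      i += 1;
    } else if (ch === '/' && next === '*') {       // comment start
      const end = css.indexOf('*/', i + 2);
      const stop = end === -1 ? css.length : end;  // unterminated comment runs to EOF
      comments += css.slice(i + 2, stop) + '\n';
      code += ' ';                                 // keep token boundaries intact
      i = end === -1 ? css.length : end + 2;
    } else {
      if (ch === '"' || ch === "'") quote = ch;
      code += ch;
      i += 1;
    }
  }
  return { code, comments };
}

// Unique URLs in a piece of text, with trailing punctuation trimmed.
function findUrls(text) {
  return [...new Set((text.match(URL_RE) || []).map(u => u.replace(/[.,;]+$/, '')))];
}

function hostOf(url) {
  return new URL(url.startsWith('//') ? 'http:' + url : url).hostname;
}

// What a comment-blind scanner sees: every URL in the file, comments included.
function naiveScan(css) {
  return findUrls(css);
}

// Comment-aware audit: which external hosts does this stylesheet really pull from?
function auditStylesheet(css, ownHost) {
  const { code, comments } = splitCssComments(css);
  const fetched = findUrls(code).filter(u => hostOf(u) !== ownHost);
  const commentOnly = findUrls(comments)
    .filter(u => !fetched.includes(u) && hostOf(u) !== ownHost);
  return { fetched, commentOnly, thirdPartyHosts: [...new Set(fetched.map(hostOf))] };
}

// Usage: the own host is assumed; run against your theme's style.css content.
console.log('naive scanner sees:', naiveScan(SAMPLE_CSS));
console.log('comment-aware audit:', auditStylesheet(SAMPLE_CSS, 'wp-abtesting.com'));
```

Running the audit over each stylesheet your site serves gives a list of third-party hosts whose reputation can affect yours, which is the list worth reviewing when a blacklist warning appears; the comment-only URLs are the ones that a scanner like the one described above may still count against you, so stripping them from shipped CSS removes that exposure at no cost.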
Thanks a lot for your detailed response. Really appreciated.
Probably both sites were infected at some point. Again, I never saw the malware message myself but the guy that alerted us first copied the message he got and it was explicitly mentioning the demo site: “Content from demos.shapingrain.com, a known malware distributor, has been inserted into this web page. Visiting this page now is very likely to infect your Mac with malware.”
And now, we’re going to immediately clean the CSS since this is something that had not occurred to us could be the cause of the problem. Let’s make sure we are not blacklisted again!
For future reference, another useful tool is Sucuri SiteCheck, which will show you the results of multiple website malware blacklists on one page: http://sitecheck.sucuri.net/scanner/
(I checked and http://wp-abtesting.com/ is clean)
This being said, I have no idea what could be done, if anything, to avoid being in a situation where Google can, mistakenly, blacklist you from the Internet.
This is why I stopped using Chrome, and learned to love Firefox, again.
Firefox uses Google for safe browsing filtering.
Heck, if you are looking at this from a larger social good perspective, it might even be better for society at large to have the blacklist provider be much more aggressive about blacklisting sites quickly. What's the cost of a malware compromising someone's machine, and requiring someone to take their desktop off-line for a day or more while they reinstall everything from scratch (and find out that they no longer can find their MS Office reinstall disks, and the new MS Office requires them to relearn where all controls are on the reorganized toolbar)? Versus the economic cost of some minor web site getting blocked for a few days?
In any case, given that you as the minor web site won't be providing any payments to the blacklist provider, why do you assume the incentive structure will be any better with third-party blacklists?
Since the browser maker will no longer control the blacklist, they will now have users telling them that sites are broken (because they've been blacklisted), and they won't be able to do anything about it on the blacklist side. So, what they will be incentivized to do, is to make whitelisting a blacklisted site (especially those that only get loaded through invisible iframes etc.) have a much simpler/easier/clearer UX, so that their complaints go down. This is good for everyone, but it's not something they'll do when they still have the option "just remove X from the blacklist."
It might be a bad assumption that users will demand a more liberal blacklist. That's certainly not how e-mail blacklists have worked out. Sometimes the people most in favor of the blacklists that hit all sorts of innocent mail senders are the users sick and tired of spam.
Maybe we just need a Kickstarter to pay for the engineering time required to get this coded into Firefox and Chromium. If Mozilla or Google don't like it, call the result a fork and start a campaign for people to switch, as happened with OpenOffice+LibreOffice, or with MariaDB. Of course, I think both Google and Mozilla are smart enough that they'd see what was happening there, and just adopt the open blacklists.
As browser-users, I believe that we really do have the ability to affect the decisions of these companies, if we have something we can all get behind. :)
(...at least, if it doesn't directly interfere with their bottom line, like including an ad-blocker in Chrome would for Google. Can't have everything.)
"Probably both sites were infected at some point. Again, I never saw the malware message myself but the guy that alerted us first copied the message he got and it was explicitly mentioning the demo site: “Content from demos.shapingrain.com, a known malware distributor, has been inserted into this web page. Visiting this page now is very likely to infect your Mac with malware.”"
We launched our application, announced it to the world, got a flood of users that was apparently "abnormal" and were flagged by their ban bot.
Our app was summarily deleted (without warning or notification). All links to the application were flagged as "abusive". And all data published by users of our application was deleted.
The only reason we discovered this was because we were alerted by our users that the application had disappeared from their bookmarks and that they were unable to access it.
Of course, when we brought this to Facebook's attention they restored the application within a couple of hours. Unfortunately, significant damage had already been done: everything published by our users was (apparently) permanently deleted, our open graph stories and actions were completely deleted, and our subscriptions to the payments apis were deleted.
The particularly insidious one is the deletion of the payments subscription. For the last 12 hours, anyone who has tried to make an in-app purchase has been charged by Facebook but not had their purchase relayed to us for fulfillment.
A launch for a client also went through the same problem in 2010, and that was after 5 years of managing other WP installs (including 2 VIP WP sites). I've seen it happen too many times for it not to be Automattic's problem to address more so than they're doing now.
Stay away from self hosted WP unless your install is absolutely bullet proof, and cross linking, especially to resource files from other WP sites, is the last thing you should ever do, because you do not control their security, which can directly affect yours, or at least your black list vulnerability due to associated content.
Our office used to be above Automattic's in SF, and I love those guys, and what Matt has done for the web, but with great power comes great responsibility.
WP probably gets a bit of a bad rap because the types of sites made with it often don't have the budget to bring high quality development. When you serve 20% of the web, and people choose you precisely because they can get cheap developers, there will be some problem sites out there running WP.
In this particular case, it seems to me that they would have been flagged if they had been running anything, Drupal or Jekyll or a static site - they had an external theme provider who referred to a domain in CSS comments that was listed by google.
The problem seems to be the accuracy of Google's flagging, not WordPress.
There was absolutely nothing special about that page except the content. I noticed that the content included words like "Visa, passport, license, etc.", so Google classified it as a probable scam.
After a few submissions, I think the page got whitelisted.
It's very annoying indeed, especially since this functionality is now built into the primary browser.
I've suffered from the same malware issue earlier. Since we use ad networks for advertising it works as follows. 1 ad network has about 3000 different ads running in different locations. If any of those domains get compromised and blacklisted and Google notices that you served something from that domain - BOOM! You're on stopbadware.org and need to get your website reviewed. You block the ad, and apply for a review. To their credit, it takes about 24 hours for the whole process (review happens, they delist you, Google caches update, etc.). However, for 24 hours anyone who comes to your site or clicks on a Google result for you, or clicks anywhere to come to you - gets a massive warning. The cost in terms of lost revenue and reputation damage is almost incalculable. This has happened to me in the past, several times. I have severed relationships with several ad networks and yet this keeps happening - even with the most reputable networks - and you try to stay ahead of the curve, but if you fall behind even a bit, you may get blacklisted again. All this for a site that makes maybe $200/month.
Another problem I faced was with SURBL. It's a spam blacklist that works on a bizarre system. Basically if they find your domain name being spammed around the internet (it could be anyone else doing it) they will blacklist you. What's worse is that providers like bitly, facebook, etc. use the SURBL blacklist. So what happens? Well, one day someone goes and spams your domain on internet forums, etc. SURBL picks up on it. Then, suddenly all your facebook links, bitly links shared on twitter, etc. start showing warning pages. Basically someone clicks on your link on facebook and gets a page saying "This site may harm your computer". Ditto for Bitly as well.
I tried to get delisted but no one at SURBL would respond. I kept trying to get in touch through their online form but no one responded for 2-3 weeks. Finally, I did a whois on the domain, found the admin contact and emailed him. I also sent him a text on his phone. At last after about 4 weeks of being on SURBL I managed to get delisted.
That. Was. An. Ordeal.
This in my opinion is absolutely unacceptable. Spam blacklists do have a responsibility to be correct in their assessments. And if they do have a false positive for any reason, they should have a streamlined resolution process. Unfortunately, the internet is the wild west and shooting before asking questions appears to be quite acceptable in these parts. I recognize that a lot of this is an attempt to protect users, but when I open my mom's PC, I still see a bunch of browser toolbars, bookmarking widgets, etc. etc. (malware, right?) Folks are still getting phished. This fight needs to be rethought.
It comes down to browsers half of the time having bad security principles. Anything can change window.location in any iframe (on any domain) and the new sandboxing for iframes is HORRIBLE (not to mention the support of sandboxing itself is barely there). Ad networks work by passing the user around between networks until an ad is found, but this removes any chance of being able to find who is responsible for a given bad ad.
The entire thing is a security nightmare and the only "fix" Google can provide consists of blacklisting downstream websites that may indirectly link to a bad ad via ad networks. I don't disagree with Google's "fix" but I do think they should approach the problem on Chrome and show what good security means when it comes to ads for the other browser vendors.
Those changes represented a pretty dramatic improvement and all modern browsers are now in alignment. But the resulting behavior does make numerous concessions for compatibility with existing content. Take your complaint about any child frame being able to navigate top. That behavior was retained for both content compatibility and because it was a necessary security measure.
To explain the security concern, standardized frame communication predates the broad adoption of X-Frame-Options. So, the only reliable, cross-browser click-jacking defense at the time was frame-busting via top-navigation. And because we're talking about the Web, you have to consider a transition path of many years for existing content.
It may not seem like a great explanation, but the fact is that most of the confusing security behaviors on the Web really are the result of being boxed in by the need to keep existing content working. And, unfortunately, it takes many years to get improved mechanisms widely supported among browsers and to then migrate the majority of the Web onto them.
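The comment above contrasts two generations of clickjacking defense: the old script-based frame-buster, which depends on any child frame being allowed to navigate top, and the later X-Frame-Options header. The following is an added example, not code from the thread or from any browser vendor. It shows the legacy frame-buster written against an injected window-like object so it can be exercised outside a browser, and a check a site owner can run over their own response headers to see whether a declarative defense is in place; it goes slightly beyond the thread by also recognizing the CSP frame-ancestors directive, which is the current replacement for X-Frame-Options. The header values are constructed for the example.

```javascript
// Added example: legacy frame-busting versus header-based framing controls.

// Return the source list of a CSP frame-ancestors directive, or null if absent.
function parseFrameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// Inspect a response's headers (plain object, lowercase names as most HTTP
// libraries expose them) and report which declarative framing defense applies.
function framingDefense(headers) {
  const result = { xfo: null, frameAncestors: null, protected: false, note: '' };
  const xfo = headers['x-frame-options'];
  if (xfo) result.xfo = xfo.trim().toUpperCase();
  const csp = headers['content-security-policy'];
  if (csp) result.frameAncestors = parseFrameAncestors(csp);

  if (result.frameAncestors) {
    // Browsers that support frame-ancestors ignore X-Frame-Options when both are present.
    result.protected = !result.frameAncestors.includes('*');
    result.note = result.protected
      ? 'frame-ancestors restricts embedding to ' + result.frameAncestors.join(' ')
      : 'frame-ancestors * allows any embedder';
  } else if (result.xfo === 'DENY' || result.xfo === 'SAMEORIGIN') {
    result.protected = true;
    result.note = 'X-Frame-Options ' + result.xfo;
  } else if (result.xfo && result.xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM was never supported by every browser; frame-ancestors is the portable form.
    result.note = 'ALLOW-FROM is not honoured everywhere; prefer frame-ancestors';
  } else {
    result.note = 'no header-based framing restriction; only a frame-buster script would apply';
  }
  return result;
}

// Legacy defense from before X-Frame-Options: if this document is not the
// top-level one, navigate the top frame to ourselves. It works only because a
// child frame may navigate top, the behaviour the thread above discusses.
// `win` stands in for the browser's window object (assumed shape: top, self, location).
function legacyFrameBust(win) {
  if (win.top !== win.self) {
    win.top.location = win.self.location;
    return true;                   // we were framed and broke out
  }
  return false;                    // already top-level, nothing to do
}

// Usage with constructed inputs.
console.log(framingDefense({ 'x-frame-options': 'SAMEORIGIN' }));
console.log(framingDefense({ 'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://partner.example.test" }));
console.log(framingDefense({}));
```

The header check is the one worth automating for a site you operate: fetch each page that must not be embedded and assert that `framingDefense` reports it protected. The frame-buster is shown for comparison with the history the comment describes, not as a recommendation, since it runs only after the framed document has loaded and is itself defeated by a sandboxed embedding.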
Fundamentally, something better should exist and websites get the flak of bad iframe security. Annoyingly, any site with an iframe on it can't determine what locations are being accessed within the iframe to be able to accurately let there be a "report ad" feature that grabs the sites involved. Sometimes ad network iframes are nested 3-4 deep (disgusting but true) and it is impossible to read the location (yet these iframes can call window.top.location with ease).
I don't know what needs to exist but trying to work against these bad actors is nearly impossible for web devs (yet the burden is placed on the site).
Thanks for taking the time to comment - I understand it's very complex but I feel like this important subject hasn't seen a lot of real world use (we've decided against using sandboxing because it doesn't work for ads).
So, if a normal user (someone that doesn't understand malware versus an OS-level dialog) sees a big warning in their trusted browser (or a popup) without having clicked on anything at all, they might be compelled to download some malware. So yes, getting sandboxed iframes right would have been amazing, but in my mind it was a failure.
You don't shoot a site that links to a site that links to a site that links to malware.
You don't label a website as malware for spamming.
(I guess they think they're the only ones that follow the "Don't be evil" motto)
* Link to homepage is on the right-side!?
* Somehow, content text feels too thin/dull. Little bit difficult to read :)