Yooooomi / your_spotify

Self hosted Spotify tracking dashboard
GNU General Public License v3.0

Add note about Google False positives with this repo #254

Closed jules2689 closed 10 months ago

jules2689 commented 1 year ago

The problem

Today I noticed that all of my subdomains, including my personal website, are marked as "Deceptive":

[screenshots: the "Deceptive site" warnings shown for the subdomains]

I was hosting this repo at spotify.ep.jnadeau.ca for personal use, restricted it to only allow myself to log in, and Google's AI marked all of my websites as deceptive as a result. I've since moved this to a different domain behind basic auth as well.

Why this change?

I can only assume that their AI has made the conclusion that I was phishing, as the domain has Spotify in the title and the login page looks somewhat like Spotify's.

This PR thus adds a warning to the README as a proposed mitigation for users. I'm not set on this merging, especially if we take other mitigations!

What else can be done?

This PR is a very basic mitigation. I would also suggest that the login page changes

[side-by-side screenshots: Spotify login page and Your Spotify login page]

In this comparison we see that the overall login page is quite different, but the typography and button style are quite similar.

I'd suggest the button style and typography be changed, or perhaps a warning alert added to indicate this is not Spotify.

Yooooomi commented 1 year ago

It also happened to me! Did not know it was something to do with YourSpotify

Yooooomi commented 1 year ago

I would be curious to know the exact reasons though. My opinion is that we can implement many thoughts we have and still have our websites blocked.

jules2689 commented 1 year ago

Yes! I agree, it's a clear overreach of a poorly made AI by Google imo.

I suspect they use some basic heuristics, such as the login page having similar styles and the URL having the word Spotify in it. Hence my suggestions in this PR.

Unfortunately all they tell me is that "Spotify.ep.jnadeau.ca/login is trying to steal people's information" (obviously untrue). Hence my conclusion. I even use Google Workspace for my email, so I escalated to that support and got nowhere.

Do you think there are other basic mitigations that can happen here?

ItsLogic commented 1 year ago

Ended up with the same issue here and got my whole domain flagged. I have changed the subdomain to remove the word spotify on the recommendation of this PR now and I'm waiting on a review to see if it goes back to normal. [screenshot] I will comment here again if/when Google manage to review it just to confirm if this advice works.

Yooooomi commented 1 year ago

I did a report but did not change anything, even though my domain contains Spotify. They cleared the flag. So it's likely that they will clear yours too.

jules2689 commented 1 year ago

I wonder if we need to change the login page to have a big disclaimer or use different colour schemes?

ItsLogic commented 1 year ago

> I did a report but did not change anything, even though my domain contains Spotify. They cleared the flag. So it's likely that they will clear yours too.

Nice to know, but as I have already changed it and updated my things to reflect the change, I probably won't change it back at this point. Google are really giving me the run around with trying to get my domain cleared though.

I got a response to my request the day after I made my post, although I have my suspicions it's a response to an earlier request which I made before I knew it was this page and before they had given me the sample URLs (I assumed a later request would overwrite the first one but this seems to have not been the case).

The review came back clean but annoyingly the page warnings and security issue on the search console still stand. [screenshot]

Guess I just need to wait for a second review...

> I wonder if we need to change the login page to have a big disclaimer or use different colour schemes?

Without knowing the kind of automated systems they have in place I'm not too confident in the impact of a disclaimer. I do think a change in colour scheme is a good idea to try and avoid false positives though.

jules2689 commented 1 year ago

@ItsLogic I'm not confident either :) I'm making some guesses here as to what the problem is, but mostly wanted the conversation and for this to serve as some documentation.

Colour scheme changes make sense to me too!

Yooooomi commented 1 year ago

I've been getting my 5th report in a month yesterday. I feel like it's just the login screen that causes issues. An ANONYMIZE_LOGIN_PAGE mode that does not quote Spotify should solve the problem in my opinion. I'll have a look this week.

idunwannagotoschool commented 1 year ago

My third time yesterday.

Yooooomi commented 1 year ago

Do your subdomains contain the word Spotify, guys?

idunwannagotoschool commented 1 year ago

yes

Yooooomi commented 1 year ago

Maybe you should consider renaming to music.domain.com

Yooooomi commented 10 months ago

This has been addressed in 1.7.1, so I feel like this is not up to date anymore. Thanks a lot for your contribution, guys. Please don't hesitate to reopen if it starts striking again. And yeah, be sure to omit Spotify from your domain.
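The thread settles on two self-hosting mitigations: keep the brand name out of the hostname, and keep it off the login page (the ANONYMIZE_LOGIN_PAGE idea). The following preflight check is an added example, not code from the your_spotify project and not the change that shipped in 1.7.1; it scans a deployment hostname and the login page's visible text (body text, title, alt/placeholder attributes) for brand terms before the instance is exposed. The hostnames, HTML and brand list are constructed for the example.

```python
"""Preflight check for a self-hosted dashboard whose login page could be
mistaken for a third-party brand's sign-in page. Added example; not part
of the your_spotify project."""
from html.parser import HTMLParser
import re

# Terms the thread identified as drawing a "deceptive site" flag (constructed list).
BRAND_TERMS = ("spotify",)


class _VisibleText(HTMLParser):
    """Collect text a visitor or crawler would read: element text, <title>,
    and alt/title/placeholder/aria-label attributes. Script and style bodies
    are skipped because they are not rendered."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        for name, value in attrs:
            if name in ("alt", "title", "placeholder", "aria-label") and value:
                self.chunks.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if text and not self._skip_depth:
            self.chunks.append(text)


def hostname_findings(hostname, brands=BRAND_TERMS):
    """Report every DNS label of the hostname that contains a brand term."""
    findings = []
    for label in hostname.lower().rstrip(".").split("."):
        for brand in brands:
            if brand in label:
                findings.append(f"hostname label '{label}' contains brand term '{brand}'")
    return findings


def login_page_findings(html, brands=BRAND_TERMS):
    """Report every visible text chunk of the login page that mentions a brand term."""
    parser = _VisibleText()
    parser.feed(html)
    findings = []
    for chunk in parser.chunks:
        for brand in brands:
            if re.search(re.escape(brand), chunk, re.IGNORECASE):
                findings.append(f"login page text mentions '{brand}': {chunk!r}")
    return findings


def preflight(hostname, login_html, brands=BRAND_TERMS):
    """Combined check; an empty list means neither mitigation is violated."""
    return hostname_findings(hostname, brands) + login_page_findings(login_html, brands)


# Constructed sample: a branded login page on a branded subdomain ...
BRANDED_HOST = "spotify.stats.example.net"
BRANDED_HTML = """<html><head><title>Your Spotify - Login</title></head>
<body><h1>Log in with Spotify</h1>
<img src="logo.svg" alt="Spotify logo">
<button>Continue with Spotify</button></body></html>"""

# ... and the same page after applying the thread's two mitigations.
NEUTRAL_HOST = "music.example.net"
NEUTRAL_HTML = """<html><head><title>Music dashboard - Login</title></head>
<body><h1>Sign in to your dashboard</h1>
<button>Continue</button></body></html>"""

if __name__ == "__main__":
    for host, html in ((BRANDED_HOST, BRANDED_HTML), (NEUTRAL_HOST, NEUTRAL_HTML)):
        print(host)
        for finding in preflight(host, html) or ["no brand references found"]:
            print("  -", finding)
```

Run it before publishing an instance; the branded sample yields one hostname finding and four login-page findings, the neutral sample yields none. Attribute scanning matters because a logo's alt text is still brand text to a crawler even when no visible word says the name.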