thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License
6.49k stars 1.12k forks

Google warning - Deceptive site ahead #1373

Closed timyyo closed 9 months ago

timyyo commented 9 months ago

We have implemented this bundle and are live with it. Some users get the red screen from Google which says "Deceptive site ahead".

We're using the authorization code grant flow; on request number 5 users sometimes receive the deceptive site ahead warning. In the Google Search Console I have no information regarding it and I can just report it as a false flag. Then Google flags it as solved, but a few days later it's back.

I think the issue is that Google thinks this code parameter here is malicious code; it always happens on that particular call.

[code parameter value omitted]

My entire application is rather complex and I can't shorten the parameters, here: https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AuthCodeGrant.php#L368

Does anybody have an idea how to deal with this issue?

1. 302 https://auth.myapp.com/
2. 302 https://login.myapp.com/login?identifier=demo2
3. 302 https://auth.myapp.com/consent?code_challenge_method=S256&state=a2f1dc186493cfec4c01d8956f1b851c&scope=&response_type=code&approval_prompt=auto&redirect_uri=https://login.myapp.com/connect/kauth/check?identifier%3Ddemo2&client_id=myapp
4. 302 https://auth.myapp.com/authorize?code_challenge_method=S256&state=a2f1dc1864adscfec4c01d8956f1b851c&scope=&response_type=code&approval_prompt=auto&redirect_uri=https://login.myapp.com/connect/kauth/check?identifier%3Ddemo2&client_id=myapp
5. 302 https://login.myapp.com/connect/kauth/check?identifier=demo2&code=[code omitted]&state=a2f1dc186493cfec4c01d8956f1b851c
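The chain above is one complete authorization code round trip as the browser sees it. As an added example (not from the issue, the reporter, or the oauth2-server library), here is a small Python audit of such a redirect trace. The URLs, `state`, `code_challenge` and the code value are constructed and modelled on the chain in the post; the hostnames `auth.myapp.com` and `login.myapp.com` are taken from it. The audit checks the things a relying party should be able to confirm from its own logs when a callback like step 5 is in question: every hop is HTTPS, `state` round-trips unchanged from the authorization request to the callback, a `code_challenge_method` is accompanied by a `code_challenge`, the callback lands on the registered `redirect_uri` with that URI's own query parameters preserved, and `redirect_uri` is percent-encoded as a whole rather than carrying a literal `?`.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample values, modelled on the chain pasted in the issue.
STATE = "9f3b5c0e1d2a4b6c8e7f0a1b2c3d4e5f"
OTHER_STATE = "f1e2d3c4b5a6978877695a4b3c2d1e0f"
CODE_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

# A consistent trace: state round-trips, PKCE challenge present, redirect_uri fully encoded.
GOOD_TRACE = [
    "https://auth.myapp.com/",
    "https://login.myapp.com/login?identifier=demo2",
    f"https://auth.myapp.com/authorize?response_type=code&client_id=myapp&scope=&state={STATE}"
    f"&code_challenge={CODE_CHALLENGE}&code_challenge_method=S256"
    "&redirect_uri=https%3A%2F%2Flogin.myapp.com%2Fconnect%2Fkauth%2Fcheck%3Fidentifier%3Ddemo2",
    f"https://login.myapp.com/connect/kauth/check?identifier=demo2&code=CONSTRUCTED_AUTH_CODE&state={STATE}",
]

# Same shape, but: state does not round-trip, code_challenge is missing, and redirect_uri
# is not percent-encoded as a whole (a literal '?' inside it, as in the issue's trace).
BAD_TRACE = [
    "https://auth.myapp.com/",
    "https://login.myapp.com/login?identifier=demo2",
    f"https://auth.myapp.com/authorize?response_type=code&client_id=myapp&scope=&state={STATE}"
    "&code_challenge_method=S256"
    "&redirect_uri=https://login.myapp.com/connect/kauth/check?identifier%3Ddemo2",
    f"https://login.myapp.com/connect/kauth/check?identifier=demo2&code=CONSTRUCTED_AUTH_CODE&state={OTHER_STATE}",
]


def parse_hop(url):
    """Split one URL of the redirect chain into its parts and a flat dict of query parameters."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts, query


def audit_auth_code_flow(trace):
    """Check a browser redirect chain of an authorization code flow.

    trace: URLs in the order the browser was redirected through them.
    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    hops = [parse_hop(u) for u in trace]

    for parts, _ in hops:
        if parts.scheme != "https":
            findings.append("non-https hop: " + parts.geturl())

    # The authorization request is the last hop carrying response_type=code.
    authz_idx = None
    for i, (_, q) in enumerate(hops):
        if q.get("response_type") == "code":
            authz_idx = i
    if authz_idx is None:
        return findings + ["no authorization request (response_type=code) in trace"]
    authz_parts, authz_q = hops[authz_idx]

    # The callback is the first later hop that carries a code.
    callback = None
    for hop in hops[authz_idx + 1:]:
        if "code" in hop[1]:
            callback = hop
            break
    if callback is None:
        return findings + ["no callback carrying a code after the authorization request"]
    cb_parts, cb_q = callback

    # 1. state must round-trip unchanged; it is what ties the callback to this client's request.
    if "state" not in authz_q:
        findings.append("authorization request has no state parameter")
    elif cb_q.get("state") != authz_q["state"]:
        findings.append("state in callback does not match state in authorization request")

    # 2. PKCE: a method without a challenge leaves the server nothing to bind the code to.
    if "code_challenge_method" in authz_q and "code_challenge" not in authz_q:
        findings.append("code_challenge_method given without code_challenge")

    # 3. The callback must land on the registered redirect_uri (scheme, host, path),
    #    and the query the redirect_uri itself carried must survive the round trip.
    reg_parts, reg_q = parse_hop(authz_q.get("redirect_uri", ""))
    if (cb_parts.scheme, cb_parts.netloc, cb_parts.path) != (reg_parts.scheme, reg_parts.netloc, reg_parts.path):
        findings.append("callback location differs from redirect_uri in the authorization request")
    for k, v in reg_q.items():
        if cb_q.get(k) != v:
            findings.append(f"redirect_uri query parameter {k!r} not preserved on callback")

    # 4. redirect_uri should be percent-encoded as a whole; a literal '?' inside the raw
    #    value makes the authorization request ambiguous for any parser in the chain.
    raw = authz_parts.query
    start = raw.find("redirect_uri=")
    if start != -1:
        raw_value = raw[start + len("redirect_uri="):].split("&", 1)[0]
        if "?" in raw_value:
            findings.append("redirect_uri is not fully percent-encoded (literal '?')")

    return findings


if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        print(name, audit_auth_code_flow(trace) or ["ok"])
```

Run against a trace exported from the browser's network panel, the function returns an empty list when the flow is internally consistent, which narrows a "Deceptive site ahead" verdict down to the content or reputation of the destination rather than to the structure of the OAuth exchange itself.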

Sephster commented 9 months ago

Have you checked here to find out why Google is flagging the content? https://developers.google.com/search/docs/monitor-debug/security/social-engineering

timyyo commented 9 months ago

Yes the only information I can see there is the following:

[image]

It's basically impossible to get in touch with a human to get more info. I have been offering an administration SaaS solution for many years; everything is completely legit. The business has been online for almost 10 years and before OAuth I never faced such issues.

Sephster commented 9 months ago

That's very strange. I would request a review if you haven't done so already, but I suspect this issue will be specific to your site. With the ubiquity of Chrome and the large user base of this package, I would have expected more notifications of this if there was something the package was doing to trigger the issue.

timyyo commented 9 months ago

Well, I did request a review and it takes 1-3 business days until something happens. I already had this issue once and then it was marked as resolved but came back a month later. I was thinking back then it's because of cross-domain redirects. I have since merged everything onto one domain but still face the issue and can only think of the authorization code which gets flagged as malicious.

[image]

Sephster commented 9 months ago

Did you receive a reply and a root cause @timyyo ?

timyyo commented 9 months ago

Google's answer was:

"Thanks for contacting the Google Search Central support team. It seems that you were facing issues with a security report in Google Search Console for "Deceptive site ahead". I couldn't find any security issues on your website at this moment. Everything seems to be working as intended. If you've requested a review, check your Message Center. It might have been approved.

Should you need further assistance, reach out to us again.

Thanks!"

I have asked again what exactly has been flagged but did not receive any answer yet.

timyyo commented 9 months ago

I think they don't understand their own algorithm and can't give an answer as to what the specific issue is. The answer I'm getting is the following:

"Thank you for your patience.

The Safe Browsing Team has informed me that your site has been removed from the list and the team will engage in enhanced monitoring to reduce the risk of it being readded. There is no further action necessary on your part. In order to protect over Four Billion devices every day from phishing and malware equitably the Safe Browsing team has to maintain a consistent process for all webmasters. I realize that any enforcement action can be a challenging experience so we have a dedicated system to review each case to enable webmasters to remediate any issues and be removed from the Safe Browsing List. I hope this helps!"

Sephster commented 9 months ago

That's so frustrating that they can't point to why you've been flagged. If there was something in the request such as a header or redirect issue, we could look at fixing it.

The fact this hasn't been reported to us more widely suggests it is specific to your site, but as to why, I've no idea. If you want to shorten the tokens you could maybe use a different encryption algorithm.

I will close this for now as I don't think there is anything we can address but if you do hear anything more concrete please let us know. Thanks for keeping us updated on this.