jellyfin-web
Deceptive Site Ahead
Describe The Bug: A domain hosting Jellyfin is flagged by Google as a "Deceptive Site".
Steps To Reproduce: Unknown
System (please complete the following information):
- Browser: Firefox, Chrome
- Jellyfin Version: 10.8.5 (linuxserver/jellyfin:10.8.5-1-ls180)
Additional Context: Google claims that https://example.tld/web/index.html attempts to trick users into doing something dangerous, such as installing unwanted software or revealing personal information.
I've appealed to Google twice now, but the domain continues to be flagged. This issue has been further documented on a few reddit posts:
Does entering your url here provide any information about what they believe is an issue? https://transparencyreport.google.com/safe-browsing/search
We really have nothing to go off of for this currently.
Unfortunately, this is all it says
Current status warning This site is unsafe
The site https://example.tld/web/index.html contains harmful content, including pages that:
- Try to trick visitors into sharing personal info or downloading software
I'm unsure how I'd get more info. I'm open to sharing the domain with a maintainer privately, if it helps.
Are you using any third party css?
The same thing just happened to me tonight. My server's been using the same IP (from Comcast) for at least a couple years now. I'm currently on version 10.8.1 and am not using any third party CSS. I have the following plugins installed: (PNG of plugins page).
EDIT: This is blocking the Android app from working as well. So while web browsers can bypass the warning, and I can still access it on the local network, my server is completely inaccessible on remote Android devices.
Sorry @thornbill, was only just notified of updates on the thread, no I'm not using any third-party CSS
Same issue here!
I'm also having the same issue. Twice now with two different servers. Both were using duck DNS and caddyv2. Requesting Google to remove the flag worked temporarily before being flagged again
I've done a bit of digging. It seems the YunoHost community is also experiencing this. With further digging I found a few things that lead me to suspect our domains are being flagged for "Insufficiently labeled third-party services".
- While not directly related to Safe Browsing (and thus this error), I found this notice from NameCheap:
Please be informed that the xxxxxx domain name was reported as involved in abusive activity by a trusted organization. During the investigation, it was noticed that your website content is a copy of the Bitwarden official website. On that ground, we were forced to suspend the domain name due to phishing activities, which include unauthorized use of the legitimate organization denomination and attempts to acquire sensitive information such as usernames, passwords, etc
And they follow that up with:
you will need to provide us with paperwork proving your cooperation with the Bitwarden website and their consent to use their official denomination in your domain name.
This indicates that NameCheap is actively identifying and responding to IP (intellectual property) violations used for phishing. Since Bitwarden is another self-hostable, open-source project, it's highly unlikely that this action was prompted by the Bitwarden team themselves. This suggests that NameCheap is independently detecting supposed IP violations and issuing notices accordingly. This behavior appears similar to what we're experiencing with Google, hinting at a broader industry trend.
- This comment regarding the Deceptive Site warning also seems to indicate that this is more of a branding/IP problem, rather than just an issue with the source code.
- And this comment on StackOverflow where someone supposedly received the warning on a site imitating Netflix, also believes that the issue is a result of the imitation.
- Eventually, I found this article by Google on social engineering where they show deceptive content examples.
This one caught my eye.
Its layout is similar to the JellyFin login page, right? A page at the root path of a domain (true for both the OP of the YunoHost thread and myself) using a trusted third-party's logo in an authoritative position, with the page's sole purpose clearly being to collect credentials. YunoHost shares this layout as well. Additionally, both apps use the product name in the page title, along with the product's logo as the favicon.
I surmise that the combination of the following elements
- the page title being "JellyFin"
- the page favicon using the JellyFin logo
- the authoritative location of the JellyFin logo
- the page's sole purpose being to collect credentials, and
- the service being hosted at the root path of the FQDN
leads to Google thinking we're trying to impersonate JellyFin.
Interesting hypothesis @GodBleak. Do you know if it is possible to override all these on the landing page?
I suspect the meta tags here may be to blame, but someone would have to test that to verify since Google is providing no usable information.
https://github.com/jellyfin/jellyfin-web/blob/master/src/index.html#L15-L19
I disputed the "deceptive site warning" through the Google search console about a week ago, and the error has yet to come back.
I've had this issue since mid-September. I lodged a review with Google via Search Console; they would lift the block, and then a week later it would be blocked again. I've been blocked 4 times. I rebuilt the server the first time after finding no issues, and they still blocked it. I have continued to send them the same review response, "please stop blocking this private site", and they have lifted the block every time. I've stopped sending reviews to Google; I gave up. Using Jellyfin in the Kodi app is my workaround.
Twelve days ago I changed all five of those meta tags in my jellyfin-web\index.html file so that they're all unique to my server and I have yet to be blocked by Google again. I've logged in and out remotely several times since then using Google devices/programs. I'm not saying I'm sure this is definitely a fix, I'm just sharing my experience. BTW, editing that file was a pain since it's all on one line.
I also have a qBittorrent web server running and that is blocked by Google; it's not limited to Jellyfin. A lot of people are running
Are you able to compare with previous versions of the Jellyfin server, to see if this tag changed after the update, causing the Google block? I've been running Jellyfin for a few years with no issues up until now.
I found some older versions of the index.html file going back to last November and those meta tags haven't changed. If the tags are what the issue is, then this is something new that Google has started doing all of a sudden. I'm just a layman but I looked into what those "og" (Open Graph) tags are about and it appears that people have done phishing scams using false og tags as a way to trick people into thinking they're logging into their bank or whatever.
If this is actually what the problem is - and we don't know yet - then that would mean Google sees that your Jellyfin server has an "og:url" tag pointing to "https://jellyfin.org" - but that isn't your server's URL, so Google may be assuming you're trying to spoof people. Again, we don't know if that's what's going on. FWIW, I changed my "og:url" to my server's IP address, and changed "og:title", "og:name", and "og:description" to "lednerg's Jellyfin Server".
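One way to check this hypothesis against your own instance, as an added example that is not part of the original thread or Jellyfin's code: it parses a page (including markup that sits on a single line) and reports whether og:url names a host other than the one serving the page. The sample markup and the host media.example.tld are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class OpenGraphCollector(HTMLParser):
    """Collect <meta property="og:*" content="..."> pairs from an HTML page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        prop = attr.get("property", "").lower()
        if prop.startswith("og:"):
            self.tags[prop] = attr.get("content", "")


def audit_og_tags(html, served_host):
    """Return (og_tags, findings) for a page served from served_host."""
    parser = OpenGraphCollector()
    parser.feed(html)
    parser.close()
    findings = []
    og_url = parser.tags.get("og:url")
    if og_url:
        # A bare host or IP has no scheme; prefix "//" so urlsplit sees a netloc.
        parts = urlsplit(og_url if "//" in og_url else "//" + og_url)
        og_host = (parts.hostname or "").lower()
        if og_host != served_host.lower():
            findings.append(f"og:url host {og_host!r} != served host {served_host!r}")
    return parser.tags, findings


# Constructed sample: minified one-line markup, not the real jellyfin-web file.
SAMPLE = ('<!DOCTYPE html><html><head><meta charset="utf-8">'
          '<meta property="og:title" content="Jellyfin">'
          '<meta property="og:url" content="https://jellyfin.org">'
          '<meta property="og:description" content="Media server">'
          '<title>Jellyfin</title></head><body></body></html>')

if __name__ == "__main__":
    tags, findings = audit_og_tags(SAMPLE, "media.example.tld")  # assumed host
    for name, value in sorted(tags.items()):
        print(f"{name}: {value}")
    for finding in findings:
        print("MISMATCH:", finding)
```

A mismatch here only shows that the page describes itself with another site's URL; whether Safe Browsing weighs that is not confirmed anywhere in this thread.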
I changed those og tags and guess what, Google blocked the site :/ Is it because Google detected the change? I'll send a review to get it unblocked with this current change and see how long it remains unblocked.
It could be that you didn't change them soon enough, but like I said, we don't actually know what the problem is.
After my server was blocked by Google, I turned it off, got my IP unblocked, and temporarily switched to using an Apache server. I only turned Jellyfin back on after changing those meta tags. That was 16 days ago and my server hasn't been blocked since. I've been accessing the server from outside of my local network practically every day, in ways which would be going through Google Security, such as through Chrome browsers and Android devices. Unfortunately, I can't revert the tags back just to test if it'll block me again because I'm using this IP and Jellyfin for work; I use it to serve videos I make for my clients.
I'm facing the same issue, requested to be reviewed once after which the warnings disappeared, only to return a few days later.
I went through the verification process on https://search.google.com/search-console, and then this caught my eye:
Could it be because of the service workers that Jellyfin uses? Maybe in combination with the og:url tag and asking for login details?
this is what is on mine.
Battled with this earlier. Took down my whole domain. Luckily disputing it seemed to have corrected it. Not happy to read it can still happen after, and multiple times no less...
After three weeks or so with it being fine, Google has flagged my server again. I have no idea what to do, but I obviously can't use Jellyfin anymore. Just wrote a detailed saga to Google about it, but who knows if that'll even reach a conscious human.
Same here, just got blocked. That didn't last long, so the tag mod did not do anything :/
Google is still flagging the site, but strangely the Android apps are working... Is anyone else experiencing this too? Maybe Google has made an exception?
FYI Without doing anything to Jellyfin, Safari no longer displays the warning for my domain, but Chrome still does.
Edited: after a week or so, it's back again in Safari too. The iOS clients worked while Safari did not show the warning, now they've stopped working.
I got the same warning a month ago. Afterwards I added the domain to Google Search Console and filed a review. Within a couple days they removed the warning. I just got a new email from Google Search Console saying "Social engineering content detected on <mydomain.tld>" and the warning is back. It says the deceptive page is https://mydomain.tld/web/index.html
Details about my setup: Running Jellyfin in Docker with Nginx Proxy Manager and cloudflare-ddns. Additionally have the Cloudflare DNS proxy status enabled and Cloudflare's Web Application Firewall setup to block all access outside the USA.
There is no fix. Google's flag is never-ending. Lately the apps on TV and the app still work, which is all that matters.
I suspect it could be reverse proxy settings. This block seems to cause issues:
    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
    location = /web/ {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
At least this is my initial suspicion.
I've experienced this with and without a reverse proxy. Google just flags it regardless.
This seems like it worked for me... I have gone 2 weeks without being flagged again after I changed the tags.
I got flagged last Sunday (2022.12.25) and after reading about this issue I immediately submitted a review request on Google Search Console. The flag was removed on Wednesday (2022.12.28), and then it was just auto-flagged again today (2022.12.31). I have just updated the og: meta tags as suggested here and will report results in a few weeks.