My emby server has been flagged as a Deceptive site.

[RDSII64 4]

I found the following when I went to log into my server to watch a movie.

"Deceptive site ahead
Attackers on (my site name) may trick you into doing something dangerous like installing software or revealing your personal information (for example, passwords, phone numbers, or credit cards). Learn more"

 I used the link to report that my site has been flagged in error.

What might have caused this and how can I fix it?

[denz 426]

It sounds like you don't have a valid ssl certificate. 

[RDSII64 4]

14 minutes ago, denz said:

It sounds like you don't have a valid ssl certificate. 

I will have to check.  I use cloudflair for my reverse proxy.  I thought mine was set to auto renew. Thanks for the tip.

Edited March 26, 2021 by RDSII64

[Guest]

It can also be your domain name.. If you are using a free domain which isn't paid for.. Other sites that have also used it.. I will give an example.. This happened to me around 2002 - 2005 maybe even 2007..

My No-IP Domain was 0ofu.zapto,org and 0ofu.no-ip.net... i had to append a port number if it differed because of the free service available at the time.. 

Other site addresses were somewierdsite.zapto.org and somewierdsite.no-ip.net... or even someothersite.sytes.net... This even effected my fathers business website which I wrote for him in effort help a dying business, in a struggling economy.

When we started Web Access protection.. some of these people manually reported entire sets (hundreds of thousands) of websites as being malicious because of the way the free addresses were written.. When they reported one sites that actually was hosting a malicious file or they did not understand what was going on on the page.. even programmatic and system issues..

So the same thing started happening to me when I browsed to my site.. I got security software warnings nd people never trusted even going to my personal website which held no circumventions/drive-by downloads.. or content available for public consumption..

Edited March 26, 2021 by Guest

[RDSII64 4]

3 minutes ago, Hxemby001 said:

It can also be your domain name.. If you are using a free domain which isn't paid for.. Other sites that have also used it.. I will give an example.. This happened to me around 2002 - 2005 maybe even 2007..

My No-IP Domain was 0ofu.zapto,org and 0ofu.no-ip.net... i had to append a port number if it differed because of the free service available at the time.. 

When we started Web Access protection.. some of these people manually reported entire sets (hundreds of thousands) of websites as being malicious because of the way the free addresses were written.. When they reported one sites that actually was hosting a malicious file or they did not understand what was going on on the page.. even programmatic and system issues..

So the same thing started happening to me when I browsed to my site.. I got security software warnings nd people never trusted even going to my personal website which held no circumventions/drive-by downloads.. or content available for public consumption..

I pay $10.00 a year from google for mine. My domain name is still worth looking into though. Thanks for the help.

[RDSII64 4]

I have opened a support ticket with cloudflair.  Hopefully I will have some help soon. 

[Luke 37067]

Let us know how you get on. Thanks.

[SuperMinecraftKid 5]

I'm now getting the same issue. I use cloudflare to proxy my emby server, and now when I go to https://emby.<mydomain> in Microsoft Edge, I get a red screen saying "This site has been reported as unsafe". I pay yearly for my domain on namecheap, and I've had no issues with it for the past year or two. I've only just noticed this warning page showing up within the past month.

My SSL certificate is valid, and I have many other subdomains on this domain which are also proxied by cloudflare that aren't marked as deceptive or unsafe. Only my emby subdomain.

Has anyone been able to resolve this yet?

Edited December 28, 2022 by SuperMinecraftKid

[RDSII64 4]

7 hours ago, SuperMinecraftKid said:

I'm now getting the same issue. I use cloudflare to proxy my emby server, and now when I go to https://emby.<mydomain> in Microsoft Edge, I get a red screen saying my "This site has been reported as unsafe". I pay yearly for my domain on namecheap, and I've had no issues with it for the past year or two. I've only just noticed this warning page showing up within the past month.

My SSL certificate is valid, and I have many other subdomains on this domain which are also proxied by cloudflare that aren't marked as deceptive or unsafe. Only my emby subdomain.

Has anyone been able to resolve this yet?

I opened up a support ticket with cloud flair and if I remember correctly, I even contacted Google (that who I pay yearly for my sight name). Its been a while so I don't remember how we solved this issue but it had something to do with web scrapers In my case.  Contact Namecheap and see what help they can provide after you open a support ticket with cloudflair.

[WidowMaker99 0]

I bought a domain from google pointed it towards ip address of my home emby server 12 hours later my domain has the same deceptive google warning on it not sure why i wonder if the log in screen of emby makes google freak out… 

[budokaiman 3]

This definitely seems related to the login page as the only URLs that seem to get flagged are the login page and redirects

https://DOMAIN/emby

https://DOMAIN/emby/web/index.html

https://DOMAIN/emby/web/index.html#!/startup/manuallogin.html?serverId=SERVER_ID

I've checked 3rd party requests made when navigating to the base page and only see 2 requests made to gstatic.com (which is a google domain) and then a serviceworker.js script (which seems to actually be internal as the request URL matches my domain, but it shows up as a 3rd party request). I've also setup a completely isolated domain just for an emby instance and it got flagged within 24 hours, so I know that it's not some unrelated app on the site. I know there is also this thread, which I've commented in, don't want to duplicate things across threads, but both of these seem to have different activity across different boards, so leaving it here as well. I did also find this thread, which says that it could be due to an external resource loaded by a plugin, but I wouldn't think that any plugins or external resources should be loaded on the login page.  I'd love to believe that this is just a google error, but the frequency at which I've been blocked due to emby makes me question if there's something actually worth concern. I know the other thread says to use cloudflare, but that's really not an option for me and based on this thread, I doubt it would really help too much. I know the main app.emby.media login page functions differently than self-hosted version due to using emby connect, could there be some difference that prevents flagging?

@RDSII64Do you remember how you got in contact with google? Was it just through domain name support or was there some separate support for these search console errors (I've been unable to find much in the way of search console support and I'm not running this domain through a google domain)? You say it had something to do with scrapers, I have all robotags off so that I shouldn't appear in search results anyway.

[GrimReaper 3294]

4 minutes ago, budokaiman said:

I know the main app.emby.media login page functions differently than self-hosted version due to using emby connect

Nope, you don't have to connect through Emby Connect with hosted Web app, you can connect via IP/domain just as well, Connect is an optional feature, both for linking users on your server and connecting through hosted Web app. 

[budokaiman 3]

Ah, sorry I thought that was all part of connect. 

[GrimReaper 3294]

9 minutes ago, budokaiman said:

Ah, sorry I thought that was all part of connect. 

Yeah, happens quite often as login with Connect credentials is landing page for app.emby.media. If you skip that one, it'll take you to manual login page where you can input your IP/domain and port, like other client apps

[budokaiman 3]

I decided to do a diff of my emby data and the data of a freshly built docker container, and I don't see anything of value (It's mostly the obvious things like caches, episode/metadata, plugins, logs. There was a diff in the cache/httpclient but the only changes were download count numbers). So I think I can safely say that all files are unmodified from what they are intended to be (I did also clean out the ephemeral storage of my existing instance the other day before the re-flag).

[lucian.pearce 0]

Did anyone find a solution to this issue I got it reviewed a couple weeks ago but now it back this block every other site that is relate to the domain as well as home is a subdomain 

Here is a sample of URLs from your site where we detected social engineering content:

http://home.mydomain[.]net/web/

http://home.mydomain[.]net/

[BillybobBilly 14]

Jumping on the bandwagon here. My site is also being marked as dangerous/deceptive. Any solution/workaround to this issue?

[letterman 34]

Same to me. Today my site with emby server got flagged as dangerous/deceptive, too.

Used it for years without problems, always with trusted let's encrypt certificate. I changed nothing. 

Hope there is a solution. What did change?

 

[pwhodges 1531]

Presumably the detection changed. 

Aside from that, I believe one thing that's looked for is a site having a front page which is the same as other different sites; naturally a login page for the same software (Emby in our case) will do this.  Maybe a way of customising the login page could be a means of side-stepping this check.

Perhaps adding some personal CSS to the login page might help?

Paul

Edited March 15, 2023 by pwhodges

[letterman 34]

On the deceptive site ahead warning page is a possiblity to give feedback. I reported it as a private media player site for my family. 3 houres later the warning was gone. Nevertheless the detection seems to be changed. I do not have a special front page. All standard emby config.

[rbjtech 4265]

I presume nobody using reverse proxies is having this issues - suggesting it's an Emby Web Server 'issue' that google have.

Any views from the Core Dev's ? @Luke @ebr

[Q-Droid 643]

1 hour ago, rbjtech said:

I presume nobody using reverse proxies is having this issues - suggesting it's an Emby Web Server 'issue' that google have.

Any views from the Core Dev's ? @Luke @ebr

Per this other thread it doesn't make a difference.

 

[rbjtech 4265]

53 minutes ago, Q-Droid said:

Per this other thread it doesn't make a difference.

 

Ah ok - so maybe it's a vulnerabilities issue on the sites.  It would be interesting to see what score they get on something like ssllabs/qualys -  https://www.ssllabs.com/ssltest/index.html

edit ..

maybe emby.media wanna try to improve things as well while they are looking (capped to B as they still support TLS 1.0/1.1) .. 

Edited March 17, 2023 by rbjtech

[budokaiman 3]

Quote

Ah ok - so maybe it's a vulnerabilities issue on the sites.  It would be interesting to see what score they get on something like ssllabs/qualys

I get an A rating on my site, only knock is not supporting DNS CAA. I've since switched emby to a separate domain name, and leave everything else I have on the same domain, which is being served the same way as emby. Only the emby domain has been flagged.

[rbjtech 4265]

3 minutes ago, budokaiman said:

I get an A rating on my site, only knock is not supporting DNS CAA. I've since switched emby to a separate domain name, and leave everything else I have on the same domain, which is being served the same way as emby. Only the emby domain has been flagged.

Right ok - thanks - so probably not this then.  Shame google can give a more descriptive reason for the flag.