
My emby server has been flagged as a Deceptive site.


RDSII64


Q-Droid

I'll ask again since I haven't seen a response. Trying to identify a pattern for this in addition to the already suspected causes. There are so many who are not being flagged including forum regulars.

- What ports are the flagged sites using? Not that the ports are an issue but I'm wondering if common ports are more likely to get scanned and flagged.

- Are the flagged sites using a sub-domain such as emby.<domain>? These might appear to be even more suspect as impersonators than FQDN which doesn't include emby in the name. Once the sub-domain is flagged then it would be logical that the entire domain gets flagged if not free DNS/DDNS.

 


pwhodges

I have not been flagged.  I use a domain starting emby.xxx which requires https on port 443 (80 also works, but only by virtue of immediately redirecting to 443).  I do not expose Emby's own default ports, and I'm running the beta (so hopefully I am now safer from this nuisance).

Paul


Animosity022
Just now, pwhodges said:

I have not been flagged.  I use a domain starting emby.xxx which requires https on port 443 (80 also works, but only by virtue of immediately redirecting to 443).  I do not expose Emby's own default ports, and I'm running the beta (so hopefully I am now safer from this nuisance).

Paul

I use an emby.xxx only on port 443, no redirect. Almost identical to you minus the 80 part. I've removed Emby again and it will probably take me another year or so before I decide to check it out again as I seem to always come back to see how things are.


rbjtech

Same here emby.x.x on 443/80 redirect.  From the nginx web logs, I can clearly see (uk) Google probing -   I've been on the beta for a while, but these header changes were only made fairly recently - but I've never been flagged.


pwhodges

My base domain gets a fair amount of unrelated usage; I wonder if that contributes to their assessment of the domain as a whole.

Paul


Q-Droid
44 minutes ago, pwhodges said:

I have not been flagged.  I use a domain starting emby.xxx which requires https on port 443 (80 also works, but only by virtue of immediately redirecting to 443).  I do not expose Emby's own default ports, and I'm running the beta (so hopefully I am now safer from this nuisance).

Paul

I asked because mine does not include emby in the name and uses the default port value externally even though behind a reverse proxy. It rarely gets scanned, most recently a few months ago by internet-measurement.com and on a different WAN IP (recent ISP change).  I'm running the stable release and manually updated the meta tags mentioned earlier in the thread but if the site wasn't probed/scanned before then likely doesn't matter.

My server gets very little external traffic and it's unknown if activity might also be a factor.

Edit: Another thing - if using Google DNS (8.8.8.8) for name resolution could that pique their interest in a site?

Edited by Q-Droid

Spaceboy

i got flagged today. it's annoying because personally i connect remotely through an openvpn server hosted on my pfsense router but i have some less technical family members that access my server and they would struggle with installing a vpn and ensuring it remains connected when they want to use it.

so i will be following these instructions very shortly...

edit - oh you have to be on beta.... well they'll have to wait then...

Edited by Spaceboy

Q-Droid

If you want to try it you can still modify the index.html in the stable release.  These are the lines I removed from mine but I am not a good test case since I haven't been flagged.

# diff -b index.html.mod index.html.orig
7a8
>     <meta name="description" content="Emby Server">
13a15
>     <meta name="application-name" content="Emby">
14a17,23
>     <meta property="og:title" content="Emby">
>     <meta property="og:site_name" content="Emby">
>     <meta property="og:url" content="https://emby.media">
>     <meta property="og:description" content="Energize your media.">
>     <meta property="og:type" content="article">
>     <meta property="fb:app_id" content="1618309211750238">
>     <meta name="apple-itunes-app" content="app-id=992180193">
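Review bot: the argument order on the `diff -b index.html.mod index.html.orig` line is reversed, so the nine tags that were removed show up as `>` additions in the 7a8, 13a15 and 14a17,23 hunks. Running `diff -b index.html.orig index.html.mod` would print them as `<` deletions at the line numbers they were taken from in the shipped file, which is easier for someone repeating the edit to follow.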
 


worthmo

I removed the following from my index.html

<meta name="description" content="Emby Server">
<meta name="application-name" content="Emby">
<meta property="og:title" content="Emby">
<meta property="og:site_name" content="Emby">
<meta property="og:url" content="https://emby.media">
<meta property="og:description" content="Energize your media.">
<meta property="og:type" content="article">
<meta property="fb:app_id" content="1618309211750238">
<meta name="apple-itunes-app" content="app-id=992180193">

 

Requested a review from google.  Was cleared on 5/7 and reflagged again on 5/8. Has anybody else that manually cleared out these values been re-flagged?

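The manual edit described in the two posts above, as an added example that is not part of the original posts and is not Emby's own code: a Python script that locates the nine meta tags listed in the thread in a copy of index.html and returns the page without them. The names `FLAGGED`, `audit`, `strip_flagged` and the sample page are assumptions made for this example.

```python
from html.parser import HTMLParser

# (attribute, value) pairs of the nine <meta> tags listed in the thread.
FLAGGED = {("name", "description"), ("name", "application-name"),
           ("name", "apple-itunes-app"), ("property", "og:title"),
           ("property", "og:site_name"), ("property", "og:url"),
           ("property", "og:description"), ("property", "og:type"),
           ("property", "fb:app_id")}

class MetaAudit(HTMLParser):
    """Records position and raw text of each flagged <meta> tag."""
    def __init__(self):
        super().__init__()
        self.hits = []  # [((line, column), raw_tag_text), ...]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and any((k, (a.get(k) or "").lower()) in FLAGGED
                                 for k in ("name", "property")):
            self.hits.append((self.getpos(), self.get_starttag_text()))

def audit(html):
    parser = MetaAudit()
    parser.feed(html)
    parser.close()
    return parser.hits

def strip_flagged(html):
    """Cut flagged tags out; a line that held only the tag is dropped too."""
    starts = [0] + [i + 1 for i, ch in enumerate(html) if ch == "\n"]
    out, pos = [], 0
    for (lineno, col), raw in audit(html):
        line_start = starts[lineno - 1]
        begin = line_start + col
        end = begin + len(raw)
        nl = html.find("\n", end)
        line_end = len(html) if nl < 0 else nl + 1
        if not (html[line_start:begin] + html[end:line_end]).strip():
            begin, end = line_start, line_end
        out.append(html[pos:begin])
        pos = end
    out.append(html[pos:])
    return "".join(out)

# Constructed sample, not the real Emby index.html.
SAMPLE = ('<head>\n    <meta charset="utf-8">\n'
          '    <meta name="description" content="Emby Server">\n'
          '    <meta property="og:url" content="https://emby.media">\n'
          '    <title>Media</title>\n</head>\n')
```

Running `audit` on the served page after an upgrade shows whether the shipped index.html has put any of these tags back.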

worthmo

What is the process to uninstall beta and re-install 4.8 when it becomes available?  I do not want to lose any settings, users, or watched status.


5 minutes ago, worthmo said:

What is the process to uninstall beta and re-install 4.8 when it becomes available?  I do not want to lose any settings, users, or watched status.

Just install stable over the top once the version number catches up.


pwhodges

Specifically, you can't go back to 4.7 without rebuilding everything in a new installation, because of changes in the database structure.

There may be ways to back up and restore (after rebuilding) the information you specify, but I don't have that info at my fingertips right now.

Paul


DarkZrobe
11 hours ago, n8tie said:

i use nginx as a reverse proxy (80+443 on a subdomain) and got flagged the third time, just a few days after removal it starts again on all of my *.domain.

was thinking about https://www.nginx.com/resources/wiki/modules/substitutions/ but until now i was too lazy and the apps work fine.

just 1 or 2 members of my family asked about their red browser :)

Are you on 4.8 yet? I haven't been reflagged as far as I know since moving to 4.8


  • 2 weeks later...
trinected

Hi, a week ago, it started:
Google is complaining that all my sites have phishing content:


Checking the Google Search Console:

Installed v4.7.11.0 by Docker on Linux, but it's complaining about the web-ui of Emby - none other. So, it seems to be irrelevant how it is installed, isn't it?
The last time I clicked the "Request Review", after a few days it has been removed from their list. But now it is coming again.

What could be the problem? The login-page is not valid to be accessible over the internet?

Thank you for your assist. @trinected


pwhodges

Have you read the thread you've added your report to? - it includes a discussion of possible causes.   Recently, the Emby landing page has been modified in beta, which it is hoped will stop this happening; since the specific cause is not actually known (that's to say, Google doesn't give any real detail), it is not absolutely certain this is the final answer, but there have been no reports of the issue happening to people running the beta since the change was made (as far as I know).  I presume this has not been back-ported to the stable version yet because it is still considered to be under evaluation.

Paul


Just reporting in that after using the beta for close to a month now, my site hasn't been flagged.

I previously tried modifying the docker image's metadata each time, but still got flagged. My guess is that the metadata was too simple like "Personal Server" and probably other users had the same name.

  • Thanks 1

BigToach

My domain just got flagged with this too. emby.domain.com proxied via Traefik and DNS/SSL through cloudflare.

The error is:

Quote

These pages attempt to trick users into doing something dangerous, such as installing unwanted software or revealing personal information. Learn more

I'll try removing the meta tags and see how it goes.


rbjtech

I think this is another case of a 'fix' being held too long in Beta - and zero formal communication.

This is not a highly complex functionality change, it is simply the headers being changed/removed - so personally, I think this should have been released as a preventative security related Patch on the Stable release simply to avoid the impact of potentially damaging the reputation of emby should mis-information get into the main social media channels ...

 

 

Edited by rbjtech
  • Agree 2

We're looking at putting together a new stable maintenance release with this update. Thanks guys.

  • Like 3

darkassassin07
2 minutes ago, trinected said:

Spoiler: the update does not help. Unmarked, one day later marked again. 😞 

The most recent update was purely a security update in regards to the massive security breach that's been the hot topic all week.

 

Wait for v4.8


KMBanana
3 minutes ago, darkassassin07 said:

The most recent update was purely a security update in regards to the massive security breach that's been the hot topic all week.

 

Wait for v4.8

4.7.12 stable also contained the changes that Emby devs hoped would prevent this.  
https://github.com/MediaBrowser/Emby.Releases/releases

"Adjust web app html tags to avoid false detection from Chrome as impersonating the Emby domain"


darkassassin07

-redacted- I can't read....

Edited by darkassassin07