HackerTrans
トップ新着トレンドコメント過去質問紹介求人

uploaderwin

no profile record

投稿

Thanks HN: Lessons learned after Google nearly killed my site

uploader.win
536 ポイント·投稿者 uploaderwin·5 年前·284 コメント

Help HN: Google just blocked my site as deceptive site

40 ポイント·投稿者 uploaderwin·5 年前·21 コメント

コメント

uploaderwin
·5 年前·議論
It's so sad that such amazing features are often abused more than they are actually used. It's always a cat and mouse game with the browser vendors and ad makers.

Like web push notifications and popups are two really useful features but the amount of abuse they have had to endure is amazing. Every shitty site from newspapers to reddit to facebook must show a dark screen and ask me to subscribe to web notifications before i can see anything.

Then there are hidden APIs for which no permission is needed, like trapping of the back button (where a site gains access to my browser's back button and won't let you go back) and page close button (where it shows a popup asking you to confirm you want to leave).
uploaderwin
·5 年前·議論
Yeah this is asking for trouble. We only had a small demo on our homepage where users could upload media files and they were deleted after 24 hours and still some people managed to abuse it and nearly got our site killed, domain blacklisted in Google with a big red screen of death.

I don't want to spam any links here but if you are interested please do look at my last post about the dangers of doing this and lessons I learned from my mistake.

Please do not keep the files for 10 days. Even 24 hours is a deal-breaker. From what I've learned, anything more than 30 minutes can get you into trouble.
uploaderwin
·5 年前·議論
Hey guys! Great news.

Looks like Google just removed us from the blacklist. Maybe somebody from Google saw this or maybe I got reviewd quickly but I couldn't be happier.

Here are a few things I did

- Removed all inline images (As mentioned in my other comments a lot of virus sites were tagging me base64 embedded due to inline images)

- Disabled test uploads for now. I will probably make the test file expire after 2 mins and never host them on the same domain

- Moving the external scripts to another domain. You never know what can get you blacklisted so best to keep customer facing part separate from main domain.

I cannot be more thankful to all the people who replied and offered suggestions. You guys rock!

P.S. In case you guys still seeing the red screen of death, please let me know.
uploaderwin
·5 年前·議論
Thanks for checking and help.

Yes I too believe this could be one of the cause as I've mentioned below in another comment, virustotal site says 'base64-embedded'.

Those are just svg images I've embedded in the html to reduce the number of requests. But I'm not taking chances and making them seperate files.
uploaderwin
·5 年前·議論
Yes this is 100% correct and I was thinking the same. The homepage, test storage and external script cannot share the domain. I have already started making these changes.
uploaderwin
·5 年前·議論
Yes you are correct they can download it too. After thinking about it for the last 4 hours that is all i can think off caused the problem. I have nothing which can be called deceptive text on any of my site otherwise.

I will probably delete files after 2 mins instead of 24 hours.

Another option is I ask for credit card details before I let them try the demo. This can get rid of letting anyone misusing the demo features.
uploaderwin
·5 年前·議論
The upload goes to the customers AWS account or Digitalocean spaces account. We do not host any cutomer's file.

Also it always opens-up a file popup so it can't be used deceptively.

Regarding the name it's short form of 'Uploader window' like Filer Picker. Really can't do much about that.

Thanks for helping it in reporting it as incorrect.
uploaderwin
·5 年前·議論
This is so strange. Unfortunately I can't find any security issue on the server or any files that caused this.

Here is a screenshot of webmaster tools(1). The pages it lists are html pages and I've checked the source code and there are no script or anything on them.

Also the virustotal site says 'base64-embedded'. Those are just svg images I've embedded in the html to reduce the number of requests. That can't be a trigger right?

(1) https://i.imgur.com/iHYWyG4.png
uploaderwin
·5 年前·議論
We don't offer any hosting. The demo on our website is way for people to actually see how the uploader will look in their own apps. Most companies like ours offer similar demos to their users too.