Deceptive Site Ahead

[GodBleak]

Describe The Bug
A domain hosting Jellyfin is flagged by Google as a "Deceptive Site".

Steps To Reproduce
Unknown

System (please complete the following information):

• Browser: Firefox, Chrome
• Jellyfin Version: 10.8.5 (linuxserver/jellyfin:10.8.5-1-ls180)

Additional Context
Google claims that https://example.tld/web/index.html

attempts to trick users into doing something dangerous, such as installing unwanted software or revealing personal information.

I've appealed to Google twice now, but the domain continues to be flagged.
This issue has been further documented on a few reddit posts:

• Deceptive Site Ahead
• "Deceptive site ahead" warning on my self hosted jellyfin web app

[thornbill]

Does entering your url here provide any information about what they believe is an issue? https://transparencyreport.google.com/safe-browsing/search

We really have nothing to go off of for this currently.

[GodBleak]

Unfortunately, this is all it says

Current status warning
This site is unsafe

The site https://example.tld/web/index.html contains harmful content, including pages that:

• Try to trick visitors into sharing personal info or downloading software

I'm unsure how I'd get more info. I'm open to sharing the domain with a maintainer privately, if it helps.

[thornbill]

Are you using any third party css?

[lednerg]

The same thing just happened to me tonight. My server's been using the same IP (from Comcast) for at least a couple years now. I'm currently on version 10.8.1 and am not using any third party CSS. I have the following plugins installed: (PNG of plugins page).

EDIT: This is blocking the Android app from working as well. So while web browsers can bypass the warning, and I can still access it on the local network, my server is completely inaccessible on remote Android devices.

[GodBleak]

Sorry @thornbill, was only just notified of updates on the thread, no I'm not using any third-party CSS

[mcshaman]

Same issue here!

[viletuna]

I'm also having the same issue. Twice now with two different servers. Both were using duck DNS and caddyv2. Requesting Google to remove the flag worked temporarily before being flagged again

[GodBleak]

I've done a bit of digging. It seems the YunoHost community is also experiencing this. With further digging I found a few things that leads me to suspect our domains are being flagged for "Insufficiently labeled third-party services".

1. While not directly related to Safe Browsing (and thus this error), I found this notice from NameCheap:

   Please be informed that the xxxxxx domain name was reported as involved in abusive activity by a trusted organization. During the investigation, it was noticed that your website content is a copy of the Bitwarden official website. On that ground, we were forced to suspend the domain name due to phishing activities, which include unauthorized use of the legitimate organization denomination and attempts to acquire sensitive information such as usernames, passwords, etc

   And they follow that up with:

   you will need to provide us with paperwork proving your cooperation with the Bitwarden website and their consent to use their official denomination in your domain name.

   This indicates that NameCheap is actively identifying and responding to IP (intellectual property) violations used for phishing. Since Bitwarden is another self-hostable, open-source project, it's highly unlikely that this action was prompted by the Bitwarden team themselves. This suggests that NameCheap is independently detecting supposed IP violations and issuing notices accordingly. This behavior appears similar to what we're experiencing with Google, hinting at a broader industry trend.

2. This comment regarding the Deceptive Site warning also seems to indicate that this is more of a branding/IP problem, rather than just an issue with the source code.

3. And this comment on StackOverflow where someone supposedly received the warning on a site imitating Netflix, also believes that the issue is a result of the imitation.

4. Eventually, I found this article by Google on social engineering where they show deceptive content examples

   This one caught my eye.
   

   Its layout is similar to the JellyFin login page, right? A page at the root path of a domain (true for both the OP of the YunoHost thread and myself) using a trusted third-party's logo in an authoritative position, with the page's sole purpose clearly being to collect credentials. YunoHost shares this layout as well. Additionally, both apps use the product name in the page title, along with the product's logo as the favicon.

I surmise that the combination of the following elements

• the page title being "JellyFin"
• the page favicon using the JellyFin logo
• the authoritative location of the JellyFin logo
• the page's sole purpose being to collect credentials, and
• the service being hosted at the root path of the FQDN

leads to Google thinking we're trying to impersonate JellyFin.

[mcshaman]

Interesting hypothesis @GodBleak. Do you know if it is possible to override all these on the landing page?

[thornbill]

I suspect the meta tags here may be to blame, but someone would have to test that to verify since Google is providing no usable information.

https://github.com/jellyfin/jellyfin-web/blob/master/src/index.html#L15-L19

[NeonWizard]

I disputed the "deceptive site warning" through the Google search console about a week ago, and the error has yet to come back.

[VTStation]

I disputed the "deceptive site warning" through the Google search console about a week ago, and the error has yet to come back.

I'v had this issue since mid of sept , lodge a review to google via search console ,they would lift the block and then aweek later it will be blocked again. I'v been blocked 4 times , rebuilt the server the first time after finding no issues , they still blocked it and i have continued to send them the same review response " please stop blocking this private site " they have lifted the block every time.. Iv stopped sending reviews to google 'i gave up .. using jellyfin in kodi app is my work around .

[lednerg]

I suspect the meta tags here may be to blame, but someone would have to test that to verify since Google is providing no usable information.

https://github.com/jellyfin/jellyfin-web/blob/master/src/index.html#L15-L19

Twelve days ago I changed all five of those meta tags in my jellyfin-web\index.html file so that they're all unique to my server and I have yet to be blocked by Google again. I've logged in and out remotely several times since then using Google devices/programs. I'm not saying I'm sure this is definitely a fix, I'm just sharing my experience. BTW, editing that file was a pain since it's all on one line.

[VTStation]

I suspect the meta tags here may be to blame, but someone would have to test that to verify since Google is providing no usable information.
https://github.com/jellyfin/jellyfin-web/blob/master/src/index.html#L15-L19

Twelve days ago I changed all five of those meta tags in my jellyfin-web\index.html file so that they're all unique to my server and I have yet to be blocked by Google again. I've logged in and out remotely several times since then using Google devices/programs. I'm not saying I'm sure this is definitely a fix, I'm just sharing my experience. BTW, editing that file was a pain since it's all on line.

I also have qbittorrent web server running and that is blocked by google its not limited to jellyfin, Alot of people are running

I suspect the meta tags here may be to blame, but someone would have to test that to verify since Google is providing no usable information.
https://github.com/jellyfin/jellyfin-web/blob/master/src/index.html#L15-L19

Twelve days ago I changed all five of those meta tags in my jellyfin-web\index.html file so that they're all unique to my server and I have yet to be blocked by Google again. I've logged in and out remotely several times since then using Google devices/programs. I'm not saying I'm sure this is definitely a fix, I'm just sharing my experience. BTW, editing that file was a pain since it's all on one line.

Are you able to compare from previous versions of the jellyfin server ? if this tag had changed after the update causing google block? as iv been running jellyfin for a few years with no issues up until now
.

[lednerg]

Are you able to compare from previous versions of the jellyfin server ? if this tag had changed after the update causing google block? as iv been running jellyfin for a few years with no issues up until now

I found some older versions of the index.html file going back to last November and those meta tags haven't changed. If the tags are what the issue is, then this is something new that Google has started doing all of the sudden. I'm just a layman but I looked into what those "og" (Open Graph) tags are about and it appears that people have done phishing scams using false og tags as a way to trick people into thinking they're logging into their bank or whatever.

If this is actually what the problem is - and we don't know yet - then that would mean Google sees that your Jellyfin server has an "og:url" tag pointing to "https://jellyfin.org" - but that isn't your server's URL, so Google may be assuming you're trying to spoof people. Again, we don't know if that's what's going on. FWIW, I changed my "og:url" to my server's IP address, and changed "og:title", "og:name", and "og:description" to "lednerg's Jellyfin Server".

[VTStation]

Are you able to compare from previous versions of the jellyfin server ? if this tag had changed after the update causing google block? as iv been running jellyfin for a few years with no issues up until now

I found some older versions of the index.html file going back to last November and those meta tags haven't changed. If the tags are what the issue is, then this is something new that Google has started doing all of the sudden. I'm just a layman but I looked into what those "og" (Open Graph) tags are about and it appears that people have done phishing scams using false og tags as a way to trick people into thinking they're logging into their bank or whatever.

If this is actually what the problem is - and we don't know yet - then that would mean Google sees that your Jellyfin server has an "og:url" tag pointing to "https://jellyfin.org" - but that isn't your server's URL, so Google may be assuming you're trying to spoof people. Again, we don't know if that's what's going on. FWIW, I changed my "og:url" to my server's IP address, and changed "og:title", "og:name", and "og:description" to "lednerg's Jellyfin Server".

I changed those og tags and guess what ", google blocked the site :/ . Is it because google detected change ?.. I'll send a review to get it unblocked with this current change , see how long it remains unblocked .

[lednerg]

It could be that you didn't change them soon enough, but like I said, we don't actually know what the problem is.

After my server was blocked by Google, I turned it off, got my IP unblocked, and temporarily switched to using an Apache server. I only turned Jellyfin back on after changing those meta tags. That was 16 days ago and my server hasn't been blocked since. I've been accessing the server from outside of my local network practically every day, in ways which would be going through Google Security, such as through Chrome browsers and Android devices. Unfortunately, I can't revert the tags back just to test if it'll block me again because I'm using this IP and Jellyfin for work; I use it to serve videos I make for my clients.

[optroodt]

I'm facing the same issue, requested to be reviewed once after which the warnings disappeared, only to return a few days later.
I went through the verification process on https://search.google.com/search-console, and then this caught my eye:

Could it be because of the service workers that Jellyfin uses? Maybe in combination with the og:url tag and asking for login details?

[VTStation]

this is what is on mine.

[Hukuma1]

Battled with this earlier. Took down my whole domain. Luckily disputing it seemed to have corrected it. Not happy to read it can still happen after, and multiple times no less...

[lednerg]

After three weeks or so with it being fine, Google has flagged my server again. I have no idea what to do, but I obviously can't use Jellyfin anymore. Just wrote a detailed saga to Google about it, but who knows if that'll even reach a conscious human.

[VTStation]

After three weeks or so with it being fine, Google has flagged my server again. I have no idea what to do, but I obviously can't use Jellyfin anymore. Just wrote a detailed saga to Google about it, but who knows if that'll even reach a conscious human.

Same here just got blocked that didn't last long, so the tag mod did not do anything :/

[VTStation]

Google still flagging site, but strangely Android apps are working ... Anyone else experiencing this to ? .. maybe google has made an exception ?

[optroodt]

FYI Without doing anything to Jellyfin, Safari no longer displays the warning for my domain, but Chrome still does.

Edited: after a week or so, it's back again in Safari too. The iOS clients worked while Safari did not show the warning, now they've stopped working.

[mike948]

I got the same warning a month ago. Afterwards I added the domain to Google Search Console and filed a review. Within a couple days they removed the warning. I just got a new email from Google Search Console saying "Social engineering content detected on <mydomain.tld>" and the warning is back. It says the deceptive page is https://mydomain.tld/web/index.html

Details about my setup: Running Jellyfin in Docker with Nginx Proxy Manager and cloudflare-ddns. Additionally have the Cloudflare DNS proxy status enabled and Cloudflare's Web Application Firewall setup to block all access outside the USA.

[VTStation]

I got the same warning a month ago. Afterwards I added the domain to Google Search Console and filed a review. Within a couple days they removed the warning. I just got a new email from Google Search Console saying "Social engineering content detected on <mydomain.tld>" and the warning is back. It says the deceptive page is https://mydomain.tld/web/index.html

Details about my setup: Running Jellyfin in Docker with Nginx Proxy Manager and cloudflare-ddns. Additionally have the Cloudflare DNS proxy status enabled and Cloudflare's Web Application Firewall setup to block all access outside the USA.

There is no fix ,. Google never ending flag , lately apps on tv and app still works which is all that matters..

[metasmash]

hey, after less than 2 months, i have been flagged again by Google Safe browser. even if I chnaged the logo, disclaimer etc. My URL is TV.domain.fr I saw that I put in the disclaimer that the website was not affiliated to jelyfin, i suppress the jellyfin mention, just in case.

I would like to know about the meta tags in the index file: I'm running watchtowerr to update my containers, and jellyfin is updated automatically. If iI change the tags in the index.html, will them still be changed when jellyfin is upgraded or not ?

regards

I think it depends on the way you're updating them. If you have manually updated your jellyfin index.html, then it restores your jellyfin index.html based on the latest version. If you're using a script on your docker compose file to replace some fields according to regex rules, then you'll keep an index.html file updated according to the specified rules.

Also, it's been 3 weeks I have published my new docker image with all meta tags changed, and my websites are still deceptive ahead.

[Echupk]

oh shit.
and I have a friend using it on a synology, (me on OMV), redirect with NPM like me.
He has never been flagged, but me yes...
and he never changed is index.html.
jist the logo and the banner at the beginnig and that's all

[metasmash]

Mh... At some point, I am wondering if the dns provider has something to do with this... Maybe can I ask you guys what dns provider are you using? I am under OVH currently. Maybe they have an automated report system or whatever flagging your websites due to policy or security issues?

[Echupk]

i was at duckdns first, an was flagged a lot, but then I learned that bots server use duckdns a lot and sometime domain where flags by mistake.
I changed recentrly to gandi.net (the same as my friend) but sill got flagged :/

[fange26]

It's Google Scrapin the Web. I read in forums that if the homepage is a login page then it will throw up a deceptive site flag. But as I stated earlier in the thread. I had google exempt my site. But the exemptions are only good for 2 months. Then after you have to do the form again. So far I haven't had any issues since my original post. <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> Virus-free.www.avast.com <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

…

On Tue, Aug 29, 2023 at 5:02 PM OUALI Yannick ***@***.***> wrote: Mh... At some point, I am wondering if the dns provider has something to do with this... Maybe can I ask you guys what dns provider are you using? I am under OVH currently. Maybe they have an automated report system or whatever flagging your websites due to policy or security issues? — Reply to this email directly, view it on GitHub <#4076 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AH5LOWPLSAYJHBM3GQIWDXDXXW44TANCNFSM6AAAAAARJ7HJOM> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[tcamargo]

My local/private jellyfin instance was flagged. After a couple of days, warning went away without any action from my side. Now, big red screen is back. I don't remember when it was flagged for the first time. More than 2 months ago for sure.

[zaffron]

having the same issue. Got flagged within hours

[tcamargo]

My local/private jellyfin instance was flagged. After a couple of days, warning went away without any action from my side. Now, big red screen is back. I don't remember when it was flagged for the first time. More than 2 months ago for sure.

And it was unflagged a couple of hours later (<24h)...

[PeeBeerBeach]

It is still working for me 2 month later. Check my previous posts to see what i did to solve it.

[yaoweiprc]

Same to me, I'm from China

[Raul824]

I started getting this same error.
Have been running below configuration from 2 years without any issues, but suddenly today got this error.

Jellyfin running on docker.
Free domain from duckdns
nginx setup with subdomain jellyfin.

I am able to proceed to the website using visit this site in details but the jellyfin android mobile keeps on crashing as soon as I put host name. Even after clearing cache and storage each time I put the public url it crashes but works on local ip.
Jellyfin android tv and findroid are working fine with public url.

[guhcampos]

I started getting this.

I have the feeling it has something to do with public DNS records pointing to private IP addresses. If you think about it, it's a very effective practice for a scammer as a man-in-the-middle attack: just drop a rogue service in someone's private network and use a lookalike public DNS to fool people into it. Since you're not hosting the page publicly, you can't be taken down by a hosting provider, then just make that service ship data to a lambda somewhere and profit from it. Might also be useful for controlling botnets, as they can use DNS for service discovery, a little bit like ASUS does with asusrouter.com.

Still, it's extremely frustrating that we can't have a way to "trust" this domain, whatever it is. It feels like Google taking our choice from us once again, and it makes me want to move off from Chrome.

[Eiziv]

Does anyone have a good workaround for this? Its really starting to annoy me

[guhcampos]

Well, there is one... Using another browser instead of Chrome.

…

On Sun, 15 Oct 2023 at 08:48 Eiziv ***@***.***> wrote: Does anyone have a good workaround for this? Its really starting to annoy me — Reply to this email directly, view it on GitHub <#4076 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAZXCWHWGJVLDF7RAXDC3ITX7PESPAVCNFSM6AAAAAARJ7HJOOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONRTGM3DKMBSGE> . You are receiving this because you commented.Message ID: ***@***.***>

[PeeBeerBeach]

Just read my comments. It works after what I have done

[martinbaines]

For me removing "jellyfin" from the path that redirects though the reverse proxy did it.
So the url of the form
mysubdomain.maindomain.com/jellyfin
Cause the deceptive site message
but
mysubdomain.maindomain.com/nomentionofsquashyfish
goes through just fine.

[KaXaSA]

My URL never had 'jellyfin' in the subdomain/path and still got flagged by google, maybe it's still better to not have it in the URL, but there is more to it. I'd argue that if the URL is an issue then, in my case, the DDNS provider (domain) would probably have a bigger impact, because if there are people using it for scams, then it wouldn't surprise me if google flagged everyone on the same domain.

...
I added the 'Login Disclaimer' message (Dashboard > General > Branding)

This webpage (URL_HERE) is not affiliated with anyone, etc.

(or something similar)

Then I made some changes to index page, replaced any mention of 'jellyfin', removed the background-image from .splashLogo (jellyfin logo that shows up before page loads), also made some design changes, colors, sizes, etc. to make it more unique (not sure if it matters at all).

I also updated my caddyfile with the header stuff mentioned in this issue by the other users.
(got an A+ grade on Security Headers)
Maybe it would be a good idea to update the Jellyfin Caddy page ?
...

After doing all that I had no issues for the past ~2 months, now I checked the site status (google) and I see this:

Some pages on this site are unsafe
The site [redacted] contains harmful content, including pages that:

Try to trick visitors into sharing personal info or downloading software

Unsafe content might only appear on some pages of a website. Check the URL of the specific directory or webpage you want to visit for more detailed safety info.

Hey, at least it's not the 'deceptive' message again 🤡

On my index page I still see the Jellyfin favicon and the 'Jellyfin' in the tab/page title, so I will try to remove/change both to see if it makes any difference.

Btw, changing only the <title>Jellyfin</title> in the index page doesn't really change the page title, you have to:

1. index.html - replace: <title>Jellyfin</title>
2. jellyfin-web\main.jellyfin.bundle.js - replace: document.title="Jellyfin" and probably document.title=e||"Jellyfin"

Then, if that's not enough and google block it again with the 'deceptive' message, I guess I will just ignore it and tell people to not use chrome 🤷‍♂️

---

Edit (11/Dec/2023):

Now in the site status (google) I see:

Current status
No available data

No other changes were made, aside from those replaces in the main.jellyfin.bundle.js, mentioned above.

---

Edit (25/Feb/2024):

Chrome blocking the site again.
So far the only thing that works, at least temporarily, is to add your page to google's search console and ask for a review.

Super annoying.

[Allexio]

Can confirm I changed the url from jellyfin.example.com to jelly.example.com and it didn't get blocked anymore.
Also FYI other chromium-based browsers (such as Brave) work fine.

[dana23746]

Can confirm I changed the url from jellyfin.example.com to jelly.example.com and it didn't get blocked anymore. Also FYI other chromium-based browsers (such as Brave) work fine.

same here.

[DX37]

Got blocked today. Again...

[coharness]

I recently updated the value of Server name in the admin dashboard to something besides just "Jellyfin" and haven't had the error since.

[metasmash]

Looks like my meta tags are successfully changed! It had been changed again when running javascript, but google crawlers shouldn't care about it since it doesn't execute javascript.

Here is what I've done:

modify-meta.sh

#!/bin/bash

# Generate a random string of 32 characters
RANDOM_STRING=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)

# Replace meta tag content with the random string in index.html
sed -i 's/\(<meta name="[^"]*"\s*content="\)[^"]*"/\1'"$RANDOM_STRING"'"/g; s/\(<meta property="[^"]*"\s*content="\)[^"]*"/\1'"$RANDOM_STRING"'"/g' /jellyfin/jellyfin-web/index.html

chmod +x modify_meta.sh

Dockerfile

# Use jellyfin/jellyfin:latest as base
FROM jellyfin/jellyfin:latest

# Copy our script to the container
COPY modify_meta.sh /modify_meta.sh

# Make the script executable
RUN chmod +x /modify_meta.sh

# Modify the entry point to execute our script before the main command
ENTRYPOINT ["/bin/bash", "-c", "/modify_meta.sh && exec /jellyfin/jellyfin"]

docker build -t jellyfin-meta-replace .

docker-compose.yml

version: "3.9"

services:

  jellyfin:
    image: jellyfin-meta-replace
    container_name: jellyfin
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ
    volumes:
      - ./library:/config
      - ${MNT}/transcodes:/config/transcodes
      - ${MNT}/tv:/data/tvshows
      - ${MNT}/movies:/data/movies
      - ${MNT}/cache:/cache
    ports:
      - 8096:8096
    restart: unless-stopped
    labels:
     # Traefik conf
     
     #... other services

Result:

  <!-- HTML Meta Tags -->
  <title>86ssOc4eTLrkvrt8olokUgXNqp2MH2sR</title>
  <meta name="description" content="86ssOc4eTLrkvrt8olokUgXNqp2MH2sR">

  <!-- Facebook Meta Tags -->
  <meta property="og:url" content="SECRET">
  <meta property="og:type" content="website">
  <meta property="og:title" content="86ssOc4eTLrkvrt8olokUgXNqp2MH2sR">
  <meta property="og:description" content="86ssOc4eTLrkvrt8olokUgXNqp2MH2sR">
  <meta property="og:image" content="">

  <!-- Twitter Meta Tags -->
  <meta name="twitter:card" content="summary_large_image">
  <meta property="twitter:domain" content="SECRET">
  <meta property="twitter:url" content="SECRET">
  <meta name="twitter:title" content="86ssOc4eTLrkvrt8olokUgXNqp2MH2sR">
  <meta name="twitter:description" content="86ssOc4eTLrkvrt8olokUgXNqp2MH2sR">
  <meta name="twitter:image" content="">

  <!-- Meta Tags Generated via https://www.opengraph.xyz -->
        

If I get it well, this should correctly change all meta content of the website. I don't know if it is sufficient. Let's see how it goes!

The warning is now gone! Idk if this answer is related yet

[Echupk]

Since my last flag in august, I change the server name in the admin dashboard.
i change the warning on the login page (by the admin dashboard too)
and then i change the logo too, with a personnalized CSS
Since then, i never been flagged again.

Personalized CCS used:
Replace the "link_to_your_logo" to a http/https path of an image

@import url(https://cdn.jsdelivr.net/gh/prayag17/JellyFlix@latest/default.css);
/* Login Page Logo*/

.imgLogoIcon {

content: url(link_to_your_logo) !important; }

/* Main Drawer Mobile Logo*/

.adminDrawerLogo img {

content: url(link_to_your_logo) !important; }

/* Home Page Logo*/

.pageTitleWithLogo {

background-image: url(link_to_your_logo) !important; }

[SethMacKayChandler]

I had this same issue, but was able to resolve it thanks to advice in this thread. To work around this issue I changed the base URL in Jellyfin's networking settings from the default 'jellyfin' to 'stream'. I also changed my reverse proxy (ngnix subfolder) location name to match.

[gsemet]

I confirm that just putting a base url works, i set to /player, it makes the warning from chrome disappear.

[jellyfin-bot]

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.

If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or master branch, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.

This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.