
It's so sad that such amazing features are often abused more than they are actually used. It's always a cat and mouse game with the browser vendors and ad makers.

Like web push notifications and popups are two really useful features but the amount of abuse they have had to endure is amazing. Every shitty site from newspapers to Reddit to Facebook must show a dark screen and ask me to subscribe to web notifications before I can see anything.

Then there are hidden APIs for which no permission is needed, like trapping of the back button (where a site gains access to my browser's back button and won't let you go back) and page close button (where it shows a popup asking you to confirm you want to leave).


Push notifications in Safari just suck because the discoverability method is a dialogue box that interrupts and blocks all other user actions.

The browser should never let a website interrupt unless allowed by the user. Place a bell icon in the address bar and make it translucently balloon up when triggered for visibility.

Side note: Browser interface should stay outside the untrusted zone of web content. Whenever it can't, interface could have an unobtrusive unimitable background pattern extending from the trusted zone into the untrusted zone. The user should always know what is browser or website.


Blocking notifications by default made my browsing experience so much better. The amount of "allow notifications" bullshit on the Web is insane.


You must be visiting some shady sites.


The trend of asking for notifications is not just limited to "shady" sites, however you define that.


Well, in the case of news, they need to make money. If they can’t show you ads, you are of zero value to them, only adding to costs (and I hate the practice just as much)

What I want since forever is a tipjar that works well. I put a bit of credit into my tipjar. I read an article and at the halfway point it allows me to tip an amount. Should be anonymous if I want and a one or two clicks affair.


Yeah this is asking for trouble. We only had a small demo on our homepage where users could upload media files and they were deleted after 24 hours and still some people managed to abuse it and nearly got our site killed, domain blacklisted in Google with a big red screen of death.

I don't want to spam any links here but if you are interested please do look at my last post about the dangers of doing this and lessons I learned from my mistake.

Please do not keep the files for 10 days. Even 24 hours is a deal-breaker. From what I've learned, anything more than 30 minutes can get you into trouble.


I once had a location-based file sharing service that also got blacklisted by Google with no recourse. I hate Google trying to police the internet with no timely appeals process.

I wonder though if you could simply just block the Google crawler and bypass it. Or use a JavaScript to auto-POST something before the file gets sent for download. The Google crawler doesn't issue POST requests as far as I know.


By "police", do you mean "warn people about dangers"?


More like taking suspects into custody.


and without responding to questions or providing evidence


There wasn't any danger. Nothing more than Google Drive or Dropbox. And they didn't have any way to contact them and explain. Way to heavy-handedly shut down a potential business idea.


Drive and Dropbox are at least moderated.


I'm surprised to hear that because their response in dealing with actual child porn is absolutely atrocious. A sick and sad story:

Couple years ago got a DM from an ex-colleague and security researcher who discovered child porn that was publicly accessible. He contacted Dropbox several times over the course of 3 weeks. Weeks later the links were still up. I reached out to somebody I knew at Dropbox who said they were reluctant to do me this favor and deal with that matter and would prefer if I continue contacting their security. I continued trying on LinkedIn and contacted several people in Germany and the UK. No response other than "thank you for your email". The head of security in Germany even blocked me for saying "there is child porn on the site please help me get hold of somebody in charge". Getting really fed up by then, I contacted sales from my company email (a Fortune 500 company) and asked them to give me a quote for what looked to them like a multi million $ client. Within 2 hours I got a call from the VP of sales to talk about my "storage needs". I told them about the child porn and that they are helping to actively distribute it now since several weeks. One of the videos was a girl not older than 7 getting raped and tortured. It took another 3 days to take down the material.


Why didn't you contact the police first?


Yeah honestly if I saw something like that I would have saved an offline copy on a USB stick and handed it to police for investigation. The problem that it even happens is much greater than the problem of online distribution, and deleting it and pretending it didn't happen isn't a satisfactory response.


> Yeah honestly if I saw something like that I would have saved an offline copy on a USB stick and handed it to police for investigation

Maybe not a great idea. In some places, that puts you in possession, and is enough for prison time, regardless of your motives.


Wow that's a shitty legal system, okay ... I guess we the people have chosen to just let it happen and fear speaking up as witnesses.


Seriously, talk to your lawyer before doing any such thing.

I have done work for lawyers in exactly this scenario. Be very very careful.

You do not want to have to explain the provenance of such a file without having someone to back you up.


> I would have saved an offline copy on a USB stick

Yeah that must be great to walk around with...


Because when you live in a 1st world country as a foreigner it's safer to assume all cops are pigs. I did report it to the FBI though.


I'd be afraid of "how/why did you find in the first place" type of questions.


Source? ...moderated via automation or human?


Automation; the bare minimum would be to scan for known child sexual abuse material hashes - if you're not doing that, then opening up anonymous uploads is very risky, as for CSAM (unlike most other things) you may be personally liable even if it's distributed there without your knowledge. Cloudflare's CSAM scanning tool is one option that may help, there are other options.

You can't rely on the good faith of users, if your service is easily usable for crime, it will be used for it.


"You can't rely on the good faith of users; if your service is easily usable for crime, it will be used for it." - should be on every developer's login screen


And every developer needs to explain this to clients.

I had a client wanting to defer identity validation on a two-sided market system. I had to explain how it would be used for money laundering. It had never occurred to the client.


https://support.google.com/a/answer/172541?hl=en

> Google Drive scans a file for viruses before the file is downloaded or shared. If a virus is detected, users cannot convert the infected file to a Google Doc, Sheet, or Slide, and they'll receive a warning if they attempt these operations.

So at least some degree of automated moderation is going on. Frankly, I'd be astounded if some amount of scanning isn't being done for illegal content and/or phishing stuff.


Can you remedy this problem by making it so that anyone can delete the file? That way anyone can take it down if they have a problem with it? It's supposed to be ephemeral storage anyway... people might not mind having files disappear.


Two problems there:

1. Many people are more likely to go to a lot of effort to complain loudly and widely rather than hit a simple "delete this" link.

2. Such a feature is basically a self-DoS. If someone takes a disliking to the app or a user of it they can script up a "delete everything" and fire it off.


Similar sites like http://ix.io/ have been up for many years with no issues. I assume spam can be a problem, but these sites must have figured something out.


I suspect spam is on the nicer side of things people might upload... :/


Hey guys! Great news.

Looks like Google just removed us from the blacklist. Maybe somebody from Google saw this or maybe I got reviewed quickly but I couldn't be happier.

Here are a few things I did

- Removed all inline images (As mentioned in my other comments a lot of virus sites were tagging me base64 embedded due to inline images)

- Disabled test uploads for now. I will probably make the test file expire after 2 mins and never host them on the same domain

- Moving the external scripts to another domain. You never know what can get you blacklisted so best to keep customer facing part separate from main domain.

I cannot be more thankful to all the people who replied and offered suggestions. You guys rock!

P.S. In case you guys are still seeing the red screen of death, please let me know.


Thanks for checking and helping.

Yes I too believe this could be one of the causes as I've mentioned below in another comment, virustotal site says 'base64-embedded'.

Those are just svg images I've embedded in the html to reduce the number of requests. But I'm not taking chances and making them separate files.


Oh sorry I missed that comment. But yes good idea to remove them. I can't see any embedded SVG however, just 3 base64'd pngs and 2 base64'd jpgs
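
An added example, not part of the thread and not the site's own code: a Python check that inventories the base64 `data:` URIs in a page and compares each declared MIME type with the payload's leading bytes, which is the kind of discrepancy the comment above points out (SVG expected, PNG and JPEG found). The function names and the sample HTML are constructed for illustration.

```python
import base64
import binascii
import re
from collections import Counter

# data:<mime>[;param...];base64,<payload>
DATA_URI = re.compile(
    r"data:([\w.+-]+/[\w.+-]+)(?:;[\w=.+-]+)*;base64,([A-Za-z0-9+/=]+)")

# Leading bytes of the raster formats mentioned in the thread.
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff"}

def sniff(payload: bytes) -> str:
    """Guess the real type from content rather than the declared MIME."""
    for mime, magic in MAGIC.items():
        if payload.startswith(magic):
            return mime
    head = payload[:256].lstrip().lower()
    if head.startswith((b"<svg", b"<?xml")):  # heuristic, not an XML parse
        return "image/svg+xml"
    return "unknown"

def audit_inline_payloads(html: str) -> list:
    """One finding per base64 data: URI, with declared vs. sniffed type."""
    findings = []
    for m in DATA_URI.finditer(html):
        declared = m.group(1).lower()
        try:
            raw = base64.b64decode(m.group(2), validate=True)
            actual = sniff(raw)
        except binascii.Error:
            raw, actual = b"", "undecodable"
        findings.append({"declared": declared, "actual": actual,
                         "size": len(raw), "mismatch": actual != declared})
    return findings

def summarize(findings: list) -> Counter:
    """Count inline payloads by what they actually contain."""
    return Counter(f["actual"] for f in findings)

# Constructed sample page: the last image is declared SVG but is really a PNG.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 8
SVG = b'<svg xmlns="http://www.w3.org/2000/svg"/>'
SAMPLE_HTML = "".join(
    '<img src="data:%s;base64,%s">' % (mime, base64.b64encode(data).decode())
    for mime, data in [("image/png", PNG), ("image/jpeg", JPG),
                       ("image/svg+xml", SVG), ("image/svg+xml", PNG)])
```

Running `audit_inline_payloads` over each served page before release gives a list of what is actually embedded, so inline payloads can be moved to separate files deliberately rather than discovered through a scanner label.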


Yes this is 100% correct and I was thinking the same. The homepage, test storage and external script cannot share the domain. I have already started making these changes.


Yes you are correct they can download it too. After thinking about it for the last 4 hours that is all I can think of that caused the problem. I have nothing which can be called deceptive text on any of my site otherwise.

I will probably delete files after 2 mins instead of 24 hours.

Another option is I ask for credit card details before I let them try the demo. This can get rid of anyone misusing the demo features.


Just as a point, I wouldn’t give you credit card details to try a demo. I don’t think many people would - hard enough to get people to give them for a trial, never mind to try uploading a file.


The upload goes to the customer's AWS account or DigitalOcean Spaces account. We do not host any customer's file.

Also it always opens up a file popup so it can't be used deceptively.

Regarding the name it's short form of 'Uploader window' like Filer Picker. Really can't do much about that.

Thanks for helping in reporting it as incorrect.


This is so strange. Unfortunately I can't find any security issue on the server or any files that caused this.

Here is a screenshot of webmaster tools(1). The pages it lists are html pages and I've checked the source code and there is no script or anything on them.

Also the virustotal site says 'base64-embedded'. Those are just svg images I've embedded in the html to reduce the number of requests. That can't be a trigger right?

(1) https://i.imgur.com/iHYWyG4.png


We don't offer any hosting. The demo on our website is a way for people to actually see how the uploader will look in their own apps. Most companies like ours offer similar demos to their users too.


You don't seem to understand the concept of hosting then... glad the issue was resolved though.

