Since yesterday, one of our Matomo installations (Version 4.12.3, no special plugins) was marked as unsafe by Google’s transparency report. The reason given reads:
This site is unsafe
The site stats.example.net contains harmful content, including pages that:
Try to trick visitors into sharing personal info or downloading software
Yeah well, I do not agree that we “trick” visitors into something, but to collect “personal info” is, to a certain degree, the intention behind running Matomo, obviously.
I added the installation to the Google Search Console now because I thought that there will be detailed information available there. Unfortunately, the same generic message is shown. At this time, I just requested a review and wrote them in the comment that we’re not aware of any wrongdoing.
I run some dozens more Matomo installation where I did not run into this problem so far. Has anyone else encountered such issues, or can someone shed more light on the inner workings of Google’s safe browsing technology, so we can assess countermeasures?
Maybe it’s so obvious that you didn’t mention it, but have you examined the webspace thoroughly? Malware infections do happen, and they might not always be in obvious ways. You might have some unwanted “guests” on your webspace. The infection doesn’t have to originate within your Matomo install, once a threat actor gets access to your webspace, they will usually spread anywhere they can, regardless.
Is there anything else that is hosted at “stats.example.net”? Is this a shared server? Do you manage it directly? Is it host on shared hosting? Can you check on the HTTP logs if there is unknown (and suspicious) hits other that the ones of Matomo?
I failed to mention that, but yes, I checked everything carefully, and I’m pretty certain that nothing malicious is going on.
No, the hostname is used solely for this Matomo instance. It is a shared server with a handful of other Matomo installations. I do manage the complete system, which uses the same stack as thousands of other PHP websites we host. The respective shared instances are tied down pretty close, and we monitor everything carefully, so I doubt that there could be some interference.
I also checked the logs again and did not find anything suspicious. As of know, it still looks to me as if the unsafe rating were given solely on the grounds of us using Matomo.
After submitting a reconsideration request to Google, the listing was removed manually. We did not receive any feedback, so we think the site was marked accidentally.
Same here. A day after the matomo installation was setup (so I am pretty sure we did not get hacked within that timeframe) on it’s own subdomain matomo.[ourdomain].com, the whole toplevel domain was blocked. We reported all sites and other domains like staging.[ourdomain].com or cms.[ourdomain].com stopped showing the red screen with the warning “deceptive site ahead”.
Still Firefox, who is using googles list of malicious pages, blocks any login requests. The network tab says “Phishing”. One can disable this feature in the settings, but still this is very annoying.
Even matomo.[ourdomain].com is clear and green. Only matomo.[ourdomain].com/index.php is still listed.
This site is unsafe
The site matomo.[ourdomain].com/index.php contains harmful content, including pages that:
Try to trick visitors into sharing personal info or downloading software
When checking the toplevel domain directly the report says:
Some pages on this site are unsafe
Search console gives a generic message as well and we don’t know what we could do aside from uninstalling matomo completely.
This can’t be that google is kind of sabotaging its competition…!
If anybody has further ideas, they would be very welcome!
Just had this same thing.
New server. It had only been tracking visits for 30mins, then went red.
Removed tracking code, and the tracked sites were fine, but the site hoisting Matomo still red. Have submitted report.
Out of interest, was anyone else running the Google analytics import plugin at the time?
I noticed on the report in search console. It listed the root domain, but also matomo/index.php?module=GoogleAnalyticsImporter&action=processAuthCode.
From reading around, lots of people have had similar issue running apps with login pages.
Has anyone tried putting the whole install behind a firewall, restricting access to all but your own ip, but allowing the api through?