Potentially Suspicious code. Google marked site as phishing

Arturitu12 · March 1, 2023, 4:40pm

Describe the issue/error/question

Hello today’s morning my root domain and all of the subdomains was taken off google and marked as deceptive and dangerous because of phishing danger. One of the very few changes I made recently was updating n8n self-hosted (docker). I already rejected other possibilities. Only clue is that one of free scanners I use detected “Potentially Suspicious files” on my n8n site. This is my very only clue at this moment. Can somebody tell is this normal? I’ll keep searching but i just want to be sure. Details below.

Part of code marked as “Potentially Suspicious”:

[[owAe(Oe);returnr.facade=t,ve(t,Se,r),r},ne=function(t){returnge(t,Se)?t[Se]:{}},oe=function(t){returnge(t,Se)}}varRe={set:ee,get:ne,has:oe,enforce:function(t){returnoe(t)?ne(t):ee(t,{})},getterFor:function(t){returnfunction(r){vare;if(!he(r)||(e=ne(r)).type!==t)throwAe("Incompatiblereceiver,"+t+"required");returne}}},Ie=O,_e=o,je=B,Pe=Ft,xe=i,Ce=Zr.CONFIGURABLE,Me=ie,Le=Re.enforce,De=Re.get,Ne=String,ke=Object.defineProperty,Fe=Ie("".slice),Ue=Ie("".replace),We=Ie([].join),Be=xe%26%26!_e((function(){return8!==k]]

What is the error message (if any)?

not applicable

Please share the workflow

not applicable

Share the output returned by the last node

not applicable

Information on your n8n setup

n8n version: 0.217.2
Database you’re using (default: SQLite):MariaDB
**Running n8n with the execution process [own(default), main]: default **
Running n8n via [Docker, npm, n8n.cloud, desktop app]: Docker

Jon · March 1, 2023, 5:24pm

Hey @Arturitu12,

Welcome to the community

That is a bit unusual but shouldn’t be too much of an issue, While that file exists on my n8n install my site has not been removed

It does look like the scan is saying ‘Potentially Suspicious’ as well, I have have a few of those Google issues in the past, Does your main site use Wordpress at all?

matthiasallred · March 6, 2023, 9:38pm

I am having the same issue.

In Search Console, I have a security issue stating “These pages attempt to trick users into doing something dangerous, such as installing unwanted software or revealing personal information.”

Sample URLs:

https://n8n.belmontdigitalmarketing.com/
https://n8n.belmontdigitalmarketing.com/signin?redirect=/

I recently updated to 0.218.0. I have also recently added YouTube OAth2 API credentials. Not sure what’s causing the issue.

I did Request a Review in Search Console. I’ll post the results.

Jon · March 7, 2023, 8:31am

Hey @matthiasallred,

Thanks for this I have raised it internally to see if anyone has any thoughts.

matthiasallred · March 7, 2023, 2:43pm

As of this morning (less than 24 hours from submitting my request in Search Console), I no longer have any issues and the Security Warning in Search Console is gone.

mvandyk · March 17, 2023, 7:20am

I am experiencing the same today I am on version 217.2

Have posted a review to Google search as well.

Jon · March 17, 2023, 7:20am

Thanks for the report I have let the team internally know.

luizeof · March 22, 2023, 7:22pm

@Jon same here:

0101binary0101 · March 23, 2023, 4:00pm

I had this a couple of days ago on my n8n instances but also some other non n8n instances, It cleared after a day.

Jon · March 24, 2023, 3:58am

@luizeof you will need to report the site as safe, we are looking into what we can do though.

Maksim_Golivkin · March 24, 2023, 4:13am

Our site with n8n subdomain was flagged as deceptive as well.

minijohn · March 26, 2023, 4:23pm

Happened to us as well a few days ago, verifying the domain in search console and through the “error notification” request a review with a note did the trick

asuhan · March 27, 2023, 10:14am

Good afternoon. I have Cloudron installed on my VPS and two applications under it - n8n and NocoDB. The page with n8n constantly shows the message Beware of the fake site!
Visiting n8ncloudron.***.ru may result in malware installation or theft of personal information (e.g. passwords, phone numbers and bank card data). With NocoDB there are no such problems. Several times I’ve confirmed via Google form that the site is safe, but no result.

Jon · March 27, 2023, 10:47am

Hey @asuhan,

Sadly you will have to wait for Google to work their magic, Once flagged nothing we change will resolve that so it would need to wait for Google to allow it again.

asuhan · March 27, 2023, 11:44am

Thank you, Jon. It’s not a great idea that one private corporation decides what’s good and what’s not.

PvUtrix · April 3, 2023, 10:23am

I’m seeing this as well, when trying to view executions.
Please take measures to fix this, I’m running the latest version Version 0.221.2

Jon · April 3, 2023, 10:33am

Hey @PvUtrix,

We have put some changes in 0.222.0 which should help but we will need to wait a bit to see if they have worked as the flagging by Google might not be instant. We should know in a month or so if everything is better.

Sadly at the moment 0.222.0 is not available but 0.222.1 should be available later today, Even with the release though the site will still need to be manually marked as safe.

hugool · April 3, 2023, 4:40pm

Hey @matthiasallred, what did you sad to Google in your Review text? Do you have any text example?

nduchon · April 5, 2023, 12:12pm

Same thing here on version 0.212.1

Our n8n instance got falsely flagged a first time a few weeks ago on 16/03/23, we request a review that unblocked it. It got flagged a second time on 04/03/23 and this time Google brought the entire domain down. We did a complete shutdown of the n8n instance and removed the subdomain in hope of speeding up Google’s fix.

MutedJam · April 6, 2023, 3:41pm

Hi all, we’ve made some changes which means that key parts of n8n won’t load until you’re logged in. We hope this prevents Google from thinking your n8n instances are behaving suspicious in any way.

Could you make sure you update to [email protected] as soon as you get the chance? You would still need to ask Google for the review though in order to get rid of the warning.