Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Stephen EasyCrypto on April 10, 2021, 10:32:09 AM

Title: False positive on legitimate site is blocking our customers from logging in
Post by: Stephen EasyCrypto on April 10, 2021, 10:32:09 AM
Our website's login page (easycrypto.ai (https://easycrypto.ai)) is blocked by Avast Web Shield as "URL:Phishing". This is incorrect. This is our website for customers to log in through and is not a phishing site.

We have reported this via the Avast false positive form (https://www.avast.com/false-positive-file-form.php) over 12 hours ago now; however, it is still blocked.

(https://files.obvi.us/stephen/202104/avast-false-positive.png)

VirusTotal reports perfect scores: nothing wrong here!
https://www.virustotal.com/gui/url/bd0aa6784b1eea572dd2252b4b4d48e5037f6fd5586a79904cff2d5ac3f90202/detection

urlscan.io also reports perfect scores: nothing wrong here!
https://urlscan.io/result/846e83da-2cc5-4d11-a316-d1f80f6bad9b/

We have also gone further to confirm that there isn't any MITM or redirection attacks happening against our customers.

Now we have taken to emailing customers a form letter explaining how to disable their use of Avast software and pinpointing Avast as the problem.

Needless to say, this is also a large financial loss for us to have our site unavailable for an entire day. This loss has been entirely caused by your incorrect classification of our login page. I will need a proper RCA for how this site came to be blocked.

Stephen
Title: Re: False positive on legitimate site is blocking our customers from logging in
Post by: Asyn on April 10, 2021, 10:44:45 AM
We have reported this via the Avast false positive form (https://www.avast.com/false-positive-file-form.php) over 12 hours ago now however it is still blocked.
Hi Stephen, you should get a reply within 48 hours.
Title: Re: False positive on legitimate site is blocking our customers from logging in
Post by: polonus on April 10, 2021, 11:40:39 AM
The "page not found" should be taken up with CloudFlare's.
This is being blocked -> -https://d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js

polonus
Title: Re: False positive on legitimate site is blocking our customers from logging in
Post by: polonus on April 10, 2021, 11:54:45 AM
The "page not found" should be taken up with CloudFlare's.
This is being blocked -> -https://d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js

See insecure on same IP: -http://mypubid.com/ for instance.

Quote
Outdated JavaScript libraries detected. jquery 3.4.1
medium : Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
CVE-2020-11022
medium : Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
CVE-2020-11023

reported by retire.js
1   missing-content-security-policy
No Content Security Policy configured for this site.
source: DEVCON info.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
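A defender-side re-check of the two retire.js findings quoted above (a jQuery older than 3.5.0, where CVE-2020-11022 and CVE-2020-11023 were fixed, and no Content-Security-Policy), written as an added Python example that is not code from the thread, from retire.js or from the site owner; the response headers and HTML are constructed, and it only fingerprints script filenames, not bundle contents:

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not a capture of easycrypto.ai): response headers
# without a CSP, and a page that loads jQuery 3.4.1 plus an unrelated CDN script.
SAMPLE_HEADERS: Dict[str, str] = {"content-type": "text/html", "server": "cloudflare"}
SAMPLE_HTML = """<html><head>
<script src="/js/jquery-3.4.1.min.js"></script>
<script src="https://cdn.example.invalid/vendor.js"></script>
</head><body></body></html>"""

# jQuery.htmlPrefilter XSS (CVE-2020-11022 / CVE-2020-11023) was fixed in 3.5.0.
JQUERY_FIXED = (3, 5, 0)
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)
JQUERY_VER = re.compile(r"jquery[-./](\d+)\.(\d+)\.(\d+)", re.I)
CSP_META = re.compile(r"http-equiv=[\"']content-security-policy[\"']", re.I)


def script_sources(html: str) -> List[str]:
    """Return the src attribute of every external <script> tag."""
    return SCRIPT_SRC.findall(html)


def jquery_version(src: str) -> Optional[Tuple[int, int, int]]:
    """Parse a jQuery version from a script filename, e.g. jquery-3.4.1.min.js."""
    m = JQUERY_VER.search(src)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def has_csp(headers: Dict[str, str], html: str) -> bool:
    """True if a CSP arrives as a response header or as a <meta http-equiv> tag."""
    if any(k.lower() == "content-security-policy" for k in headers):
        return True
    return CSP_META.search(html) is not None


def audit(headers: Dict[str, str], html: str) -> List[str]:
    """Return the two retire.js-style findings quoted in the thread, if present."""
    findings: List[str] = []
    if not has_csp(headers, html):
        findings.append("missing-content-security-policy")
    for src in script_sources(html):
        ver = jquery_version(src)
        if ver and ver < JQUERY_FIXED:
            findings.append(f"outdated jquery {ver[0]}.{ver[1]}.{ver[2]} in {src}: "
                            "CVE-2020-11022, CVE-2020-11023")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HEADERS, SAMPLE_HTML)))
```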
Title: Re: False positive on legitimate site is blocking our customers from logging in
Post by: Stephen EasyCrypto on April 11, 2021, 08:13:15 AM
We have reported this via the Avast false positive form (https://www.avast.com/false-positive-file-form.php) over 12 hours ago now however it is still blocked.
Hi Stephen, you should get a reply within 48 hours.
Hi Asyn, thanks for your reply.
Title: Re: False positive on legitimate site is blocking our customers from logging in
Post by: Stephen EasyCrypto on April 11, 2021, 08:15:08 AM
The "page not found" should be taken up with CloudFlare's.
This is being blocked -> -https://d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js

polonus
From which URL do you see that included?
Title: Re: False positive on legitimate site is blocking our customers from logging in
Post by: polonus on April 11, 2021, 12:57:46 PM
Hi Stephen EasyCrypto,

That is included on -https://easycrypto.ai/auth, which comes up with a Page not found:
"I'm sorry, the page you were looking for does not exist."
Quote
SRC report: HTML
-easycrypto.ai/
18,345 bytes, 255 nodes

Javascript 5   (external 5, inline 0)
-www.google-analytics.com/analytics.js
48,759 bytes

-d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js
-easycrypto.ai/js/chunk-vendors.9dd1f715.js
-easycrypto.ai/js/app.0f4ad939.js
-static.cloudflareinsights.com/beacon.min.js
CSS 5   (external 4, inline 1)
INLINE: @font-face{font-family:'Axiforma-Black';src:url(/assets/webfonts/Axiforma-Black/
808 bytes INJECTED

-easycrypto.ai/assets/css/ec-2.10.css
INJECTED

-easycrypto.ai/assets/fontawesome/css/all.min.css
INJECTED

-easycrypto.ai/css/chunk-vendors.6c0b1195.css
INJECTED

-easycrypto.ai/css/app.ab40635f.css
INJECTED

We are still waiting for a final verdict from an avast team member for these apparent FP PHISHING findings
on various CloudFlare driven websites. Yours is one of them.
I PM-ed avast threat lab, but probably they will not reply earlier than over the weekend.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)