Open source tool was incorrectly labeled as a threat by Chrome’s Safe Browsing program last week
The Nmap project has been wrongfully labeled as a cybersecurity “threat” by Google Chrome’s Safe Browsing service.
The incident is the latest example of legitimate security tools becoming categorized in the same way as malware, phishing code, or malicious exploits.
Network Mapper (Nmap) is an open source scanner for network discovery and security audits. The award-winning tool has also been featured in numerous movies.
On January 21, the Nmap team said in a tweet that Google Chrome had been warning users that a decade-old version of Ncat software was a ‘harmful’ program.
To make matters worse, the entire directory was blocked, containing 458 other files – including the latest Nmap release.
A week prior, the browser also blocked 24-year-old source code files in the project’s historical archive.
Speaking to The Daily Swig, the developer and maintainer of Nmap, Gordon ‘Fyodor’ Lyon said that the cases highlight Google “wield[ing] such vast power so carelessly […] especially since their warning message tells user our site is ‘dangerous’ and ‘contains harmful programs’ when it is really Google’s own errors”.
When the block was discovered, Lyon first set out to understand what file had been flagged and why.
This can be a time consuming and complicated process as it requires specific DNS TXT records to be added to the domain in question to prove ownership before the tech giant will provide further information.
Lyon then had to decide how to respond and whether or not to attempt to appeal the decision while also inundated with meetings and his existing workload.
There were two methods – remove a file that was still “useful to many people”, or try to convince Google that its system incorrectly flagged a legitimate cybersecurity resource as malware.
In the end, the developer says, he simply “got mad” and tweeted out his frustration to the masses.
The tweet was fired to 130,000 followers and an associate at Google Security spotted the message. The issue was then personally escalated, although the developer added that others may have seen the tweet and helped, too.
It took less than an hour for the warning to be removed after the tweet was published.
“We shouldn’t have to do this and it may have only worked for us due to luck or popularity,” Lyon commented. “Other organizations might have a harder time.”
Google’s Safe Browsing program was launched in 2007 to help protect users from malicious content
Security pinch points
The Nmap warning is the latest in a string of mislabeling incidents by Google Safe Browsing. While the program is intended to alert users to dangerous websites and downloads, others have noted that the tech giant’s algorithms have the power to severely impact innocent businesses and developers.
Stök told us that to be a YouTube partner you must adhere to the platform’s policies, and due to a “global misunderstanding in the rhetoric that hackers = cybercriminals”, the YouTube ad business and cybersecurity content can clash.
It is possible to avoid certain trigger words or phrases to try and stay clear of algorithms that can prompt takedowns and to stay ad-worthy, but the industry is in a “grey zone [and] sh*t happens”, according to the content creator.
“Even though it sucks that channels get taken down and content gets flagged, it’s the game we play,” Stök said.
“And to be honest, there really isn’t any true alternative if you want to be able to actually live on your craft and get paid for what you do, without having to charge the end user. There is no free lunch.”
On the vendor side, Google Chrome has also incorrectly flagged PortSwigger Web Security’s Burp Suite apps in the BApp Store on more than one occasion.
“We have processes in place to monitor how our website is performing and take steps to rectify the errors in mislabeling via Chrome or Google Search as they arise,” commented Kieron Hughes, director of organic performance at PortSwigger*.
The Daily Swig has reached out to Google but has not heard back at the time of publication.
*PortSwigger is the Daily Swig’s parent company