Web3 browser blocking content

Approximately a month ago, community member Embellished Tangible Darklingbeetle mentioned that browsing https://audius.co/ in the Web3 browser of the Status mobile app is not permitted, and causes the following error message to appear:

This site is blocked

We detected potential malicious activity from this address. To protect you and your wallet, we’re preventing further navigation.

If you think this is an error, let us know in the #status public chat.

I tested this in the following browsers on my iPhone, and was unable to reproduce the error.

  • Brave
  • Chrome
  • Coinbase Wallet
  • DuckDuckGo
  • Edge
  • Firefox
  • Onion
  • Opera Touch
  • Safari
  • SnowHaze
  • Trust Wallet

This leads me to believe that the Web3 browser in Status is detecting what it considers to be malicious behavior on the fly, or Status maintains some sort of URL blacklist which I’m concerned may be private (and thus would be in conflict with principle V, transparency). If it’s leveraging a third-party list, no other Web browser I could find is using it.

I raised this issue in the #support public chat in the Status app, but haven’t heard anything back yet… so I’m creating this thread to track updates. My most pressing concern about this behavior is that users can’t bypass the error/warning, effectively censoring the site in violation of principle II (censorship resistance). I’m unaware of any other URLs which trigger this behavior, and would appreciate hearing from anyone who is aware of any.

CC: @petty

image

2 Likes

hi @Chris Status uses this library https://github.com/MetaMask/eth-phishing-detect to detect phishing urls, i’ve created feature request https://github.com/status-im/status-react/issues/10811

1 Like

Thanks so much for the library information and for opening an issue for this, @andrey. :slight_smile: I visited https://metamask.github.io/eth-phishing-detect/ and submitted audius.co and https://audius.co/ and similar variations to it, and they return this message:

This domain is not blocked! No problem here.

This makes me wonder if the library is working as intended, or if the Status mobile app includes an older version. The list of domains that it appears to reference is at the URL below (though I don’t know if it checks internally or externally for it), and audius.co is in the “whitelist” section of the JSON:

I verified that etherclassicwallet.com (from the “blacklist” section of the JSON) generates the same error in the Web3 browser in the Status mobile app. More confusingly, however… I entered a number of other domains from the “whitelist” section such as auctia.io and crypto.games, and many (but not all!) of them generated the “site is blocked” error in the Web3 browser in the Status mobile app.

Ah, the eth-phishing-detect library used by Status is simply out of date. What a difference an informed search makes. :slight_smile:

I also found the original pull request for status-react issue 5583 (stronger security checks in browser).

yeah npm library was updated last time 2 months ago, and “audius.co” still not in the latest npm package, dunno if we have to use the latest master instead or have our own list or do not have any lists at all? @petty @hester @andre

1 Like

imo best option would be to use latest master and change text of the message and also give an option to continue anyway if user wants

2 Likes

:point_up_2::100: This sounds like the best option to me. We for sure don’t want to block, but we do want to inform from a security perspective. I’d love to know the criteria for the blacklist. If they are established, measurable security criteria, it makes sense to use it. If there are any arbitrary criteria we might want to look at alternatives like user generated flags

@0kok0k any thoughts on managing domain security checks?

1 Like

Also @Chris thanks for investigating this in detail!

1 Like