Malware in scripttag of App

Highlighted
Shopify Partner
21 1 3

Hi, 

 

This is Muhammad Asfar. My question is about google ads malware detection in scripttag file.

 

I have developed an app and app functionality working on the store by app scripttag. 

 

Now I am facing issues due to scripttag file. Google has detected malware in the JS/jQuery scripttag code and ads disapproved due to it and I have checked my app scripttag file did not find anything to resolve this issue,

My question is 

Is there any guide to write scripttag file to encounter this issue?

Please share your views if you are facing this issue or resolved it.

Thanks in advance

0 Likes
Highlighted
Shopify Partner
1777 211 370

There is nothing special about Shopify scripttags and there are no guidelines on them. Most probably it loads some suspicious (to Google) libraries or doing some manipulation that Google considers "harmful". Do you get any details from Google on what specifically is being detected as harmful?

Sergiu Svinarciuc | CTO @ visely.io
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!
- To learn more about the awesome stuff we do head over to visely.io or our blog
1 Like
Highlighted
Shopify Partner
21 1 3

@Visely-Team thanks for replying on this thread.

On button click app is checking out product quantity conditions and if conditions fail then the app will show message modal.

Below is a detail that one app client get from google.

Why are your Ads disapproved?


Our latest scan from your site - came back, and still detects Malware/links that are potentially harmful to you and to the site visitors. It seems that your site (landing page) redirects users to malicious links OR triggered when clicked. Below are the links that we’ve detected:

 

0 Likes
Highlighted
Excursionist
39 0 24

The bad news is that this seems to be a recent problem affecting multiple apps.  See this thread on google ads support.

 

As outlined in the linked thread we did as many malware scans, security audits, and devtool scans as we could and everything turns up just fine. 

 

Our process is as follows

- we add some code to the theme that loads our script
- From within our script we check the version of jQuery and load it conditionally as per Shopify’s instructions.
- Due to some cross-origin issues we host jQuery on a proxy route so the domain where jquery is located will match the store’s url. We had cross-origin issues loading scripts from within our script and this solved it.
- This worked great for 2 years on 1000s of stores until a few days ago.

 

Based on the linked thread this seems to be happening with script tags, cross-origin, and same-origin scripts. 

 

@Shopify can you provide some guidance or insight into this??

1 Like
Highlighted

I have the same problem. And only thing our script is doing to change placeholder text of search input bar every second. 

And one of the customers added 1 start review and I can't get any new installs for my app. This is a really sad situation.

https://apps.shopify.com/partners/craftshift
0 Likes
Highlighted

@movsumovis your app relatively new and your scripts are being served from a new domain?
It might be that your scripts started appearing in too many stores too fast, as described in this medium post.
Anyway, make sure to contact Google Ads support team and ask them about the reason for this.

0 Likes
Highlighted

@Matt_Goodwinwhen this happened to your app, did you change the domain from which you are serving your script tags?
Or did you make any other bigger changes to your app and the system overall?

0 Likes
Highlighted

Thanks a lot for sharing this. Article is great but I think Shopify App team should discuss this topic with the Google otherwise there is no sustainable soultion.

https://apps.shopify.com/partners/craftshift
0 Likes
Highlighted
Excursionist
39 0 24

@SealSubs- We didn't change the domain serving script tags, the only thing we tried was doing an audit of our headers to make sure we were sending everything we needed to make google comfortable.  It was a while ago, but we added a proper CSP, made sure our 3rd party scripts were up to date, and made sure other security headers were looking good.

One thing to note is that this seems to have started a week or two after we added an additional domain to serve our scripts.  Perhaps google thought this was suspicious?  Honestly it just sort of fixed itself after a few days.

I did hear back directly from someone at Shopify about this who said (jquery was one of the scripts triggering the warning):

Hey Matt,

Weird, both of those files look fine. Sometimes we see jQuery files hijacked, but in this case it's identical with v3.4.1 from jQuery's CDN. I'm not sure there's much we can do from this end.

Some thing you might like to try:
- Add integrity and crossorigin attributes to the script tags.
- Keep in mind most themes have jQuery loaded (including carolina-lifestyle). You might be able to avoid the additional request by wrapping it in a jQuery check.

0 Likes
Highlighted

@Matt_Goodwin  I think that this additional domain was the cause of the issue. It seems that Google gets very suspicious when a new script from a new domain appears on too many websites too fast, as mentioned here. I am glad that the issue got resolved in a few days, because from our experience, this can take weeks to resolve with Google.

0 Likes