
False positive for via.hypothes.is


Hypothesis

Recommended Posts

Hi there,

It looks like MWB Browser Guard is improperly listing our proxy server, via.hypothes.is, as a source of phishing. I'm hoping that you can quickly remove it from your blocklist.

Note that Hypothesis does not host any content through our proxy service. Additionally, we have robust controls to detect and respond to improper and malicious use, including real-time content analysis, automated and manual blocklist controls, and mechanisms for reporting improper content and other Terms of Service violations.

For further information we encourage you to visit the following pages:

About Hypothesis proxy service: https://web.hypothes.is/help/what-is-the-via-proxy/
About Hypothesis: https://web.hypothes.is/about/
Hypothesis Terms of Service: https://web.hypothes.is/terms-of-service/

Please let us know if you have any additional questions or concerns.

Many thanks,

Hypothesis Support Team

image (5).png


While Browser Guard is showing the block to you, it is a block from our Malwarebytes Premium rules.  I have requested researchers to investigate further.  If they remove the block, Browser Guard should not have issues with the site UNLESS it gets a reputation block.  I cannot predict that in advance.  Please allow up to 4 hours from now, then try using the site again as you normally do.  If you encounter any issues at that time, please let us know.


Our researchers have looked at it again, and found strong reasons to not remove the phishing block.  While you can add an exclusion on your end, it is probably best for your team to investigate further.  I am attaching a screenshot I got from VirusTotal.  The "red" indicators are showing malware detections.  Many of them are detections from a large number of vendors, and many are current.  Your proxy itself has a single detection, but acts as a gateway to numerous other infected machines.

Untitled1.png


Hi Michael,

My name is Jon Betts and I'm one of the developers at Hypothesis.

Our main product lets people add annotations to web pages. This is usually done with a Chrome plugin that loads our client, but some users can't use it, so we also provide the site "via.hypothes.is" (flagged here), into which you can put any other site, and it will add our client to let you annotate it.


I can see how you could abuse the service to "wash" a URL to make it appear to come from us to try and evade URL blocklists, like you can with Google Translate (https://translate.google.com/translate?sl=auto&tl=es&u=http://example.com).

We started blocking the URLs that were reported to us, but it's pretty clear that this kind of "whack-a-mole" solution isn't really going to cut it. Our current plan is to use Google Web Risk (https://cloud.google.com/web-risk/) to vet the URLs before they are returned to the user, but it's taking a while to get signed up. In the meantime (this weekend) we started using the URL list provided by URLHaus (https://urlhaus.abuse.ch/). Any URL listed there over about 45 minutes ago should be blocked by our service, which you can try now (but obviously at your own risk). We are having some trouble with updates at the moment, so it's not always the latest.

So I'd say as of this weekend we're definitely doing a better job, but it's not good enough and it doesn't solve the issue here.

I had a look at the graphing tool you mentioned provided by Virus Total and it seemed to be listing two categories of bad content:

  • "Files containing the given IP address on it's strings"
  • "Files presenting any sort of traffic to the given address"

So this looks like some malware attacks could be using us to report home perhaps? I'm not a security expert myself.

The problem I see with this is, even if we have successfully blocked the content as they attempt to communicate back, presumably these existing files still contain references to us, and so this graph will show connections between our service and these various malicious files. If this graph forms a large part of the basis for listing us, there doesn't seem to be a way I can think of to fix this. For example I've added a graph of https://translate.google.com/, which shows a very similar pattern, but presumably isn't actually attacking users. Are there other criteria we can work on?

I suppose I'd be very grateful for any suggestions you could give for practical next steps for us.

Our current plan is to:

  • Integrate URL blocking based on URLHaus (a bit rough and ready right now, but done)
  • Integrate Google Web Risk info on top (early stages)
  • Maybe talk to CRDF to include their data too if they'd be happy with that?

 
The last idea I had was to stop users from being able to download files through the service entirely. I can't think of a good reason you'd need to for web annotation, and presumably this would cut off a lot of potential malicious uses in one go. That would be quite technically difficult for us to implement though (for boring reasons), but I think we should try.

Anyway, I'm sorry about all this, and would really appreciate any ideas you might have.

Thanks,
Jon

google_translate_graph.png
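The two mitigations Jon outlines above (vetting the target URL against a URLHaus-style blocklist before the proxy fetches it, and refusing to relay file downloads through an annotation proxy) are sketched below as an added example. This is not Hypothesis or Malwarebytes code; the blocklist text is a constructed sample in the shape of a URLHaus plain-text export, the hostnames in it are illustrative, and the names `ProxyPolicy`, `canonical`, `vet_target` and `vet_response` are this example's own.

```python
"""Added example (not Hypothesis or Malwarebytes code): a minimal URL vetting
step for an annotation proxy that loads arbitrary third-party pages.

It shows two mitigations from the discussion above:
  1. refusing to proxy a target URL that appears on a URLHaus-style blocklist
     (the list here is a constructed sample, not real URLHaus data), and
  2. refusing to relay responses that look like file downloads rather than
     annotatable web pages.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the shape of a URLHaus plain-text export: comment
# lines, then one URL per line. Hostnames below are illustrative only.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real URLHaus export
http://malware-example.invalid/payload.exe
https://Bad-Host.example:443/dl/stage2.bin
http://203.0.113.7/update.php
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical(url: str) -> str:
    """Normalise a URL so trivial variations of a listed entry still match:
    lower-case scheme and host, drop a default port, drop the fragment."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


class ProxyPolicy:
    """Decisions a proxy makes before fetching and before relaying a page."""

    def __init__(self, blocklist_text: str):
        self.blocked_urls = set()   # exact canonical URLs from the feed
        self.blocked_hosts = set()  # hosts of those URLs, matched more broadly
        for line in blocklist_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            cu = canonical(line)
            self.blocked_urls.add(cu)
            self.blocked_hosts.add(urlsplit(cu).hostname)

    def vet_target(self, url: str) -> tuple:
        """Return (allowed, reason) for a URL a user asked the proxy to load."""
        cu = canonical(url)
        parts = urlsplit(cu)
        if parts.scheme not in DEFAULT_PORTS:
            return False, "only http/https targets are proxied"
        if cu in self.blocked_urls:
            return False, "exact URL on blocklist"
        if parts.hostname in self.blocked_hosts:
            return False, "host on blocklist"
        return True, "ok"

    @staticmethod
    def vet_response(headers: dict) -> tuple:
        """Only relay responses that are web pages, not file downloads."""
        h = {k.lower(): v for k, v in headers.items()}
        ctype = h.get("content-type", "").split(";")[0].strip().lower()
        disp = h.get("content-disposition", "").strip().lower()
        if disp.startswith("attachment"):
            return False, "download (Content-Disposition: attachment)"
        if ctype not in ("text/html", "application/xhtml+xml", "text/plain"):
            return False, f"non-page content type {ctype or '<none>'}"
        return True, "ok"


if __name__ == "__main__":
    policy = ProxyPolicy(SAMPLE_BLOCKLIST)
    for target in ("HTTP://MALWARE-EXAMPLE.INVALID:80/payload.exe#x",
                   "https://bad-host.example/other-path",
                   "https://example.com/article"):
        print(target, "->", policy.vet_target(target))
    print(policy.vet_response({"Content-Type": "application/octet-stream"}))
```

Host-level matching is deliberately broader than the feed: a listed host is refused even for paths the feed has not seen, which trades some false positives for not having to chase every new path. The response check works on headers only, so it can run before any body is streamed to the user.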


4 hours ago, JonBetts said:

Our current plan is to:

  • Integrate URL blocking based on URLHaus (a bit rough and ready right now, but done)
  • Integrate Google Web Risk info on top (early stages)
  • Maybe talk to CRDF to include their data too if they'd be happy with that?

 
The last idea I had was to stop users from being able to download files through the service entirely. I can't think of a good reason you'd need to for web annotation, and presumably this would cut off a lot of potential malicious uses in one go. That would be quite technically difficult for us to implement though (for boring reasons), but I think we should try.

Hello,

After getting a better understanding of what the Hypothesis Proxy Service is, we are removing the block from MBAM3/4 and will only block via full domain blocks using Browser Guard from here on out. Similar to how we handle blocks that are abused by URL shorteners. Thank you for blocking the URLs that were reported to you and for bringing this to our attention. I think your other plans/ideas are a solid start as well. Sorry to have inconvenienced your domain. The unblock will be reflected in the next database update.

Regards.


Hi,

Thanks very much, that would be great. It's been a sleepless few weeks trying to keep on top of all of this.

If there is anything else that comes up, please feel free to contact me (I assume you can see my details from my forum user?). If you get any more reports of malicious URLs or activity getting past our system it would really help us out if you could pass them on at: https://web.hypothes.is/contact/.

Thanks,
Jon
