Ask HN: Our script was flagged as malicious by Google Ads, help

[msf83]

Hello fellow HNers!

Our startup does attribution: user clicked ad, user looked at these 4 pages, user filled out form, receptionist qualified lead, customer bought, you got ROI. On the customer's website, it behaves like a combo of Google Analytics, CallRail and Hubspot.

And then Google Ads scanner flagged our script as "malicious" software and shut down all the ads, of all the businesses, us and our friends, that have it on their site. YIKES. Company killer if we can't get this fixed.

We went to customer support, they said the script is malicious and our only option is to take it down on our site. No can do, this is our startup.

Here's what it does: * It tracks user activity page by page and even movement, throughout the session, after they come from any source, one of which is Google ads * Duplicates Callrail, using number swapping and custom phone numbers for each session, so we can attribute phone calls. * Provide an API that clients can use to wrap up their contact form submissions into a JSON object and do an AJAX call, allowing us to intercept the inquiries on their site. (Customers must implement it specifically) * Embedded in the script are the following: fingerprint.js, a Call-Rail style number swapping script (custom), and jQuery. That's pretty much it.

Interestingly, we haven't run afoul of the main scanner (Search Console Security Issues), it's just the ad scanner (YOur Google Ads are disapproved).

Does anyone have any insight into A) which part of this they think is the problem, with emphasis on any direct experience you have or B) how we can get details from the technical team on what the issue is ?

p.s. - For various reasons owing to the large audience here and people we know, we can't disclose the company names or URLs here. I'm happy to sidebar with specific people though if you're willing to help.

[nana_gb]

Browser fingerprinting is generally frowned upon by many major browser vendors and ad blockers.

It also goes against user’s rights for privacy and tracking prevention that they have control over.

I wouldn’t be surprised if google ads classifies fingerprinting as malicious.

Remove it from the bundle and try again.

Additionally, the ability to intercept form submissions can also be seen as malicious.

Especially if it’s a 3rd party script doing the interception and making AJAX calls to another domain.

This is basically what malicious scripts do.

HTH I have been building adtech for Google Ads etc for 15+ years. Happy to talk more if needed. But I’m pretty sure the two changes above will fix it.

[msf83]

Do you know if I fix it, how to trigger a rescan of the offending URL, not the advertisers' page? I'm trying to figure out what the lifecycle and stickiness of a flagged URL is.

Example: www.advertiser.com contains -> a.startup.com/script.js

I'm considering this strategy: * drop fingerprinting and form submission like you suggest * resubmit advertiser.com's ads for a rescan, but if theyve got startup.com's url flagged, will they rescan that URL too? * problem: how do I know how to long wait to see if it worked?

My next move would be: * setting up a new subdomain, new filename (like b.startup.com/newscript.js)

Thoughts?

[nana_gb]

The last time this happened with a client, fixing the script was good enough to resolve the issue with Google after resubmission.

But that may have changed.

[msf83]

Really appreciate your insight thank you this helps

[dylz]

The way you describe your script literally makes it sound like malicious software.

Do you webpack/rollup the entire thing together, or is fingerprint/jquery included as-is?

[msf83]

It's all packed up into one script together using a bundler.