Microsoft has removed a false positive from SmartScreen which caused some users to be served with a phishing warning when trying to make a purchase from the PayDelete site. The problem affected primarily those using the Microsoft Edge browser on Windows devices. The problem did not impact any other browsers that we know of.
Windows SmartScreen is a security feature that comes with Windows operating systems. It is intended to protect users from malicious websites, but it often targets sites that are just fine like ours. When a clean site is falsely labeled as malicious that is called a false positive. In this case Microsoft’s warning claimed that our site had “been reported as unsafe.” That warning leads us to believe that some disgruntled individual or group of individuals had falsely reported our site to Microsoft as unsafe. Often people that use PayDelete do so after trying unsuccessfully to get content removed from our partners’ websites without paying a fee. We think somebody was trying to harm our business by reporting our site as unsafe.
We immediately reported the error to Microsoft, but did not get a meaningful reply for many weeks and only then after reporting it many times. When you report a false positive to Microsoft the first thing they do is send you an email stating:
“We have received the information you provided and are currently reviewing it. If it is determined that the current designation is incorrect or no longer accurate the warning will be removed. We typically expect to take 24 hours for our investigation. During the investigation, you may not see changes to the status of your site. If the status of your site has not changed after 24 hours, please contact us with a reply to this message. Please do not change the subject when replying.”
– Microsoft
We received our first response from Microsoft on November 3, 2021 and noticed no change, so we replied to their email. Still nothing happened, so on the 5th we reported the site as clean again. We received the same generic response, no action after 24 hours, and sent a reply again. We then waited over 2 weeks for a response, but after receiving nothing we filed a third report with Microsoft on the 18th. We received the same generic response and responded to it after not noticing any changes after 24 hours. Finally on the 26th we received the following email from Microsoft:
After about 24 hours we were finally able to access our checkout page using Microsoft Edge without being blocked by SafeScreen. While we are thankful that Microsoft finally corrected the error, we are frustrated that it took so long. Our checkout page doesn’t collect any personal data whatsoever, so correcting the error should have been easy.
What Data Our Checkout Page Collects
Our checkout page only collects data from partner websites needed to identify the content which is the subject of the order (post id number, URL, partner number). Our system then creates an identification number which is saved in our database along with the content information. The checkout page itself displays the content information to the user along with a PayDelete button which users can click to confirm their order. When that button is clicked the user is taken to Authorize.net to enter their payment information.
Why Send Users to Authorize.net?
We send users to an Authorize.net hosted checkout page so that they don’t have to enter any personal information on our site. We don’t trust random websites that ask for our credit card numbers and neither should you. We do however trust one of the most popular online payment gateways which many customers should recognize. That way they know that they are giving their information to a trustworthy organization. An organization which will not share their credit card numbers with us or anyone else without a court order.
What Happens When Authorize.net Charges You?
When Authorize.net processes your payment they will inform our system when the transaction has been approved using what is known as a webhook. When our system receives the information it checks to make sure that the message did in fact originate from Authorize.net and is otherwise valid before updating the status of your order to paid. When the order status is updated to paid our system then notifies the partner website hosting the content via another webhook. When the partner’s system receives the notification it checks to make sure that the message did in fact originate from PayDelete.com and does in fact correspond to a valid paid purchase. When the authenticity of the purchase notification is confirmed the partner site runs the wp_trash_post function in WordPress to change the status of the content to trashed. At that point the content is no longer available on the partner website and the URL returns a 404 “not found” error status code.
The process of communicating between systems typically only takes at most a few seconds, so the removal often appears instantaneous to the user. Sometimes people might experience a lag of a few seconds that triggers the partner website’s success page to show that payment has not been made and the content is still live, but that notice also tells users to wait a few seconds before refreshing their browser because when they do it will show that the bill has been paid and the content has been trashed.
Conclusion
Microsoft needs to do a better job responding to reports of false positives. Our site was probably under a false phishing warning for at least a month. We can only guess how many potential customers didn’t do business with us because they were using Edge and SmartScreen served them with a false phishing warning instead of our checkout page. We were fortunate that this error only impacted Microsoft Edge browser on Windows machines because Edge has a market share of less than 5%.