Part three of this series deals specifically with an important issue that came up in part one: some users, albeit a tiny percentage of overall users, were encountering a malware warning on pages where SocialCash ads were being served.
This is, of course, a BFD. As I mentioned in section one, while I was not going to assume that SocialCash was knowingly running any kind of malware, the mere appearance of impropriety can do irreparable damage to the reputation of both an application and the developers associated with it.
The back and forth on this is a little lengthy, but I thought it might be valuable for you to see how this played out. The short version – after running some tests, they feel that the malware alerts are false alarms triggered by overly aggressive heuristic detection algorithms. They then went on to suggest that I might want to find a new ad network.
*blink*
So here’s the long version, starting from the very beginning…
Email from app user: Feb 1, 2009 11:05AM
I like the app or at least a lot of my friends do.
However, in the last two days my anti-virus has been flagging up a malicious link on your start page. It appears to be a script that, if allowed to run, will capture key strokes and other info. I re-checked using Norton anti-virus (I use Avira anti-virus normally) and it also flagged the same script.
Avira warns me that “functionalities include – but are not limited to – downloading trojans, link to other infected pages, spy the user or spoof the content of a banking site.”
Would you please check the page and remove this?
I immediately replied back to the user, asking if they could possibly provide any more information on what antivirus they’re running, whether it was the top ad or the bottom ad that triggered it (since I use SocialCash on top, SocialMedia on the bottom, and I needed to know whose ass to chew off), etc. They quickly replied:
Reply from app user: Feb 1, 2009 – 12:59PM
It happened in two different apps on FB who have the same ad server as you have at the top of your page – socialcash I think?
Okay, so it looked like SocialCash was potentially the issue. I sent an email to SocialCash at 2:03PM that same day, just moments after receiving the application user’s reply:
Email from me to SocialCash: Feb 1, 2009 – 2:03PM
I received this notification from one of our users today. After discussing this with him further, he says it was happening on two other apps that were being served by SocialCash. When I removed the SocialCash ad code and stuck only with SocialMedia, the alert went away.
This is absolutely unacceptable. I don’t know whether this was a legitimate threat or not, but even if it was erroneously triggering this warning, this type of thing could do serious damage to the reputation of this application and any other applications associated with my name.
I would like an explanation of what happened here.
Maybe I came off a little too strong – I don’t think so. Malware alerts are, as I mentioned, a BFD, and to find out about this from a user sucks.
SocialCash replied, over 24 hours later – an admittedly longer response time than I would have hoped for in a situation where users think my application has a virus.
Email from SocialCash to me: Feb 2, 2009 – 4:53PM
We would never intentionally serve anything infectious or damaging, so this is definitely news to us. What ad was it? I see the user’s information below, so we will sync up with our tech side to see what we can find out. I’m sorry that this has happened. The more information you’re able to pass on, the quicker we can identify the issue.
I replied back that I was asking for more information from the users:
Email from me to SocialCash: Feb 2, 2009 – 4:57PM
I wish I knew which ad it was – I’d have sent a screenshot and explanation. Problem is, I naturally had to yank the SocialCash ads, lest my app get a reputation for distributing malware – so unless the reporting party happens to remember what the ad is, the only way for me to reproduce it is to turn those ads back on, which I don’t want to do until the situation is resolved. I replied to him the day he emailed me [yesterday], asking if he could describe the ad, etc – but he hasn’t replied yet.
Days passed with no reply from SocialCash. I was hoping the issue was perhaps transient, so I decided to enable SocialCash ads again. Shortly afterwards, I received another malware complaint, this time from a totally different user. I sent another email to SocialCash, since I hadn’t heard from them.
Email from me to SocialCash: Feb 5, 2009 – 4:01PM
Any progress on this? I received another complaint today. We are going to lose users if this situation doesn’t get resolved quickly.
“everytime i click on to this add on my antivirus avira throws up a malware issue at least twice per page why is this are you infected???”
At this point, I reached out to some Windows users on Twitter. I created one page with only a SocialCash ad and one page with only a SocialMedia ad, so that I could be 100% positive that SocialCash was the issue. I had 5 friends using Windows refresh each page upwards of 60 times, and their antivirus never triggered an alert. While I was relieved to know that most Windows users were apparently not seeing this alert, it naturally made troubleshooting much harder.
Luckily, both of the reporting users had gotten back to me at this point, and both reported that the alert only popped up on the SocialCash page. SocialMedia was off the hook for sure. After doing a little more digging, I sent SocialCash an update with what I had found:
Email from me to SocialCash: Feb 5, 2009 – 5:33PM
It looks like both people who reported a problem were running Mozilla/5.0 (Windows; Windows NT 6.0;rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 – one with US-english as default language and one with en-GB as default language. Both reporting the problem with Avira, and one confirmed the same alert with Norton.
The next day, one of the Facebook application users was kind enough to email me back with more specifics and a screenshot of the alert they’re receiving. I forwarded this on to SocialCash:
Email from me to SocialCash: Feb 6, 2009 – 1:38PM
Here is more information – the best so far. Steven says it’s occurring on every page load of the SocialCash test page, and sometimes pops up several alerts on a single page load. See the attached screenshot of the virus alert.
Perhaps you should get in touch with Avira?
SocialCash replied later that day with their conclusion:
Email from SocialCash to me: Feb 6, 4:38PM
We’ve done some testing, and have confirmed that there is no malware inside of our advertisements. Please know that no other users or publishers have reported positive hits with antivirus software.
The alert is caused by Javascript compression being flagged as potentially malicious by heuristic detection algorithms. It’s a false positive that happens only when users enable heuristic detection in their anti-virus software. There are many frequently used script libraries available on the web that cause similar false alerts to be thrown. We believe that the benefit of a much smaller download, and hence faster ad rendering and better performance, outweighs the smaller number of tech-savvy users who will surf the web with these controls enabled. Since we’ve confirmed that our advertisements do not contain malware, and because this is the first report we’ve received (amongst billions of impressions), we feel that this is the right approach to take to provide maximum value to the largest population of our users.
Given that you have sophisticated users who are raising these concerns to you, the last thing we want is for your use of SocialCash to impact your user base. We don’t think there is a way to remove this behaviour from the subset of your users who see these errors. This all being said, it may make sense for you to discontinue the use of our advertisements if you think this will have a negative impact on your overall user population. We obviously take this type of feedback very seriously, and wanted to thank you for bringing this issue to our attention.
Please let us know if you would like any further information, and let us know if you intend to continue to use our product.
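For readers wondering what "Javascript compression being flagged by heuristic detection" can look like, here is an added example (not SocialCash's code and not part of the original emails). The scoring rules, the three sample ad tags and the ads.example.invalid domain are all constructed for illustration; the real Avira and Norton heuristics are not public.

```javascript
// Toy heuristic for illustration only; NOT Avira's or Norton's real rules.
// Each trait is a surface feature that eval-packed JavaScript tends to show.
const TRAITS = [
  ["packer-wrapper", (s) => /eval\(function\(p,a,c,k,e,[dr]\)/.test(s)],
  ["split-dictionary", (s) => /'\.split\('\|'\)/.test(s)],
  ["very-long-line", (s) => Math.max(...s.split("\n").map((l) => l.length)) > 200],
  ["almost-no-whitespace",
    (s) => s.length > 100 && (s.match(/\s/g) || []).length / s.length < 0.05],
];

// Returns the traits that fired; two or more is treated as "suspicious".
function scoreScript(src) {
  const reasons = TRAITS.filter(([, test]) => test(src)).map(([name]) => name);
  return { reasons, flagged: reasons.length >= 2 };
}

// Constructed sample 1: a readable ad tag.
const READABLE = [
  "function showAd(slot) {",
  "  var frame = document.createElement('iframe');",
  "  frame.src = 'https://ads.example.invalid/serve?slot=' + slot;",
  "  document.getElementById(slot).appendChild(frame);",
  "}",
].join("\n");

// Constructed sample 2: the same tag minified (renamed variables, no eval).
const MINIFIED =
  "function showAd(a){var b=document.createElement('iframe');" +
  "b.src='https://ads.example.invalid/serve?slot='+a;" +
  "document.getElementById(a).appendChild(b)}";

// Constructed sample 3: the same tag in the shape an eval-based packer emits.
// It is only scored as text here, never executed.
const PACKED = String.raw`eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c.toString(a)+'\\b','g'),k[c])}}return p}('4 3(0){5 1=2.6(\'7\');1.8=\'9://a.b.c/d?0=\'+0;2.e(0).f(1)}',16,16,'slot|frame|document|showAd|function|var|createElement|iframe|src|https|ads|example|invalid|serve|getElementById|appendChild'.split('|'),0,{}))`;

for (const [name, src] of [["readable", READABLE], ["minified", MINIFIED], ["packed", PACKED]]) {
  const { reasons, flagged } = scoreScript(src);
  console.log(name.padEnd(9), flagged ? "FLAGGED" : "ok     ", reasons.join(", "));
}
```

All three samples do the same thing, but only the eval-packed form trips every trait, which is the kind of false positive the reply above describes.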
This is the first report they have received, among billions of impressions? It seems statistically impossible that my application has received two reports of this problem, with only 100k monthly active users. Out of their billions of impressions, my puny 100k monthly active users make up only a tiny fraction of those impressions, so what are the odds that not one but two of my users brought up a problem that no one else brought up?
The application is not one that appeals to particularly sophisticated people. It’s an absurdly simple application that lets people blow kisses to each other – not exactly rocket surgery. The two users who reported it were clearly more savvy than an average user, which is probably why they actually contacted me about it, rather than freaking out and closing their browser window, convinced my application would steal their identity, email their grandmother all of their porn, make their iPod play only Jethro Tull and make their TV record “Gigli”. (Thanks, Weird Al!)
Conclusion
I’m glad SocialCash claims to take these reports very seriously, but deciding their advertisement loading time is more important than the reputation of my application is not acceptable to me. “We take this sort of thing very seriously, and we appreciate you reporting it to us so we could completely ignore it and keep doing what we’re doing.”
It would be different if something in their ad code was causing a weird display issue for users of certain browsers and operating systems. But this isn’t some flaky display quirk. This isn’t something harmless that no one will notice. People visiting my application think I am trying to do them harm. Even if the percentage of people experiencing this issue is very small, that message is not one I am willing to live with.
Maybe I’m being too hard on SocialCash – but I take my reputation seriously. It’s a shame they don’t. The impression I get from my email exchange is that I am a pain in the ass client to them, and not worth the hassle to them for the paltry 100k MAU I bring to the table. At this point, they don’t seem to want my business, and I care more about my reputation than the $15 a day I make from them. So I’ll be exploring one of the alternate ad networks, replacing SocialCash with whichever seems to be the best. Stay tuned!