We've been having this problem for the last month, and it is getting really old. :( I'd love any help or advice.
We have a Facebook app that provides users a simple way to make tabs for pages. Some malicious actors were using our app to host redirects - which we have now blocked. As far as we can tell, there is not any more redirect abuse. Okay, here's where it gets weird.
We've got 12 "apps", each of which has identical functionality but different paths on our domain. For example:
http://raw2.statichtmlapp.com/tab/1/... http://raw2.statichtmlapp.com/tab/2/... http://raw2.statichtmlapp.com/tab/3/...
All urls beginning with the path /tab/2 are getting the warning, and all the other urls are fine. Gah.
We have read the documentation thoroughly about how to rectify this sort of thing, to no avail. https://developers.google.com/webmasters/hacked/docs/request_review suggests that we should use the webmaster console to request review for Malware or Spam, but our console says there is no problem with the domain.
We have submitted requests for review of phishing multiple times at http://www.google.com/safebrowsing/report_error/, but nothing happens.
I suspect that part of the issue may be an anti-abuse measure we have in place. The content in our app is only available when embedded inside Facebook, with a signed request that comes along with the iframe url from Facebook. So if a Google system attempts to directly craw urls that have been flagged, it will get either empty pages or errors. But we don't want to make the content available on the open internet for fear of phishing abuse (which is why we lock it down now), and we don't want to try to detect Google and just serve them the content, because that feels like something they would likely detect as suspicious and cause further flagging.
Any advice on what to do? It is incredibly frustrating to have a bunch of walls come slamming down like this, with very little we can do. Thank you so much for any help!
Aha! After a helpful reply on the Google Webmaster Central help forum, we got it cleared up. We needed to add the blocked url as a new site in the search console, not just the root domain. That made a security issue show up, and that enabled us to request a review, and finally get this cleared up.