Advisory: Open redirect on


An open redirect is operating at


Google’s main website provides a subsite for displaying mobile-optimized pages published using a special subset of HTML called AMP. While this works for mobile devices, for non-mobile devices, this redirects to the original site, thus resulting in an open redirect. The subsite operates at the following URL:

where XXXX is the URL of the site. Here is an example of a legit URL — in mobile browsers this would display the actual article (this can simulated using Chrome’s developer tools):

HOWEVER, on non-mobile devices this would redirect to:

Because the vendor accepts any site without whitelist, this can be used as an open redirect. Additionally, since this is hosted on the same main domain as the search engine, it can in theory be used to drive XSS or other similar attacks, although this is mitigated by the fact that AMP currently does not allow Javascript.

Vendor Response

The vendor communicated that they do not consider open redirects to be a security issue



Discovered and written by Yakov Shafranovich.


2016–04–07: Vendor notified
2016–04–07: Vendor response
2016–04–11: Public disclosure

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.