There is no denying that Google’s AMP (or Accelerated Mobile Page) service has made browsing web pages on mobile devices much easier. AMP has drastically reduced the loading time of web pages on smartphones and tablets by allowing publishers to display ‘lightweight’ web pages, designed using AMP HTML, AMP JS Library, and Google AMP Cache. Google integrates AMP-powered pages into its mobile search results, displaying the faster-loading pages in a carousel and distinguishing them with the ‘thunderbolt’ icon and the AMP acronym. Even though Google AMP delivers web pages at faster speeds by quickly loading and rendering web content for users, the service has recently been exploited to target journalists through phishing.
According to Salon, a hacker group backed by the Russian government is using a security flaw in the AMP service to target investigative journalists. If Salon’s report is to be believed, Google noticed the vulnerability back in November last year, but to date has not been able to acknowledge and fix it completely. Shortly after its launch in 2015, AMP failed to impress some critics, who believed that the URLs of AMP-powered pages could be used to manipulate the credibility of a website, as all the URLs were prefixed with “google.com/amp”. They believed this could be used as a tool for exploitation, since every such website and its content carried Google’s backing.
And this is what the Russian hacktivist group Fancy Bear used to target Aric Toler, a researcher and writer for the website Bellingcat who specializes in analyzing Russian media and the country’s relationship with far-right groups within Europe and America. Apart from Aric Toler, journalists found investigating the Russian government’s influence in corruption and other wrongdoing also came onto the radar of such groups.
Using AMP’s security vulnerabilities, Fancy Bear sent two fake ‘password-reset’ email messages to Aric Toler. Both emails asked Aric to reset his password (because it was apparently now easy for an attacker to break into his account) and redirected him to a phishing web page, carrying a Google AMP domain name, that would transmit his details to the hackers.
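One way a mail filter could surface the real destination behind a google.com/amp link like the one described above (an added example, not code from the article or from Google). It assumes the `google.com/amp/<host>/<path>` form with an optional `s/` segment for HTTPS origins; the function names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

GOOGLE_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+(:\d+)?")

def unwrap_amp(url):
    """Return the destination URL behind a google.com/amp link, or None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    host = (parts.hostname or "").lower()
    if host not in GOOGLE_HOSTS or not parts.path.startswith("/amp/"):
        return None
    rest = parts.path[len("/amp/"):]
    scheme = "http"
    if rest.startswith("s/"):  # assumed: "s/" marks an HTTPS origin
        scheme, rest = "https", rest[2:]
    dest_host, _, dest_path = rest.partition("/")
    dest_host = dest_host.lower()
    if not HOST_RE.fullmatch(dest_host):  # first segment is not a hostname
        return None
    # The query string is dropped: the destination host is what gets judged.
    return f"{scheme}://{dest_host}/{dest_path}"

def suspicious_links(body, expected_hosts):
    """Return (link, destination) pairs whose AMP destination is off expected_hosts."""
    findings = []
    for raw in URL_RE.findall(body):
        link = raw.rstrip(".,)")
        dest = unwrap_amp(link)
        if dest is None:
            continue
        dest_host = urlsplit(dest).hostname
        if not any(dest_host == h or dest_host.endswith("." + h) for h in expected_hosts):
            findings.append((link, dest))
    return findings

# Constructed sample message; hosts are placeholders under reserved example domains.
SAMPLE = (
    "Someone has your password. Reset it now: "
    "https://www.google.com/amp/s/accounts.login.example.net/reset?u=1\n"
    "Help: https://www.google.com/amp/s/support.google.com/accounts/answer/1\n"
    "Status: https://www.google.com/search?q=amp\n"
)

if __name__ == "__main__":
    for link, dest in suspicious_links(SAMPLE, {"google.com"}):
        print(f"{link}\n  -> actually leads to {dest}")
```

A message claiming to come from Google whose AMP-wrapped link resolves to a host outside Google's own domains is the mismatch worth flagging for review.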
Google has told Salon that it has made a number of changes to AMP, without specifying exactly what those changes were. AMP’s tech lead has also blocked public comments on the GitHub bug report containing AMP’s implementation. Following the recent attacks on journalists, instances of AMP being used as an exploitable vulnerability might gain some momentum as the service continues to increase its reach among general users.
[Update] Following this news, a statement was given to Devs-Lab by Malte Ubl, Google lead for the AMP project. According to Malte, “We fixed this issue at the beginning of the year to make google.com/amp URLs safer. Now when our systems are uncertain whether a given URL is safe, we will show an interstitial informing the user that they are being redirected to another page that is potentially unsafe to click on. We are leveraging a number of security safeguards including Google’s Safe Browsing technology, which scans the web for potentially dangerous sites and warns users before they navigate to them.”
So it may be safe to say that the AMP project team has taken care of it.