UPDATE: From Google’s Malte Ubl, Google lead for the AMP project:
Contrary to the claims in the story, we fixed this issue at the beginning of the year to make google.com/amp URLs safer. Now when our systems are uncertain whether a given URL is safe, we will show an interstitial informing the user that they are being redirected to another page that is potentially unsafe to click on (https://screenshot.googleplex.com/BeF1frLJ2QN). We are leveraging a number of security safeguards including Google’s Safe Browsing technology, which scans the web for potentially dangerous sites and warns users before they navigate to them.
[JOE:] I appreciate Malte reaching out on Twitter and through email. But I still wouldn’t consider the solution above an end-all to this issue, especially since Ubl has a history of brushing aside security concerns: “I don’t agree that an unsophisticated user could be fooled by this.”
There is a security bug associated with Google’s Accelerated Mobile Pages.
Google has been pushing for widespread adoption of its Accelerated Mobile Pages, otherwise known as AMP, marketing the format as a way to optimize web pages for mobile devices. AMP was designed with the mobile user in mind: the technology allows pages to load faster on mobile devices.
While Google has been heavily promoting AMP, it remains a controversial topic in the web industry. The primary concerns are that it obscures true URLs, restricts the user interface, and encourages searchers to stay on Google’s site.
Experts argue that AMP has allowed spam and fake-news operations to mimic the look of legitimate sources, thanks to its limited interface features. These spam sites now look remarkably similar to the real thing, making it difficult for consumers to tell the difference.
Not only are AMP pages giving way to fake-news opportunities, they are also becoming a target for cybercriminals who use phishing to steal account information. Phishing is a common way for attackers to obtain private information: their alerts are crafted to look like security notices from legitimate companies. Unsuspecting victims then visit websites whose sole purpose is to collect passwords.
As phishing continues to grow in popularity, internet experts stress the importance of never clicking on password-reset links that take the user to a new domain. Unfortunately, with the addition of AMP pages, Google has unwittingly made consumers more vulnerable to such schemes.
The most common advice consumers receive is to confirm the domain in the address bar, but AMP pages allow a malicious site to present a google.com address before forwarding the user to another site.
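As an added example (not code from the original post or from Google), here is a small checker that recovers the real destination behind a google.com/amp link, so the “check the domain” advice can be applied to the site the user will actually land on rather than to the google.com prefix. It assumes the AMP cache URL shape https://www.google.com/amp/[s/]host/path, where the optional s/ segment marks an HTTPS origin; the function names are my own.

```python
"""Resolve the real destination behind a google.com/amp link.

Added example, not from the original post. Assumes the AMP cache URL
shape https://www.google.com/amp/[s/]<host>/<path>, where the optional
"s/" segment means the origin site is served over HTTPS.
"""
from urllib.parse import urlsplit, urlunsplit

GOOGLE_HOSTS = {"google.com", "www.google.com"}


def resolve_amp_target(url):
    """Return the origin URL an AMP viewer link leads to, or None.

    None means the link is not a google.com/amp URL, so the host shown
    in the address bar is already the real host.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in GOOGLE_HOSTS:
        return None
    segments = parts.path.split("/")
    # Expect ['', 'amp', <origin host or 's'>, ...]; anything else is not an AMP cache path.
    if len(segments) < 3 or segments[1] != "amp" or not segments[2]:
        return None
    rest = segments[2:]
    scheme = "http"
    if rest[0] == "s":  # "s/" prefix: origin is fetched over HTTPS
        scheme = "https"
        rest = rest[1:]
    if not rest or not rest[0]:
        return None  # "amp/s/" with no host after it
    origin_host, origin_path = rest[0], "/" + "/".join(rest[1:])
    return urlunsplit((scheme, origin_host, origin_path, parts.query, parts.fragment))


def is_disguised_link(url, expected_domain):
    """True when a google.com link actually lands on a host outside
    expected_domain, i.e. the address bar would mislead the user."""
    target = resolve_amp_target(url)
    if target is None:
        return False
    real_host = (urlsplit(target).hostname or "").lower()
    expected = expected_domain.lower()
    return not (real_host == expected or real_host.endswith("." + expected))


if __name__ == "__main__":
    # Constructed sample link: looks like google.com, lands elsewhere.
    sample = "https://www.google.com/amp/s/accounts-reset.example/reset?u=1"
    print(resolve_amp_target(sample), is_disguised_link(sample, "google.com"))
```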
While Google attempted to defend AMP, well-known cybercriminal groups, like Fancy Bear, were already exploiting these weaknesses, resulting in data breaches.
Looking for ways to safeguard yourself against this security bug? Reach out to Hall Analysis for more information.