Google AMP Flaw Exploited By Russian Hackers Targeting Journalists (salon.com) 57
An anonymous reader writes:
Russian hacktivist group Fancy Bear (also referred to as APT28, Sofacy, and Strontium) has been using a flaw in Google's caching of Accelerated Mobile Pages (AMP) to phish targets, Salon reports. To make matters worse, Google has been aware of the bug for almost a year but has refused to fix it... The vulnerability involves how Google delivers google.com URLs for AMP pages to its search users in an effort to speed up mobile browsing. This makes Google products more vulnerable to phishing attacks.
Conservative blogger Matthew Sheffield writes in the article that most of the known targets "appear to have been journalists who were investigating allegations of corruption or other wrongdoing by people affiliated with the Russian government." One such target was Aric Toler, a researcher and writer for the website Bellingcat who specializes in analyzing Russian media and the country's relationship with far-right groups within Europe and America... another journalist who writes frequently about Russia, David Satter, was taken in by a similar AMP phishing message... Shortly after Satter was tricked into visiting the fake website and entering his password, a program that was hosting the site logged into his Gmail account and downloaded its entire contents. Within three weeks, as the Canadian website Citizen Lab reported, the perpetrators of the hack began posting Satter's documents online, and even altering them to make opponents and critics of Russian President Vladimir Putin look bad.
Google told Salon they've "made a number of changes" to AMP -- without saying what they were. (After contacting Google for a comment, AMP's creator and tech lead blocked public comments on a Github bug report about Google's AMP implementation.) "More things ... will come on Google's side in the future and we are working with browser vendors to eventually get the origin right," AMP's tech lead wrote last February.
Jason Kint, CEO of a major web publishing trade association, told Salon that "This report of an ongoing security issue is troubling and exactly why consolidation of power and closed standards are problematic. The sooner AMP migrates to the open web and becomes less tied to the interests of Google, in every way the better."
Conservative blogger Matthew Sheffield writes in the article that most of the known targets "appear to have been journalists who were investigating allegations of corruption or other wrongdoing by people affiliated with the Russian government." One such target was Aric Toler, a researcher and writer for the website Bellingcat who specializes in analyzing Russian media and the country's relationship with far-right groups within Europe and America... another journalist who writes frequently about Russia, David Satter, was taken in by a similar AMP phishing message... Shortly after Satter was tricked into visiting the fake website and entering his password, a program that was hosting the site logged into his Gmail account and downloaded its entire contents. Within three weeks, as the Canadian website Citizen Lab reported, the perpetrators of the hack began posting Satter's documents online, and even altering them to make opponents and critics of Russian President Vladimir Putin look bad.
Google told Salon they've "made a number of changes" to AMP -- without saying what they were. (After contacting Google for a comment, AMP's creator and tech lead blocked public comments on a Github bug report about Google's AMP implementation.) "More things ... will come on Google's side in the future and we are working with browser vendors to eventually get the origin right," AMP's tech lead wrote last February.
Jason Kint, CEO of a major web publishing trade association, told Salon that "This report of an ongoing security issue is troubling and exactly why consolidation of power and closed standards are problematic. The sooner AMP migrates to the open web and becomes less tied to the interests of Google, in every way the better."
The sooner Google cans AMP the better (Score:5, Interesting)
"The sooner AMP migrates to the open web and becomes less tied to the interests of Google, in every way the better"
The sooner Google cans AMP entirely the better. It is truly awful.
Re: Sorry (Score:2)
Re: (Score:1)
Da, ya soglasen ...
I mean yes totally agree fellow freedom loving American! pigdog liberals destroy our fine motherland! Er homeland, da da homeland.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That and the 4 million MORE democrat votes for house races still resulting in a Republican house
How does that work again?
The problem is NOT that we don't reach voters!
Re: Makes Sense (Score:1)
You forgot
Global hegemony
Which is kinda the point of tfa.
"a major web publishing trade association" (Score:3)
Is it so minor that Salon couldn't name Digital Content Next (which I had to Google)?
Hello? Project Zero? (Score:3)
If you guys really don't treat Google any differently than companies which aren't your employers, this seems like something you should've been all over.
Apple's stripping AMP-links (Score:5, Interesting)
in IOS 11:
https://www.macrumors.com/2017... [macrumors.com]
But hey, they're a walled garden and just after your money.
Re: (Score:2)
It sounds like Google specifically requested this from all browser makers [ycombinator.com] - Safari may just have been the first to implement.
Perhaps the request came about because of this flaw?
IP and Language are not the source (Score:3)
We all know from reports, that IP address and language usage are most definitely not the source of those attacks. They could come from any where in the world. Lets be brutally honest and real, if I wanted to hack the US government, I would do it from a bootable thumb drive, which would be well hidden when not in use and I would route all those attacks so that they would appear to come from Russia or China and I would tend to use tools sourced from those locations to better cover up tracks. How do you source an attack from a foreign country, to easy attack a noobs computer in that foreign country and you control it to send out your attacks. Russians would have to be pretty stupid to do that attack direct from their home computer. But, ah ha, you claim why would Russia care if hackers attack the US because criminals are criminals and they are weak to temptation and they will hack locally as well as abroad. Their local attacks, they of course would do abroad, from a bot, probably the US.
Private military/security contractors are notoriously corrupt, lie, cheat and steal to be able to factually 'kill' for profit. Now would a private military/security contractor be open to being paid millions to attack local companies, news agencies, pretty much anybody? Of course (they already 'kill' for profit) and would they be smart enough to source that local attack from an overseas bot (of course), so news article an empty crock of shite.
Make no claim about the attacks without localised proof, want to say Russia, well, where is the evidence of a Russian at the keyboard, in person actually typing in the commands, a russian owned computer is not a russian, it is just a potential bot. Want real computer law enforcement, then start crafting computer crime investigation and prosecution treaties you fuck knuckle moronic dick heads (oh that's right, you fucking pieces of shit, you can't do that because you can not hide your espionage activities behind those criminal activities, after all those espionage activities are criminal activities and in reality often nothing more than that because private contractors who already 'kill' for profit, so what is a little computer hacking to them).
Re: IP and Language are not the source (Score:1)
they're not doing it from their "home" computer. fancy bear is a whole ru government department with several thousand staff.
Re: IP and Language are not the source (Score:1)
why go to all that effort? being known as the most elite state sponsored cyber division globally is part of their strategy.
Kinda like a navy seals badge.
Should navy seals go to as much effort to hide the fact they are navy seals?
Re: (Score:2)
The proof of this of course being your imagination. Nothing but a wild scheme by the Clinton Crime Clan to stay out of prison.
I was confused (Score:2)
I was confused by the summary, since I have only seen AMP links in my news app. The problem is that you can send links to AMP stories, and those links have a google.com URL. This was used for spear-phishing these journalists.
On Oct. 12, 2016, Toler received an email supposedly from Google alerting him that he had recently changed his security settings to enable older email programs to access his account. “Please be aware that it is now easier for an attacker to break into your account,” the message warned. It invited him to click on a Google AMP URL redirected to a fake webpage designed to capture his email credentials and transmit them to hackers.
It's pretty sneaky, and really brings home that you should never, ever click on email links.