Implementation of an AMP Cache Removal Feature for Enhanced Security against Illegal Content on Compromised Sites #39704

Open
jefrymey opened this issue Dec 19, 2023 · 9 comments

@jefrymey

jefrymey commented Dec 19, 2023

Description

I am reaching out as a representative of the ANTI ONLINE GAMBLING team from Pelita Bangsa University, working in collaboration with the Ministry of Communication and Information Technology of Indonesia. We've been tackling the issue of governmental and educational sites hijacked for illegal gambling, with over 701 such instances identified as of December 19, 2023.

The misuse of AMP by these hacked sites is alarming, as AMP pages remain active in Google's cache even after the primary sites are taken down. This creates a false impression that the sites are still legitimate, misleading citizens and damaging the credibility of our institutions. The AMP pages are effectively aiding hackers by staying accessible via Google SERPs despite site suspension, takedowns, and error statuses like 404 and 403.

Our efforts to combat this, including reporting to hosting services, direct communication with site owners, and using Google’s content removal service, have yielded limited success. The process is slow, manual, and often hindered by the hackers' persistent access to the Google Search Console of the affected sites.

Proposed Feature:
I urge the AMPdev team to consider a feature that mirrors the functionality of Google's content removal tool but is specifically designed for AMP pages. When a site is confirmed to be inactive or compromised, a swift review process should follow, leading to the disconnection of its AMP cache within 24 hours. This would prevent the AMP version of the site from being served to users, thereby protecting them from fraudulent or harmful content.

Alternatives Considered

Current methods, including Google's removal tool, are not fully equipped to address the specific challenges posed by AMP pages. The proposed feature would fill this gap, providing a targeted and streamlined solution for AMP cache issues related to security breaches.

Additional Context

This feature is crucial not just for Indonesia but for any country facing similar challenges. It would significantly improve the security and trustworthiness of the AMP ecosystem, ensuring that AMP continues to serve its purpose without being exploited by malicious actors.

I am willing to provide further information and collaborate closely with the AMPdev team to see this feature implemented. My contact is [email protected] (JEFRY MEY SENDY).

@jefrymey
Author

jefrymey commented Jan 7, 2024

Still no response.....

@erwinmombay
Member

heya @jefrymey apologies for the late reply as a lot of people were out for the holidays. thank you for this detailed report. I'll get back to you with a response after consulting some folks internally

@jefrymey
Author

Thank you ^^

@jefrymey
Author

Hey @erwinmombay, Hope you're doing well. Just checking in about the AMP Cache Removal feature (Issue #39704). Any news on your end about this? We're really keen to know how things are progressing and if there's an estimated timeline for a decision or action.

Thanks

@erwinmombay erwinmombay self-assigned this Mar 7, 2024
@erwinmombay
Member

heya @jefrymey I'll try and give a quick response to this. my apologies

@erwinmombay
Member

@jefrymey Follow these instructions to fully remove both the hijacked AMP and non-AMP versions of your pages from Google.
https://developers.google.com/search/docs/crawling-indexing/amp/remove-amp#remove-all-content
The Google AMP Cache will eventually update automatically, but you can accelerate the process with the following API.
https://developers.google.com/amp/cache/update-cache

The update-cache should allow y'all to take down the sites. Let us know how it goes for you

@jefrymey
Author

jefrymey commented Mar 8, 2024

Thanks, I will check and learn it, thank you for your reply ^^

@jefrymey
Author

jefrymey commented Mar 8, 2024

But wait, this one you give me

> @jefrymey Follow these instructions to fully remove both the hijacked AMP and non-AMP versions of your pages from Google.
> https://developers.google.com/search/docs/crawling-indexing/amp/remove-amp#remove-all-content
> The Google AMP Cache will eventually update automatically, but you can accelerate the process with the following API.
> https://developers.google.com/amp/cache/update-cache
>
> The update-cache should allow y'all to take down the sites. Let us know how it goes for you

But wait, this one you give me is for the site owner, and I'm not the owner.
My problem and request is: can AMP Dev develop a tool similar to this feature from Google: Refresh Outdated Content?
But the only difference is this:

  • feature remove outdate content from google have final decision to remove that search result from google (because the page is inactive)
  • and this feature i request from AMP Dev is to have final decision to remove AMP Connection from that page that already inactive

Why?
Using only Remove Outdated Content does not work 100% because sometimes we have these problems:

  1. Hackers still have access to Google Search Console (even when the main page is already suspended; *AMP is still active because it connects to a different domain, like in this thread: #39870), and they can easily cancel the removal requests that we make
  2. The WEBSITE OWNER is hard to contact (95% of the websites that we contact are hard to get connected with)
  3. Some website owners sometimes have a deal with these hackers to trade money for their website pages

Please, we need this feature

@erwinmombay
Member

erwinmombay commented Mar 15, 2024

Gotcha, thanks for explaining further @jefrymey let me get back to you on this.

A few additional questions so I can relay the information properly

  1. could you explain to me what entity y'all represent in this scenario?
  2. Have you gotten in contact with the website owner at all?
  3. for "feature remove outdate content from google have final decision to remove that search result from google (because the page is inactive)" and "and this feature i request from AMP Dev is to have final decision to remove AMP Connection from that page that already inactive" -- how would verification work here though?
