Compatibility Feature Leads to XSS Flaw in Gmail, Earns Researcher $5,000 - Cybers Guards

The dynamic email feature (AMP) allows users to use dynamic HTML content in emails, letting them perform various tasks directly within an email, such as replying to a Google Docs comment, completing questionnaires, responding to an event invitation and browsing catalogs. Google made the feature generally available in July.

Michał Bentkowski, chief security researcher at Securitum, studied AMP4Email and found that it could be exploited for XSS attacks. Although AMP4Email offers safeguards against such attacks, the researcher found a way to bypass them through an old feature called DOM Clobbering. DOM Clobbering is a legacy feature of web browsers that is known for its use in XSS attacks. Using DOM Clobbering, the researcher demonstrated how an attacker could add malicious code to an email via AMP4Email and have it run on the victim's side when the email was opened.

Nonetheless, as Bentkowski found, exploitation of the vulnerability did not pose a serious risk, since it could not bypass the AMP Content Security Policy (CSP), which is designed to prevent XSS attacks. In addition, the researcher said that the attacker's malicious code would be executed in an AMP domain rather than in Gmail. "Google also expressed concern about this case as they did not want to open up JavaScript in email (which could be used to deliver browser exploits)," Bentkowski said.

Google still described the vulnerability as "awesome" and awarded the researcher a $5,000 bug bounty, which is the standard amount for XSS flaws. The vulnerability was reported to Google on August 15 and it was patched before October 12.
