AdSense fraud still too easy, says Spanish boffin


Batu69

Uni prof goes public with two-year-old bug

A bit of code-work is all it takes to sidestep one of Google's key AdSense protection mechanisms.

That's the conclusion of Spanish researcher Manuel Blázquez, a PhD and professor at the Complutense University of Madrid.

In a paper just published at arXiv, he says a combination of cross-site scripting (XSS) and old-fashioned Web crawling means you can obtain “the validated links of the ads published on a website”.

For an attacker, penetrating the JavaScript that's supposed to protect advertisers is a big thing, because it raises the spectre of being able to launch automated click campaigns on an advertisement – either to falsely boost the apparent performance of an ad network, or to attack an advertiser by getting Google to down-rate them in the AdSense system.

In response to previous click-fraud, the professor explains, Google's worked hard to put a kind of air-gap between an advertisement and the site hosting it.

When a Website puts show_ads.js in its HTML, AdSense generates two iFrames: the first runs integrity checks that are meant to prevent XSS and protect the second iFrame that carries the ads.

Blázquez writes: “to make a valid loading of the ads in iFrame 2, permitted by iFrame 1, it is necessary to execute all the Google AdSense code and subsequently extract the link of the Iframe 2 dynamic website.”

His attack works by replacing the target site's source code to include a form (he calls it “technical1”) that then stores the URL of the second iFrame – after which, it's trivial to write JavaScript that extracts the advertisement's URL:

Blázquez has posted his code here, and there's a YouTube demo for those that speak Spanish:

Youtube Video

Blázquez writes that he demonstrated the issue to Google in 2013, but the issue still exists.

Source


This is what I was talking about. ABP gets paid 40 million a year from Google to let this kind of malware through with ads. Also Bing has a problem too and Microsoft pays them as well. If your ad blocker is not for you, it's worthless. It either is or it isn't. It's everything or it's nothing. :P


Archived

This topic is now archived and is closed to further replies.
