A bit of code-work is all it takes to sidestep one of Google's key AdSense protection mechanisms.
That's the conclusion of Spanish researcher Manuel Blázquez, a PhD and professor at the Complutense University of Madrid.
In a paper just published at Arxiv, he says a combination of cross-site scripting (XSS) and old-fashioned Web crawling means you can obtain “the validated links of the ads published on a website”.
In response to previous click-fraud, the professor explains, Google's worked hard to put a kind of air-gap between an advertisement and the site hosting it.
When a Website puts show_ads.js in its HTML, AdSense generates two iFrames: the first runs integrity checks that are means to prevent XSS and protect the second iFrame that carries the ads.
Blázquez writes: “to make a valid loading of the ads in iFrame 2, permitted by iFrame 1, it is necessary to execute all the Google AdSense code and subsequently extract the link of the Iframe 2 dynamic website.”
Blázquez has posted his code here, and there's a YouTube demo for those that speak Spanish:
Blázquez writes that he demonstrated the issue to Google in 2013, but the issue still exists. ®