This article is more than 1 year old

AdSense fraud still too easy, says Spanish boffin

Uni prof goes public with two-year-old bug

A bit of code-work is all it takes to sidestep one of Google's key AdSense protection mechanisms.

That's the conclusion of Spanish researcher Manuel Blázquez, a PhD and professor at the Complutense University of Madrid.

In a paper just published at Arxiv, he says a combination of cross-site scripting (XSS) and old-fashioned Web crawling means you can obtain “the validated links of the ads published on a website”.

For an attacker, penetrating the JavaScript that's supposed to protect advertisers is a big thing, because it raises the spectre of being able to launch automated click campaigns on an advertisement – either to falsely boost the apparent performance of an ad network, or to attack an advertiser by getting Google to down-rate them in the AdSense system.

In response to previous click-fraud, the professor explains, Google's worked hard to put a kind of air-gap between an advertisement and the site hosting it.

When a Website puts show_ads.js in its HTML, AdSense generates two iFrames: the first runs integrity checks that are means to prevent XSS and protect the second iFrame that carries the ads.

Blázquez writes: “to make a valid loading of the ads in iFrame 2, permitted by iFrame 1, it is necessary to execute all the Google AdSense code and subsequently extract the link of the Iframe 2 dynamic website.”

His attack works by replacing the target site's source code to include a form (he calls it “technical1”) that then stores the URL of the second iFrame – after which, it's trivial to write JavaScript that extracts the advertisement's URL:

Blázquez has posted his code here, and there's a YouTube demo for those that speak Spanish:

Youtube Video

Blázquez writes that he demonstrated the issue to Google in 2013, but the issue still exists. ®

More about


Send us news

Other stories you might like