Google AdSense Click Fraud Made Possible By Uncloaking Advertisers' Sites

An anonymous reader writes: A Spanish researcher claims to have uncovered a vulnerability in the security procedures of Google's AdSense program which would allow a third party to manipulate clicks on Google's syndicated ad service by 'de-cloaking' the obfuscated advertiser URLs that Google AdSense placements provide as links. He has also provided downloadable PHP files to show the exploit in action.

Java != javascript

[agm]

The document mentioned in the summary repeatedly uses the term "Java" when they mean "javascript". That's such a rookie mistake that it's difficult to take anything else they say seriously.

Re:Java != javascript

[JustAnotherOldGuy]

The document mentioned in the summary repeatedly uses the term "Java" when they mean "javascript". That's such a rookie mistake that it's difficult to take anything else they say seriously.

Yeah, mixing up "java" and "javascript" is kind of a conversation-stopper as far as I'm concerned. It makes my Credibility-O-Meter drop into the negative numbers.

What he's outlined may well be true, but damn, that's is the kind of mistake that makes you wince.

Re:Java != javascript

[Jack9]

I think Java is being used correctly (in the PDF/paper http://arxiv.org/pdf/1509.0774... ) and the article linked, does not confuse the terms.

Re:Java != javascript

It's absolutely not. Look at Figure 1 of the PDF you linked. They show JavaScript code (that is clearly identified as such for someone who doesn't even know what it is), but call it Java code. They even go on to call JavaScript files Java files. These are two totally different things. I didn't bother reading any more, but I am sure this is consistently wrong throughout the paper.

Re:Java != javascript

Meh... half the people on this site still use the term "hacker" over "cracker."

Re:Java != javascript

[Xenx]

that's is the kind of mistake that makes you wince.

I don't know if I should laugh or wince at that mistake.

Re:Java != javascript

[phantomfive]

Nobody uses "cracker" in that sense anymore, get over it.

Yeah, kind of a weird thing, right?
We have hack-a-day, hacker-space, life-hacker, all kinds of things where the MIT meaning of the word "hacker" has entered into the mainstream.
And yet the word "hacker" as a malicious attacker is also perfectly viable in mainstream.

Thus we have a word that is both extremely negative and fairly positive, and yet collisions are rare. People always seem to be able to figure out what is meant.

Re:Java != javascript

[Bing+Tsher+E]

Well, 'people on the inside' easily figure out what is meant. The regular folks just back slowly out of the room. That's appealing for people 'on the inside' who want to remain an elite.

Re:Java != javascript

[kelemvor4]

I think Java is being used correctly (in the PDF/paper http://arxiv.org/pdf/1509.0774... ) and the article linked, does not confuse the terms.

You're mistaken. They include the source. It's definitely javascript despite the article referencing it as a "Google Java Applet". Maybe he wrote the article in Yahoo Go on his Microsoft iPad.

Re:Java != javascript

[Jack9]

I am mistaken. Apologies.

Re:Java != javascript

[hairyfeet]

Uhhh the guy IS Spanish, isn't it possible its simply a translation error or due to the fact English isn't his native tongue?

Re:Java != javascript

[Fnord666]

I think Java is being used correctly (in the PDF/paper

Maybe this brief quote will clear things up:

The java file "show_ads.js" embeds the ads in the target website HTML code once it has been completely loaded in the browser.

oh no

OH NO! NOT... PHP FILES?!?!?! What will we do?!?!?! Gaah, php files.....

Re:oh no

[rudy_wayne]

Except the link that says "downloadable PHP files" takes you to a PDF.

Re:oh no

[Fnord666]

Except the link that says "downloadable PHP files" takes you to a PDF.

Here is a link to the source code mentioned.

Unbelievable

[JustAnotherOldGuy]

There are ways to defraud The Google? That's unpossible!

Re:Unbelievable

[Drakona4]

Sarcasm?

Re:Unbelievable

[JustAnotherOldGuy]

Sarcasm?

Heaven forbid, lol.

Security Through Obscurity

[Fnord666]

This is just another example of how security through obscurity will never work. At the end of the day the client browser ends up with a URL for the user to click on to view the ad. No amount of obfuscation or iframe shell games can change this fact. Game over.

Re:UBlock & Ghostery don't do as much

[thoromyr]

dang. its a shame I don't have mod points. My rule is always to find posts to mod up, never mod down. But this drivel should be modded down.

go apk! fight the power! you are not alone! (well, yes, you are very very alone in that basement)