According to new research, source-code manipulation can be used to defeat the protections of Google’s AdSense system by automatically extracting the advertiser links that the AdSense JavaScript is designed to conceal, links that advertisers rely on to be protected from click fraud.

The paper A vulnerability in Google AdSense: Automatic extraction of links to ads [PDF] by Prof. Manuel Blázquez of the Complutense University of Madrid outlines a procedure by which an attacker can automatically de-obfuscate the ‘cloaked’ advertiser target links and perform automated clicks on the ads, either to the benefit of the site hosting the ads (if the intention is to generate simulated commercial traffic) or to the detriment of competitor sites (if the intention is to damage their standing with Google’s AdSense system by creating a blizzard of patently bogus ad-clicks).

The attack vector lies in the space between the two iFrames* that Google AdSense generates from the JavaScript file ‘show_ads.js’ embedded in the HTML of the page hosting the ads. Once generated, the first iFrame executes Google’s integrity verification and code-checking procedures, designed to guard against cross-site scripting attacks and to protect the second iFrame, into which it delivers the final AdSense ads.

The two iFrames which Google AdSense generates on load

The generated form ‘technical1’ carries the communication between the two iFrames, and it is here that there is scope to insert oneself into the process, by rewriting the page so that the form is injected directly after the AdSense container:

// $form_technical1 holds the markup of the 'technical1' form shown below;
// it is appended immediately after the opening AdSense container div.
$html1 = preg_replace("/<div id=\"GoogleAdSense\">/", "<div id=\"GoogleAdSense\">" . $form_technical1, $html1);

The rewritten form injects itself back into the process:

<div id="GoogleAdSense">
<div>
<form name='technical1' action='$_SERVER[PHP_SELF]' method='post'>
<textarea id='code1' name='code1'></textarea>
</form>
</div>
</div>

JavaScript is then used to read the URL of the second iFrame, copy it into the ‘technical1’ form and submit that form, which feeds the value forward into the next stage of processing:

<script>
window.onload = init;
function init() {
  // copy the src URL of the AdSense ad iFrame into the hidden textarea and submit
  document.getElementById('code1').value = document.getElementById('google_ads_frame1').src;
  document.technical1.submit();
}
</script>

At this stage the URLs are still ‘cloaked’, tied to the domain on which the JavaScript is being executed, but a regular-expression routine can strip that protection away:

$code = $_POST['code1'];

// rewrite the 'url' and 'p' (page) parameters so the frame URL no longer refers to the hosting domain
$code = preg_replace("/\&url=.*\&adsafe/", "&url=http://www.anuncios.com/&adsafe", $code);
$code = preg_replace("/\&p=http.*/", "&p=http://www.anuncios.com", $code);

The source code of iFrame 2 can then be retrieved and its Document Object Model (DOM) analysed, with XPath used to harvest only those advertiser links that are actually available:

The ad-defrauder’s lodestar – raw site links and the means to manipulate clicks on them via Google AdSense

The revealed advertiser information can be used to manipulate ad-clicks either to the benefit of the host or to the detriment of competitors. The paper’s author has provided a video presentation of the technique in Spanish, as well as practical code samples that can be used to test the paper’s assertions in the wild. The video shows the author apparently influencing ad clicks on sites of his choosing, including the BBC, which runs as a commercial website outside of the United Kingdom.


According to the author, Google was informed of the possibility of this kind of attack in October 2013: ‘In January 2014 Google had neither admitted nor denied the existence of such a problem, thus to this day it has not been solved. In the present paper we want to draw attention to this kind of vulnerability, which may be resolved and ought to be taken into account because of the danger it entails.’

* According to a post at Stack Overflow, Google has for some years been using HTML5’s postMessage facility to communicate between its twin AdSense iFrames, though its early implementation seemed to throw minor or major errors (depending on the debugging settings in use) until Google later released an asynchronous version of the script.