Google Security

Google AdSense Click Fraud Made Possible By Uncloaking Advertisers' Sites

An anonymous reader writes: A Spanish researcher claims to have uncovered a vulnerability in the security procedures of Google's AdSense program which would allow a third party to manipulate clicks on Google's syndicated ad service by 'de-cloaking' the obfuscated advertiser URLs that Google AdSense placements provide as links. He has also provided downloadable PHP files to show the exploit in action.
This discussion has been archived. No new comments can be posted.

  • Java != javascript (Score:5, Interesting)

    by agm ( 467017 ) on Monday September 28, 2015 @04:27PM (#50615937)

    The document mentioned in the summary repeatedly uses the term "Java" when they mean "javascript". That's such a rookie mistake that it's difficult to take anything else they say seriously.

    • The document mentioned in the summary repeatedly uses the term "Java" when they mean "javascript". That's such a rookie mistake that it's difficult to take anything else they say seriously.

      Yeah, mixing up "java" and "javascript" is kind of a conversation-stopper as far as I'm concerned. It makes my Credibility-O-Meter drop into the negative numbers.

      What he's outlined may well be true, but damn, that's is the kind of mistake that makes you wince.

      • by Xenx ( 2211586 )

        that's is the kind of mistake that makes you wince.

        I don't know if I should laugh or wince at that mistake.

    • by Jack9 ( 11421 )

      I think Java is being used correctly (in the PDF/paper http://arxiv.org/pdf/1509.0774... [arxiv.org] ) and the article linked, does not confuse the terms.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        It's absolutely not. Look at Figure 1 of the PDF you linked. They show JavaScript code (that is clearly identified as such for someone who doesn't even know what it is), but call it Java code. They even go on to call JavaScript files Java files. These are two totally different things. I didn't bother reading any more, but I am sure this is consistently wrong throughout the paper.

      • I think Java is being used correctly (in the PDF/paper http://arxiv.org/pdf/1509.0774... [arxiv.org] ) and the article linked, does not confuse the terms.

        You're mistaken. They include the source. It's definitely javascript despite the article referencing it as a "Google Java Applet". Maybe he wrote the article in Yahoo Go on his Microsoft iPad.

      • I think Java is being used correctly (in the PDF/paper

        Maybe this brief quote will clear things up:

        The java file "show_ads.js" embeds the ads in the target website HTML code once it has been completely loaded in the browser.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Meh... half the people on this site still use the term "hacker" over "cracker."

    • Comment removed based on user account deletion
  • by Anonymous Coward

    OH NO! NOT... PHP FILES?!?!?! What will we do?!?!?! Gaah, php files.....

  • There are ways to defraud The Google? That's unpossible!

  • This is just another example of how security through obscurity will never work. At the end of the day the client browser ends up with a URL for the user to click on to view the ad. No amount of obfuscation or iframe shell games can change this fact. Game over.
