A vulnerability in Google AdSense: Automatic extraction of links to ads
This work exposes a vulnerability in Google AdSense that could be exploited for ad fraud, impacting advertisers and publishers.
The researchers tackled the problem of bypassing Google AdSense security by developing a method to automatically extract validated ad links using XSS and web crawler techniques, enabling fraudulent ad clicks from different IP addresses via hidden iframes.
Using XSS (Cross-Site Scripting) and web crawler techniques, it is possible to get past the barriers of the Google AdSense advertising system by obtaining the validated links of the ads published on a website. The method involves obtaining the source code built for the Google Java applet for publishing and handling ads and for the final link retrieval. Once the ad links have been obtained, the sessions of users visiting other websites can be used to load those links in the background, by a simple redirection through a hidden iframe, so that the IP address behind each click is different in each case.