Google Adsense CSRF hole

Thursday, 27 September 2007

It doesn’t seem like you’re a web security researcher these days unless you find a security hole in Google. So I had 5 minutes spare whilst drinking my brew to find a hole in Google Adsense. I’ve reported the problem to Google and I won’t release the specific details but if you’re creative you might be able to find the poc.

Google Adsense has no CSRF protection in certain areas, it is possible for a remote attacker to do all sorts of nasty stuff like change the address details of your adsense account. I’ve tested it on my own account and I successfully appended “Test” on my address.

The poc will automatically log you onto your account and browse the Adsense site “as you” before finally posting an update to your address.

Prevention

In order to protect against this sort of stuff I have posted a couple of demos and articles to help with the process, check them out here:-

CSRF Protection part 1
CSRF Protection part 2

The entry 'Google Adsense CSRF hole' was posted on September 27th, 2007 at 9:55 am and last modified on September 27th, 2007 at 11:46 am, and is filed under Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

5 Responses to “Google Adsense CSRF hole”

  1. Ronald writes:
    No. 1 — September 27th, 2007 at 4:30 pm

    How is that one different from mine Gareth?
    I did exactly the same 6 months ago, only I used GET.

    I don’t think it has something to do with releasing Google holes to be a researcher.
    All of Google is vulnerable, unlike PDP I found more, but I don’t feel like spending a single second on their site anymore. Okay it gets a ton of media attention, but it isn’t hard to find one. For me, I don’t want all this media hyping around me anymore, cause first off it doesn’t do a thing for you only that you’ll become a sort of side-show, some kind of carnivale, you knwo like: see the bearded lady! IMHO thats how I look at it.

    lol 😀

  2. pdp writes:
    No. 2 — September 27th, 2007 at 4:42 pm

    rock on!

  3. Gareth Heyes writes:
    No. 3 — September 27th, 2007 at 4:59 pm

    Hi Ronald

    I’m sorry I didn’t realise you had released the same exploit, I just wanted to point out how easy it was to find a hole.

    My comment about a security researcher was in jest 🙂 of course I don’t think I need to find one in Google, I just thought it would be funny.

  4. 0kn0ck writes:
    No. 4 — September 28th, 2007 at 7:08 am

    Good Stroke Gareth

  5. s c tan writes:
    No. 5 — December 18th, 2007 at 12:12 pm

    great blog!

«
»