Published 18 years 7 months ago • Last updated March 22, 2025 • ⏱️ 2 min read
Well I have some good news to report about a vendor for a change, Google have been fantastic when I disclosed a vulnerability in Adsense to them. They were always in communication with me and keeping me informed of the status. They have also released a fix for the vulnerability in super quick time and I've had a look and it seems to be a good solution. I really wasn't expecting this sort of response after dealing with companies like Apple.
The exploit was really simple and used my favorite weapon of choice the iframe! It automatically logged the user onto their Adsense account before simulating clicks using Javascript on the various pages, I did this to show the functionality of the iframe and how it can be used to perform actions one after another. Once the relevant page was found the iframe was then sent a form submission via the parent window using the target attribute to target the correct iframe window.
Proof of concept available here (now fixed of course)
Ronald has found a similar flaw in Adsense which can reset your password and it can be found here:- Ronald's Adsense POC