Google Adsense flaw revealed

Google fix vulnerability

Well I have some good news to report about a vendor for a change, Google have been fantastic when I disclosed a vulnerability in Adsense to them. They were always in communication with me and keeping me informed of the status. They have also released a fix for the vulnerability in super quick time and I’ve had a look and it seems to be a good solution. I really wasn’t expecting this sort of response after dealing with companies like Apple.

Exploit details

The exploit was really simple and used my favorite weapon of choice the iframe! It automatically logged the user onto their Adsense account before simulating clicks using Javascript on the various pages, I did this to show the functionality of the iframe and how it can be used to perform actions one after another. Once the relevant page was found the iframe was then sent a form submission via the parent window using the target attribute to target the correct iframe window.

Proof of concept available here (now fixed of course)

Similar flaws found

Ronald has found a similar flaw in Adsense which can reset your password and it can be found here:-
Ronald’s Adsense POC

One Response to “Google Adsense flaw revealed”

  1. Tim Hawkins writes:

    Apple – hated! Everything cool in the gadget / cpu market has an apple logo.

    Recently I had a spidering issue with a site I was working on, I sent a question to Yahoo and had a prompt response.