Google Adsense flaw revealed
Thursday, 11 October 2007
Google fix vulnerability
Well I have some good news to report about a vendor for a change, Google have been fantastic when I disclosed a vulnerability in Adsense to them. They were always in communication with me and keeping me informed of the status. They have also released a fix for the vulnerability in super quick time and I’ve had a look and it seems to be a good solution. I really wasn’t expecting this sort of response after dealing with companies like Apple.
Exploit details
The exploit was really simple and used my favorite weapon of choice the iframe! It automatically logged the user onto their Adsense account before simulating clicks using Javascript on the various pages, I did this to show the functionality of the iframe and how it can be used to perform actions one after another. Once the relevant page was found the iframe was then sent a form submission via the parent window using the target attribute to target the correct iframe window.
Proof of concept available here (now fixed of course)
Similar flaws found
Ronald has found a similar flaw in Adsense which can reset your password and it can be found here:-
Ronald’s Adsense POC
No. 1 — October 11th, 2007 at 10:02 am
Apple – hated! Everything cool in the gadget / cpu market has an apple logo.
Recently I had a spidering issue with a site I was working on, I sent a question to Yahoo and had a prompt response.