A digital media outlet has just reported on a study published in arXiv.org, Cornell University's institutional repository. Researchers from the NEC European Laboratory, Universidad Carlos III, Politecnico di Torino, and the IMDEA Telecommunications Institute detected a flaw in how Google's ad system counts visits, found by comparing its figures with the visit metrics recorded by YouTube's internal system for its videos. The comparison reveals a discrepancy, or possibly manipulation: the system fails to distinguish genuine clicks from fictitious clicks generated by automated machines, which could be profitable for Google under its "Pay-per-Click" model, since Google earns more revenue the more visits it counts on ads displayed within YouTube videos.
These facts are of importance to the research I have been conducting since 2013, with the legal and juridical support of Professor Manuel Sánchez de Diego from UCM. In November 2013, during the development of the WauSearch search engine, I made a simple discovery affecting Google's JavaScript (.js) code, which is embedded on websites. This code employs a series of security barriers based on frame windows, also known as «iframe», that open during the execution of the aforementioned .js code in order to run within them a third piece of code (a program or script) designed to test the user's session and verify its authenticity before performing any type of operation. Once these programs execute, they automatically erase the iframe window(s) from the website's source code, leaving no trace and, in principle, preventing any bot from accessing reserved, private, and sensitive information. However, this protection is inadequate. Therefore, aware of this vulnerability, I developed a bot program to experiment with this flaw in Google AdSense's advertising system.
The result was positive, and immediately afterward various automated click tests on advertisements were conducted using a program that mimics the reading behavior of a normal user. This confirmed that it was possible not only to obtain the links of ads protected by Google AdSense but also to click on them automatically, with all the associated economic implications. Given the significance of this finding, we considered it necessary to inform Google of this vulnerability in its system for counting visits. Our objective was for them to acknowledge the vulnerability and, if possible, collaborate in resolving the issue.
After several interviews and the submission of evidence and additional tests, Google avoided acknowledging the existence of a vulnerability in Google AdSense. Efforts to publish the research in American peer-reviewed journals with JCR impact factors have been unsuccessful. It appears nearly impossible for the study of this vulnerability to become public, partly because of the consequences that can be inferred from the experiment. A year later, it was confirmed that the issue had been detected by another research team, and we decided to publish the full research paper definitively, also on the arXiv.org repository, under the title «A vulnerability in Google AdSense: Automatic extraction of links to ads». The study is also available for download at the following addresses:
- A vulnerability in Google AdSense: Automatic extraction of links to ads (Spanish version). paper_vulnerabilidad-google-adsense_es.pdf
- A vulnerability in Google AdSense: Automatic extraction of links to ads (English version). paper_vulnerabilidad-google-adsense_en.pdf
It should also be noted that the study provides access to the source code of the ad link extractor program, together with a simple page-loading and redirection routine that was used to simulate user behavior and perform clicks on the retrieved ads. Proof of automatic ad link extraction: [software_google-ads-extractor.zip]
Media Impact
- Anderson, Martin. 2015. Google AdSense click fraud made possible by uncloaking advertisers’ sites. The Stack. https://thestack.com/security/2015/09/28/google-adsense-click-fraud-iframe-blazquez/
- Chirgwin, Richard. 2015. AdSense fraud still too easy, says Spanish boffin. The Register. http://www.theregister.co.uk/2015/09/29/adsense_fraud_still_too_easy_says_spanish_boffin/
- SecurityLab. 2015. A researcher was able to bypass Google AdSense security mechanisms (in Russian). http://www.securitylab.ru/news/474852.php
- Mikhail, Diakov. 2015. Cheating in AdSense is still very easy (in Russian). ThreatPost. https://threatpost.ru/moshennichat-v-adsense-vse-eshhe-ochen-legko/12281/
- Blog elhacker.net. 2015. Vulnerability in the computation of clicks in Google AdSense (in Spanish). http://blog.elhacker.net/2015/09/vulnerabilidad-en-el-computo-de-los-clicks-google-adsense-robots.html
- Baker, H. 2015. Google AdSense vuln de-obfuscates ad links for click fraud. Cryptography@metzdowd.com. http://permalink.gmane.org/gmane.comp.encryption.general/24598