A digital media outlet has just reported on a study published in the institutional repository arXiv.org of Cornell University. Researchers from the NEC European Laboratory, Carlos III University, Politecnico di Torino, and the IMDEA Telecommunications Institute detected a flaw in Google’s ad system’s counting of visits, when comparing them with the visit metrics recorded by YouTube’s own system for its videos. This reveals a discrepancy or manipulation: the system fails to distinguish between genuine clicks and fictitious clicks generated by automated machines, potentially benefiting Google under its “Pay per Click” model. This occurs because Google derives greater profits by inflating the number of visits attributed to ads displayed within YouTube videos.
These facts are of importance to the research I have been conducting since 2013, with legal and juridical support from Professor Manuel Sánchez de Diego of the UCM. In November 2013, during the development of the WauSearch search engine, I made a simple discovery affecting Google's JavaScript (.js) code snippets, which are embedded in websites. These snippets employ a series of security barriers based on frame windows, also known as "iframes," that open during the execution of the .js code to run within them a third program or script designed to test the user's session and verify its authenticity before performing any operation. Once these programs execute, they automatically delete the iframe window(s) from the website's source code to leave no trace and prevent any bot from accessing reserved, private, and sensitive information. However, this protection is inadequate. Aware of this issue, I developed a bot program to experiment with this vulnerability in Google AdSense's advertising system.
The results were positive, and immediately afterward, various automated click tests on advertisements were conducted using a program that mimics the reading behavior of an ordinary user. This confirmed de facto that it was possible not only to obtain the links of advertisements protected by Google AdSense but also to click on them automatically—all with the associated economic implications. Given the significance of this flaw, we considered it essential to bring this vulnerability in the system for counting visits to Google’s attention. Our objective was for them to acknowledge the vulnerability and, if possible, collaborate in resolving the issue.
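The counting flaw described above is that the ad system cannot tell a scripted click from a human one. The following is an added example, not code from the original study or from Google, of the kind of server-side sanity check a publisher or ad network can run over its own click logs to surface sessions whose behaviour looks automated: clicks on every ad shown, clicks at machine-regular intervals, and clicks with no accompanying pointer movement. The log format, field names and thresholds are assumptions constructed for illustration, not AdSense's real reporting schema.

```python
"""Added example: flag click sessions that look automated rather than human.
The log lines and field layout are constructed for illustration (assumption),
not a real ad-network schema."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed sample log. Fields: timestamp (s), session id, event type,
# ad id, count of pointer-move events seen before the event.
# s1 behaves like a reader who clicks one ad; s2 loads every ad and clicks
# each one five seconds apart without ever moving the pointer.
SAMPLE_LOG = """\
1000 s1 impression ad1 0
1001 s1 impression ad2 0
1008 s1 click ad1 37
1100 s1 impression ad3 0
1130 s1 impression ad4 0
2000 s2 impression ad1 0
2000 s2 impression ad2 0
2000 s2 impression ad3 0
2000 s2 impression ad4 0
2005 s2 click ad1 0
2010 s2 click ad2 0
2015 s2 click ad3 0
2020 s2 click ad4 0
"""


@dataclass
class Session:
    impressions: set = field(default_factory=set)   # distinct ad ids shown
    clicks: list = field(default_factory=list)      # (timestamp, ad_id, moves)


def parse_log(text):
    """Group impression and click events by session id."""
    sessions = defaultdict(Session)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, event, ad, moves = line.split()
        s = sessions[sid]
        if event == "impression":
            s.impressions.add(ad)
        elif event == "click":
            s.clicks.append((int(ts), ad, int(moves)))
    return sessions


def score_session(s, cv_threshold=0.2, ctr_threshold=0.5):
    """Return the list of automation indicators present in one session."""
    reasons = []
    # 1. Click-through rate: humans click a small fraction of ads shown.
    if s.impressions:
        ctr = len({ad for _, ad, _ in s.clicks}) / len(s.impressions)
        if ctr >= ctr_threshold:
            reasons.append(f"ctr={ctr:.2f}")
    # 2. Timing regularity: a low coefficient of variation between
    #    successive clicks is typical of a scripted loop, not a reader.
    if len(s.clicks) >= 3:
        ts = sorted(t for t, _, _ in s.clicks)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else 0.0
        if cv < cv_threshold:
            reasons.append(f"regular_interval_cv={cv:.2f}")
    # 3. Interaction signal: every click arrived with zero pointer movement.
    if s.clicks and all(moves == 0 for _, _, moves in s.clicks):
        reasons.append("no_mouse_movement")
    return reasons


def flag_sessions(text, min_reasons=2):
    """Sessions showing at least `min_reasons` indicators, with the reasons."""
    flagged = {}
    for sid, s in parse_log(text).items():
        reasons = score_session(s)
        if len(reasons) >= min_reasons:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    for sid, reasons in flag_sessions(SAMPLE_LOG).items():
        print(sid, "->", ", ".join(reasons))
```

Requiring two independent indicators before flagging keeps a single enthusiastic reader from being treated as a bot; on the constructed sample only `s2` is reported, with all three reasons. In a real deployment the clicks of flagged sessions would be excluded from billing pending review rather than counted, which is exactly the distinction the counting system described above fails to make.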
After several interviews and the submission of evidence and additional tests, Google evasively failed to acknowledge the existence of a vulnerability in Google AdSense. Efforts to publish the research in American peer-reviewed journals with JCR impact factors have been unsuccessful. We have observed that it appears nearly impossible for the study on this vulnerability to become public, partly due to the consequences that can be inferred from the conducted experiment. One year later, it was confirmed that the issue had been detected by another research team, and it was ultimately decided to publish the complete research paper, also on the arXiv.org repository, under the title A vulnerability in Google AdSense: Automatic extraction of links to ads. The study is also available for download at the following addresses:
- A vulnerability in Google AdSense. Automatic extraction of links to ads. Available at: vulnerabilidad-google-adsense_es
- A vulnerability in Google AdSense. Automatic extraction of links to ads. Available at: vulnerabilidad-google-adsense_en
It should also be noted that the study provides access to the source code of the Google ad link extractor and a simple page loading and redirection routine used to simulate user behavior and click on the retrieved ads.
Media coverage
- Anderson, Martin. 2015. Google AdSense click fraud made possible by uncloaking advertisers’ sites. The Stack. Available at: https://thestack.com/security/2015/09/28/google-adsense-click-fraud-iframe-blazquez/
- Chirgwin, Richard. 2015. AdSense fraud still too easy, says Spanish boffin. The Register. Available at: http://www.theregister.co.uk/2015/09/29/adsense_fraud_still_too_easy_says_spanish_boffin/
- SecurityLab. 2015. A researcher was able to bypass Google AdSense security mechanisms = Исследователь смог обойти механизмы защиты в Google AdSense. Available at: http://www.securitylab.ru/news/474852.php
- Mikhail, Diakov. 2015. The tricks for AdSense are still very easy = Мошенничать в AdSense все еще очень легко. ThreatPost. Available at: https://threatpost.ru/moshennichat-v-adsense-vse-eshhe-ochen-legko/12281/
- Pingback: Blog elhacker.net. 2015. Vulnerability in the computation of clicks in Google AdSense. Available at: http://blog.elhacker.net/2015/09/vulnerabilidad-en-el-computo-de-los-clicks-google-adsense-robots.html
- Baker, H. 2015. Google AdSense vuln de-obfuscates ad links for click fraud. Cryptography@metzdowd.com. Available at: http://permalink.gmane.org/gmane.comp.encryption.general/24598