adsense – Stay N Alive

Adobe and Google Sitting in a Tree? Or Did Adobe Just Pwn Google?

There’s something really fishy going on with Adobe’s “I ♥ Apple” Ad campaign.  You might have noticed it yesterday as you were browsing websites such as TechCrunch and Google Reader.  Basically, somehow Adobe got around Google’s “no popups” ad policy for Adsense and for those on Macs and for some reason Opera web browsers.  For users visiting sites with a specific Adsense ad image installed, Adobe was displaying an ad that said “I ♥ Apple”, trying to convince users of Apple operating systems that Apple was in the wrong.  The ad was then causing a popup window on the page – I couldn’t open TechCrunch without a popup appearing, and I know TechCrunch didn’t put it there.

Aside from the existing issues of how effective such a campaign is already, what is really baffling is how Adobe was using their own Flash to get around Adsense’s security measures preventing popups.  Jimminy Fuller investigated this last night, and gave me this explanation:

Since the ad was being handled by Google Adsense, this shouldn’t have been happening.  It’s forbidden under the Adsense TOS, so I went to see if this pop-up was actually occurring.   I couldn’t recreate the issue though for one reason: the ads were selective.

Selective ads? First thing that popped into my head was that they were performing a User-Agent check, a hunch that proved fruitful, later on. I ended up rooting around and finally was able to find some rendered code for the ad, at which point I went digging into the source to see if I could find the User-Agent check.  I found that pretty quickly and noticed a little quirk where they were also messing with Opera users, I
assume because Opera also recently turned a cold shoulder to Adobe’s Flash platform.

So I spent a little time analyzing what was going on in the ad besides just the selective pop up, but couldn’t come up with anything determinate as to how they were getting the set of scripts embedded into their ad. What I did find out while analyzing their ad, was that they were using primarily javascript (ironically), lots of it, which did all the preemptive work in analyzing what your browser and OS, were, as well as if you had Flash 8, or higher, installed.  If they were able to match the User-Agent, to either a Mac or Opera, and you had Flash installed, they would force a window open that held a Flash element, otherwise the ad was only activated if you clicked upon it.

That’s the very basic analysis of what this ad was doing, but it means that either Google allowed them to do this, or that Adobe basically ignored Google’s rules, and managed to manipulate the ad System to relay this message, I assume the latter. This is quite disturbing, however, because if Adobe, without Google’s consent, can manipulate the ad code, in such a way, it means that there is a possibility for it to be used as an exploit vector. Google has since pulled the ad, it had about a 10 hour stint, but I wonder if we’ll hear anything from any of the parties involved, particularly Google or Adobe.

You can read more details of Jimminy’s evaluation here on his blog.

adobe popup

Adobe brought up this popup when you visited certain websites like Google Reader

What Jimminy found is quite disturbing.  As he said, the fact that Adobe was able to get around the popups rule either means Google had a specific relationship for this partner, in which they were willing to make an exception to the popup rule, or Adobe Pwn’d perhaps the only viable potential partner they have in the battle to come, revealing even a greater hole in Google’s code allowing other parties to potentially exploit any website with Adsense installed.

Adobe certainly has its own issues, and rightly so, but exposing flaws in Google’s ad code and taking advantage of perhaps your greatest partner isn’t the best way to fix those issues.  I really hope we hear from Adobe or Google on why these Popups were allowed.  We talk about Facebook and privacy, but if Adobe can get around Google’s safeguards, and deploy specific Javascript commands on any website that deploys Adsense, I think Google may be the one with issues here and I hope this gets fixed.

Google Re-Enables Adsense on RSS Feeds in Buzz

Some time in the last hour or two it appears that the Google Buzz team has re-enabled AdSense ads in RSS Feeds in Google Buzz.  Recently I wrote about this, criticizing the service for stripping out ads a blog author was including and importing into Google Buzz.  This included both RSS feeds directly imported into Google Buzz and those shared via Google Reader.  I argued this was a violation of the authors’ copyrights and their intended method of content distribution.

Google responded quickly, saying they had confirmed the problem, and expected to have it resolved “within the week”.  Apparently they meant a month, but I’m glad it’s fixed.  As both a book author and blogger, I always hate to see my content being modified in ways I had not agreed to.  It is a strict violation of authors’ copyright, and not to mention “evil” in a way.  It’s nice to see Google recognizes that and has fixed the problem.

If all goes well, if you visit my Google Buzz profile, you should see an ad now, right below this text.  Are you seeing the same?