we love apple – Stay N Alive

Adobe and Google Sitting in a Tree? Or Did Adobe Just Pwn Google?

There’s something really fishy going on with Adobe’s “I ♥ Apple” Ad campaign.  You might have noticed it yesterday as you were browsing websites such as TechCrunch and Google Reader.  Basically, somehow Adobe got around Google’s “no popups” ad policy for Adsense and for those on Macs and for some reason Opera web browsers.  For users visiting sites with a specific Adsense ad image installed, Adobe was displaying an ad that said “I ♥ Apple”, trying to convince users of Apple operating systems that Apple was in the wrong.  The ad was then causing a popup window on the page – I couldn’t open TechCrunch without a popup appearing, and I know TechCrunch didn’t put it there.

Aside from the existing issues of how effective such a campaign is already, what is really baffling is how Adobe was using their own Flash to get around Adsense’s security measures preventing popups.  Jimminy Fuller investigated this last night, and gave me this explanation:

Since the ad was being handled by Google Adsense, this shouldn’t have been happening.  It’s forbidden under the Adsense TOS, so I went to see if this pop-up was actually occurring.   I couldn’t recreate the issue though for one reason: the ads were selective.

Selective ads? First thing that popped into my head was that they were performing a User-Agent check, a hunch that proved fruitful, later on. I ended up rooting around and finally was able to find some rendered code for the ad, at which point I went digging into the source to see if I could find the User-Agent check.  I found that pretty quickly and noticed a little quirk where they were also messing with Opera users, I
assume because Opera also recently turned a cold shoulder to Adobe’s Flash platform.

So I spent a little time analyzing what was going on in the ad besides just the selective pop up, but couldn’t come up with anything determinate as to how they were getting the set of scripts embedded into their ad. What I did find out while analyzing their ad, was that they were using primarily javascript (ironically), lots of it, which did all the preemptive work in analyzing what your browser and OS, were, as well as if you had Flash 8, or higher, installed.  If they were able to match the User-Agent, to either a Mac or Opera, and you had Flash installed, they would force a window open that held a Flash element, otherwise the ad was only activated if you clicked upon it.

That’s the very basic analysis of what this ad was doing, but it means that either Google allowed them to do this, or that Adobe basically ignored Google’s rules, and managed to manipulate the ad System to relay this message, I assume the latter. This is quite disturbing, however, because if Adobe, without Google’s consent, can manipulate the ad code, in such a way, it means that there is a possibility for it to be used as an exploit vector. Google has since pulled the ad, it had about a 10 hour stint, but I wonder if we’ll hear anything from any of the parties involved, particularly Google or Adobe.

You can read more details of Jimminy’s evaluation here on his blog.

adobe popup

Adobe brought up this popup when you visited certain websites like Google Reader

What Jimminy found is quite disturbing.  As he said, the fact that Adobe was able to get around the popups rule either means Google had a specific relationship for this partner, in which they were willing to make an exception to the popup rule, or Adobe Pwn’d perhaps the only viable potential partner they have in the battle to come, revealing even a greater hole in Google’s code allowing other parties to potentially exploit any website with Adsense installed.

Adobe certainly has its own issues, and rightly so, but exposing flaws in Google’s ad code and taking advantage of perhaps your greatest partner isn’t the best way to fix those issues.  I really hope we hear from Adobe or Google on why these Popups were allowed.  We talk about Facebook and privacy, but if Adobe can get around Google’s safeguards, and deploy specific Javascript commands on any website that deploys Adsense, I think Google may be the one with issues here and I hope this gets fixed.