Ads By Google Susceptible To XSS Attacks

Perhaps my mind is a bit scarred from all that I know and have experience, but the other day a friend of mine informed me how he had installed Ads by Google to start generating new revenue for his website, and the first thought that popped into my mind was how wide open to attack Google ads made his security headers and website in general. I know, totally normal thought process – right?

I say this because in order to display an ads content, Google Ads uses a mixture of JavaScript embedded within HTML, inserted into either into the body of a blog post or website security header itself. For example, the code looks something like this:

Image may contain: text

Installing Ads by Google Is A Built In Security Flaw

As Google Ad Automation‘s own web page even states, “Google Ads scripts provide a way to programmatically control your Google Ads data using simple JavaScript in a browser-based IDE.” Adding that “Only entry-level familiarity with JavaScript is needed.” What Google doesn’t explain though, is that these JavaScript requests are sent through http transports and rely on http headers to properly display the ads content. Moreover, these scripts come from 3rd parties completely un-affiliated with your site or site’s security structure/rules, essentially creating a giant backdoor/window into your website completely outside of your control. Moreover, considering that Google utilizes the simplest and most basic structure of JavaScript to form their ads, for the same reason, this also makes the code incredibly easy to compromise – if you are into that sort of string 😉

Granted I go a little overboard with my own security measures, but I’ve made it a point to block bad query strings, specifically to block Cross-Site Scripting (XSS) attacks from effecting my site. I have also taken the additional steps of installing https exclusive security headers through HSTS, while editing my website on Mozilla with the NoScript browser add-on enabled – just in case my firewall doesn’t detect or block every XSS attack. For reasons I have already explained, adding Ads by Google would essentially throw both of these measures right out the window.

Quite simply, the way Google structures their codes in order to enable ads on your website is a built in Cross-Site Scripting (XSS) attack just waiting to happen. Not only do these ads allow hackers to bypass a secured connection through your pages security headers, but the embedded JavaScript within the body of an article post might as well just create a giant hole/window right in the middle of your website – allowing for the direct injection of malicious code/script. Consequently enough, this is also why you will never see Google ads ever featured on this site.

If you are a little less paranoid, not running a security based web business and believe the added revenue may be worth the added security risk, then by all means go make your money – afterall, millions of other people already have. Hell, even I know I’m going to have to suck it up one day and start subscribing to their ads, just not here for this site.

Published by

Brian Dunn

Writer, Researcher Owner: Rogue Media Labs | Rogue Security Labs (929)-319-2570 BrianDunn@RogueSecurityLabs.Ltd

Leave a Reply

Your email address will not be published.