HOLY FISH !!!! this is what i got in return !!!

[blockquote]
Hello Rohan Pinto,

While going through our records recently, we found that your AdSense
account has posed a significant risk to our AdWords advertisers. Since
keeping your account in our publisher network may financially damage
our advertisers in the future, we've decided to disable your account.

Please understand that we consider this a necessary step to protect the
interests of both our advertisers and our other AdSense publishers. We
realize the inconvenience this may cause you, and we thank you in
advance for your understanding and cooperation.

If you have any questions about your account or the actions we've
taken, please do not reply to this email. You can find more information
by visiting
https://www.google.com/adsense/support/bin/answer.py?answer=57153&hl=en_US.

Sincerely,

The Google AdSense Team
-------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
[/blockquote]

and this was AFTER I informed them in ADVANCE that I would be trying to obtain a CTR in excess of 2000% !!!! and several email exchanges back and forth regarding the exploit !!!!

they have disabled my test ID as well as my personal adsense ID... isnt the google security team in conversation with the adsense team !!!!

all i can say now is WT-Fish !!! first nobody believes me.. and when i prove it... they kick me in my butt !!!

I'm sending them an email again demanding an explanation for the banning my personal ID for showing them how it workes.... if i was evil i cold have slipped this under the covers and made some serious moolah.

their slogan - "do no evil" - is just a freakin joke !!!

+ someone out here on this forum wanted evidence...is this evidence enough ?

PS: google has not fixed it.. they just banned me. WOW !!! I can still hit a 2000% ctr with any publisher id on the publishers own domain !! this is crazy !!!! remember when i can hit a 2000% CTR I can also hit any variable CTR... so.. a DB of proxies... variable headers, variable CTR's, variable referrers from varied sources would drive em nuts !!



Edited 2 time(s). Last edit at 04/23/2008 10:46AM by rohanpinto.

I have two comments to this. Firstly, it's not surprising that they consider you a risk, given that you are clicking on ads and those ads are paid for by others. Secondly, it doesn't surprise me at all that they would treat you like that. They are pretty terrible to security researchers in general. Welcome to the long list of security researchers who have been screwed by Google. You won't be the last.

Now the real question is will Google re-reimburse all those customers? Alas, I highly doubt it. And should that surprise anyone? I wish I could give you better news.

- RSnake
Gotta love it. http://ha.ckers.org

ok i'll extrapolate the backtalks for fun (but what's really horrible, my scenario is probably not so far from reality)

rohanpinto finds critical vuln in adsense (i always consider vulns that screw my clients like that critical. obviously google management does not), and like a good boy he is, PoC it, and report it to google, along with the fix.
a random analyst monkey receives the report, understand the problem, and pass it over to the operations security team, or whatever they have in house to (mis)manage the problems.
the opsec team acknoledges the report, translate it to management hot air, and go drink a beer.
management reads the third report, doesn't understand a word, and don't give a fuck. they see the (small) cost of the fix, and decide the risk/cost factor is too low. they send back orders to opsec team to ban rohanpinto, period, and go back to fucking whatever they can
opsec argues a little that it is *indeed* a bad vuln, management enters dummy mode, and yell things about techies not knowing a thing about risk management, and that banning rohanpinto is the adequate step. opsec bans rohanpinto, and go back drinking beer.

rohanpinto has ethically disclosed a vulnerability that could be leveraged to generate a steady income. kudos to him.
google has once more reacted like the lame bastards they are.

blackhats all over the world are now aware of this, and will start exploiting it for fun and profit (and if the RBN is involved, it would be much more profit than fun) screwing google and google's clients like a granny in the process

once more a lame ass will eruct something about full disclosure not being good.

full disclosure is not, and never been the problem. the problem is the vendor reaction (and yes, you little google management monkey over here, i *do* know about friggin' risk management. that's my fucking job) or what's more, lack of reaction.

rohanpinto 1 : google 0

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

@Maklav - no one ever said you needed to be smart to be in management.. and I think you've nailed it right in the head when you point out that management doesn't know sh!t from shinola when it comes to technical things.

Of course, from a management point of view (something I keep running into job after job), us techie types suck at management because management is not getting the job done, it's telling our superiors what great leaders they are. We're not paid to think, we're paid to do what our managers want us to do, even if it was something we were already doing, we need to do it in the order they want it done, or else we're incompetent stupid retard techies.

If I were rohanpinto, I would offer this story to CIO Magazine/Wired Magazine/The New York Times, etc., etc. along with some pretty graphics and charts showing how the customer is the one getting screwed because the Management Monkeys(tm) refuse to fix the problem which they do not even understand. After all, why not use advertising to reveal how advertisers are getting screwed?

I'm sure Management Monkey's bosses will care as soon as that stock price starts heading south...

But that's just my opinion..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

@malkav / thrill / rsnake - very very very well said. I get it now....

But I guess google forgot one thing. They did not completely understand the vulnerability. They thought that I could do it only with my id on my site. what they forgot was I could do it with any id on any site...

I'm gonna wait for a while.. and think this through. I "may" communicate with some folks here about what I should be doing... because the vulnerability still exists.. and I could get a lot of publishers into trouble by raising their own CTR to >= 2000% on their own domains.... (or be evil.. and sell an crypt verson of my bot to the blackhats out there...). or disclose this to the adwords advertisers....

I have sent several emails to google demanding an explanation for their actions.. and reminding them that all they did was ban me, and not fix the issue. I'm gonna wait for a while before doing or saying anything further.. I think no matter what their actions were.. they need time... to either.. unban me or fix it. whatever their choice is I am fine with it.. but they need to get back to me on this with some answer... (I will settle for beer too - just kidding...)

untill then my lips are sealed...

Quote

After all, why not use advertising to reveal how advertisers are getting screwed?

- I LOVE THAT LINE :-)



Edited 4 time(s). Last edit at 04/24/2008 03:08PM by rohanpinto.

thrill is utterly right. ensure media coverage with sidarckat. let's see if black PR is effective on google :)

oh yes, and buy adwords on "rented distributed services " (aka botnet) screwing adsense. just for fun.

you can't sell it to BH anymore. it's public boy :)

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

it's public as in.. it's possible..thats all... nothing more...

i don't get that rohanpinto performed any PoC, and maintain that he's a moron.. he ran a bot program to generate false clicks through proxies. whoop-de-fucking do. google won't pay it, it means nothing, and will get you instantly banned, as you experienced. turn your bots down to 2 CTR at unsteady intervals, and then you might generate more than $0. or get banned again. don't care.

@fragge - whatever.. :-)

I didn't want google to pay me for it.. I just wanted to show them that attaining a CTR >=2000% was possible...

the ban doesnt matter... the existence of the vulnerability still does.. :-)

http://www.news.com/Google-says-click-fraud-settlement-near/2100-1030_3-6047717.html

http://www.news.com/8301-10784_3-6047837-7.html

:-) - nice....

lets see what happens next.. I have posted a comment hyperlink to this post on a few adsenseblog posts... more folks would read this now....

lets just wait and see what happens next.. :-)



Edited 4 time(s). Last edit at 04/29/2008 11:08AM by rohanpinto.

mate I still don't understand how you consider this a vulnerability? what are google going to do to patch it? there is NO way to distinguish between different IPs sending different headers. The only thing they can do is check for an abundance of clicks in a short period, a repeating pattern, or an over-the-top CTR, which they *already do* - you're just performing click-fraud, which has been around for yeeaaars. it's not a vuln, and you shouldn't try and classify it as one - try and understand that.

@fragge - like I said before, I can keep the CTR as low as .001 or any variable, it's been around for years I agree, but has the ability to publish any ad on any site been around for that long ? and let someone show me how to attain a CTR ratio greater than 100% ... publishers have the ability to setup their adsense profile whereby their publisher id can be used on only their site.. well, i can give publishers a 2000% ctr with their own id on their own site... dont u see how it can be exploited ?

hit refresh as much as you want... it's 1 impression.. click on the ads as much as you want.. it's 1 click... so the max CTR you can attain is 100% right ;-)

it's been a week since this happened: so now uberBOT will get working : http://sla.ckers.org/forum/read.php?7,22089

when the premium publishers get a 2000% CTR, and catch googles attention, then they better do something about it....

bottom line: who looses... not google, it's the advertisers... so google does not really care... they will bill the advertisers for clicks and impressions... but will they payout ? nope.. what next.. the stock price soars...
Now, when the advertisers get robbed, they move to another platform altogether... google gets no money... revenue drops... stock price drops... will it ?i dont know.. i dont care...



Edited 2 time(s). Last edit at 04/29/2008 06:31PM by rohanpinto.

yes but the idea of DoSing a publishers ID via false clicks is an *old* idea, and has been employed for years. It's always been exploitable, and this isn't a bug. performing those false clicks on the publishers and creating a 2000% CTR will simply mean that the clicks will be disregarded if it is a big publisher - google treat bigger clients differently, and will protect their assets. Your clicks will most likely be filtered, the publisher won't be charged, the adsense ID won't get banned, and that's pretty much it.. but go for it, i'm all for experiments.. i just don't see this as new in any way. ;<

yep..lets see if it works.. would be an interesting experiment...

http://www.littlebigvoice.com/news1/click-fraud-at-16-3-per-cent-1234.html
The average click fraud of PPC networks such as Google Adsense and Yahoo Publisher Network was at 27.8% an increase from 21.9% from Q1 2007.

and they aint doing anything to stop it... nice... it would be interesting to see the 09 stats..



Edited 5 time(s). Last edit at 05/01/2008 10:17AM by rohanpinto.

Any updates on this?

If I were you I'd have used it for personal gains lol.

I'd like to see a PoC now it's been in the public domain for a while

I haven't heard anything about it, but from what I've seen, Google will still cancel accounts based on these metrics. Personal gains won't be applicable if they shut your account down prior to checks being placed in the mail. Other techniques regarding flying under the wire are preferable.

- RSnake
Gotta love it. http://ha.ckers.org

thanks for the helpful posts

i suck