Google Adsense CSRF hole

Back to articles

hackvertor

Author:

Gareth Heyes

@hackvertor

Published: Thu, 27 Sep 2007 08:55:40 GMT

Updated: Sat, 22 Mar 2025 15:38:05 GMT

It doesn't seem like you're a web security researcher these days unless you find a security hole in Google. So I had 5 minutes spare whilst drinking my brew to find a hole in Google Adsense. I've reported the problem to Google and I won't release the specific details but if you're creative you might be able to find the poc.

Google Adsense has no CSRF protection in certain areas, it is possible for a remote attacker to do all sorts of nasty stuff like change the address details of your adsense account. I've tested it on my own account and I successfully appended "Test" on my address.

The poc will automatically log you onto your account and browse the Adsense site "as you" before finally posting an update to your address.

Prevention

In order to protect against this sort of stuff I have posted a couple of demos and articles to help with the process, check them out here:-

CSRF Protection part 1 CSRF Protection part 2

Back to articles