Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Wow it seems trivial to trick Google's bots with these links. Have the page redirect until ad is approved, profit?

I'm sure it's easy to find their bot IP's too. Just make a bunch of terrible ads that nobody will click and see who visits the url.

Google needs to abolish this link policy, I don't see how it's enforceable



This is called "cloaking", and it's a cat and mouse game between ad networks and bad actors. You're describing the simplest thing that can be done to cloak a website from an automated checker, but there's far more advanced techniques as well.


> Have the page redirect until ad is approved, profit?

Wouldn't work - they do periodic checks after approval. Something more sophisticated appears to be going on here.

>Google needs to abolish this link policy, I don't see how it's enforceable

Link analytics and link trackers are perfectly legitimate. There are many situations in which it is necessary or desirable to go via intermediate urls before the final destination. Throwing out the baby with the bathwater definitely isn't the answer here.


> Wouldn't work - they do periodic checks after approval. Something more sophisticated appears to be going on here.

What if you randomly redirect, say, 95% of clicks to eBay and take the remaining 5% to your phishing site? Each of Google's periodic checks would only have a 5% chance of catching you, but if you can get enough impressions over eBay's legitimate ads (which is an entirely separate facet to all of this), you'd still get a ton of bites, because so many people get to eBay the way Aunt Sue does.

Better yet, your redirect service could look at the client IP address and only redirect to the phishing site if it matches a known range for, say, Comcast or Charter. Or use it to drill down even farther and set up multiple spear phishing campaigns.

It seems like there's no shortage of ways to abuse this, and for Google to allow redirects without some sort of robust verification that the advertiser owns the destination domain (such as @gnud's certificate-based suggestion in a sibling comment) seems downright negligent, if that is indeed how they operate.


Perhaps letting the ad people have a free-for-all with tech is a bad idea. I feel like intermediate URLs should never be OK


There's other ways to signal ad impressions that aren't a huge security risk. Maybe not quite as convenient, but I doubt banning redirects would have a measurable effect as long as Google gave a deprecation warning.

You can achieve the same thing without redirects using URL parameters or the referer field. Google should ban any destination that doesn't match the sites domain. It's an unfixable security risk that's being actively exploited




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: