Google AdSense Code Vulnerability

Written by: Peter Jalbert on Sunday, October 22nd, 2006
Posted to: Adsense, Google

If you’re a publisher who uses Google AdSense to monetize your site, you may have noticed how easy it is to paste your AdSense code into your webpage’s code. These few lines of JavaScript then let Google “sense” the content of the page the code is on and publish relevant ads according to context.

However, what you won’t notice at first is how insecure this is. Your AdSense code is up there for anyone to see as soon as a reader uses his browser’s View Source functionality. And the most important part of this code is your publisher ID.


In theory, anyone who can see this code can paste your AdSense code into their own sites and do all sorts of malicious things with your account. For one, they can simulate click fraud by loading up their page with your ads on it and clicking the ads over and over. You might end up being suspended or banned from AdSense because of this. Even if you can contest the suspension, the few days or weeks without AdSense might hit you hard in terms of lost revenue.

A malicious user can also paste your ad code on a website in violation of the AdSense terms of service, such as on an adult site or a site that distributes pirated content.

Google has not yet enforced measures to protect legitimate publishers against being defrauded in these ways. Some methods we think are worth considering are banning based on URLs rather than on the AdSense publisher ID, and even hiding the publisher ID itself so that it is not publicly viewable.

For now, it pays to be vigilant in monitoring your ad performance and behavior. If you think you’re getting too much, or if you find other sites using your publisher ID (you can do a Google search for that line of text), then it’s time to get in touch with the Google AdSense team for help.


8 Responses to “Google AdSense Code Vulnerability”

  1. […] Over at Google Tutor there’s a great column about why you should watch out for your Google Adsense ID, which might be being used for evil. […]

  2. Influence on 19 Mar 2007 at 1:31 am

    I think it is best to just hide the publisher ID from the public….

  3. The Tutor on 19 Mar 2007 at 9:17 am

    Influence,

    You are not allowed to change the code at all; it has to be there.

  4. Srinivasa K. Ramanujam on 01 Nov 2007 at 9:41 am

    After reading your article, I’ve started to worry now. Has Google come up with an innovative way to identify publisher id theft?

  5. b sealey on 23 Apr 2008 at 7:19 am

    I am new to the website business, but I bought a site recently and the seller has asked me to get adsense ID, click bank ID, ebay custom ID and Amazon ID and send it for him to add on the site. Is this safe?

  6. The Tutor on 23 Apr 2008 at 11:24 am

    b sealey,

    Should be, if that’s all you provide. Those IDs are easily found in the code for those ads on each site that runs them; they are not private.

  7. Alfred on 23 Apr 2008 at 11:34 pm

    I’ve just paid for hosting for a web site, and the site itself is currently being built. But at some point, when the site is finished, I am required to send my AdSense PID to them. Supposedly I am to be handed my site completely finished, including AdSense ads on it.

    I am just so afraid that my PID may be used wrongfully. Is it possible for someone to alter your PID code and use it to benefit themselves?

    For example, I have 3 small blogs currently running AdSense ads. This time I actually paid supposed experts for hosting and developing my site.

    Would it be possible for them to alter my PID code by changing it and replacing it with their own, and then even my current blogs would actually be making money for them instead of me?

    Just curious….

  8. The Tutor on 24 Apr 2008 at 8:08 am

    Alfred,

    Yes, it is possible for them to simply leave their PID in the code, or code it so that sometimes it is your PID, sometimes theirs. If you are concerned about that, check your source code for your PID, then reload and view source again, and again, etc. until you are sure it doesn’t change.
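
The source check described in comment 8, together with the monitoring advised at the end of the article, as an added example (not code from the original post or its commenters): it scans several saved copies of one page's source for the publisher ID and reports any copy that serves a different ID or no ad code at all. It goes slightly beyond the text by also recognising the later `data-ad-client="ca-pub-…"` attribute form; the `google_ad_client = "pub-…"` pattern is an assumption about the snippet, since the page's screenshot of the code did not survive, and every ID shown is a constructed placeholder.

```python
import re
from collections import Counter

# Matches the publisher ID in the classic snippet (google_ad_client = "pub-...")
# and in the later data-ad-client="ca-pub-..." attribute form (assumed patterns).
PUB_ID_RE = re.compile(
    r"""(?:google_ad_client|data-ad-client)\s*[=:]\s*["']((?:ca-)?pub-\d+)["']""",
    re.IGNORECASE,
)

def normalize(pub_id):
    """Treat 'ca-pub-123' and 'pub-123' as the same account."""
    pub_id = pub_id.lower()
    return pub_id[3:] if pub_id.startswith("ca-") else pub_id

def extract_publisher_ids(html):
    """Return every publisher ID found in one copy of a page's source."""
    return [normalize(m) for m in PUB_ID_RE.findall(html)]

def audit_snapshots(snapshots, expected_id):
    """Compare repeated fetches of the same page against the ID you own.

    Returns per-ID counts, the indexes of snapshots that served a foreign ID,
    and the indexes of snapshots that carried no ad code at all.
    """
    expected = normalize(expected_id)
    seen, foreign, missing = Counter(), [], []
    for i, html in enumerate(snapshots):
        ids = extract_publisher_ids(html)
        seen.update(ids)
        if not ids:
            missing.append(i)
        elif any(pid != expected for pid in ids):
            foreign.append(i)
    return {"seen": dict(seen), "foreign": foreign, "missing": missing}

# Constructed sample: three loads of one page; the second swaps in another ID.
MINE = "pub-1111111111111111"  # constructed placeholder, not a real account
SNAPSHOTS = [
    '<script>google_ad_client = "pub-1111111111111111";</script>',
    "<script>google_ad_client = 'pub-2222222222222222';</script>",
    '<ins class="adsbygoogle" data-ad-client="ca-pub-1111111111111111"></ins>',
]

if __name__ == "__main__":
    print(audit_snapshots(SNAPSHOTS, MINE))
```

Feed it the saved output of several reloads of each page you own; a non-empty `foreign` list means at least one load served someone else's ID.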
