Google AdSense For Mobile Security Vulnerability

Google launched their AdSense for Mobile to the public recently. The implementation of the AdSense Mobile code in PHP looks something like this:

<?php
// Request parameters are passed to the included script through $GLOBALS.
$GLOBALS['google']['ad_type']='text';
$GLOBALS['google']['channel']='';
$GLOBALS['google']['client']='pub-00000000000000';
$GLOBALS['google']['format']='mobile_single';
$GLOBALS['google']['https']=$_SERVER['HTTPS'];
$GLOBALS['google']['host']=$_SERVER['HTTP_HOST'];
$GLOBALS['google']['ip']=$_SERVER['REMOTE_ADDR'];
$GLOBALS['google']['markup']='xhtml';
$GLOBALS['google']['output']='xhtml';
$GLOBALS['google']['ref']=$_SERVER['HTTP_REFERER'];
$GLOBALS['google']['url']=$_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
$GLOBALS['google']['useragent']=$_SERVER['HTTP_USER_AGENT'];

// The remote script is fetched over plain HTTP and executed in this process.
require('http://pagead2.googlesyndication.com/pagead/show_ads.php');
?>

As you can see, this is a server-side include that executes a remote PHP script hosted on Google's servers. This differs from regular AdSense code (which is simple JavaScript that dynamically generates iframes client-side) because mobile browsers generally don't handle JavaScript.

Normally this costs nothing more than a small amount of processing and latency per request on the publisher's side. The problem is with the PHP implementation itself: if an attacker were ever to trick the requesting server into thinking pagead2.googlesyndication.com was actually, say, hacker.com, the foreign PHP script would be executed on the publisher's server. (See DNS cache poisoning.)

At this point, it’s a free-for-all. Once I can execute php code on your server, all bets are off. Hopefully, Google will change their implementation to be similar to the other site install code they offer in the other languages.
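The distinction that matters here is code versus data: require() turns whatever bytes come back from the network into executable PHP, whereas an HTTP client call only turns them into a string the page prints. The following is an added example, not Google's code and not the page's; it assumes a hypothetical endpoint AD_ENDPOINT that returns ready-to-render ad markup as data (the show_ads.php above returns PHP source, so it cannot simply be fetched and echoed), and it sends the same parameters as a query string instead of through $GLOBALS. It also shows the php.ini check a publisher can run: require() of a URL only works at all when allow_url_include is enabled, which PHP 5.2 and later default to off.

```php
<?php
// Added example (not Google's code). Fetch ad markup as DATA and print it,
// rather than require()-ing remote PHP. AD_ENDPOINT is a hypothetical
// endpoint assumed to return XHTML, not PHP source.

const AD_ENDPOINT = 'https://ads.example.invalid/pagead/show_ads'; // hypothetical

// Flag the configuration that makes require('http://...') possible at all.
// With allow_url_include=Off (the default since PHP 5.2) the include on the
// page above fails instead of executing fetched code.
function remote_include_enabled(): bool {
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

function build_ad_query(array $server): string {
    // Same parameters as the original snippet, sent as a query string that the
    // remote side parses, instead of as globals consumed by an included script.
    $params = [
        'ad_type'   => 'text',
        'channel'   => '',
        'client'    => 'pub-00000000000000',
        'format'    => 'mobile_single',
        'https'     => $server['HTTPS'] ?? '',
        'host'      => $server['HTTP_HOST'] ?? '',
        'ip'        => $server['REMOTE_ADDR'] ?? '',
        'markup'    => 'xhtml',
        'output'    => 'xhtml',
        'ref'       => $server['HTTP_REFERER'] ?? '',
        'url'       => ($server['HTTP_HOST'] ?? '') . ($server['REQUEST_URI'] ?? ''),
        'useragent' => $server['HTTP_USER_AGENT'] ?? '',
    ];
    return http_build_query($params);
}

function fetch_ad_markup(string $endpoint, string $query): ?string {
    // TLS with peer and hostname verification: a poisoned DNS answer that
    // points the name at another host cannot present a valid certificate for
    // the real one, so the fetch fails rather than trusting the wrong server.
    $ctx = stream_context_create([
        'http' => ['method' => 'GET', 'timeout' => 3, 'ignore_errors' => true],
        'ssl'  => ['verify_peer' => true, 'verify_peer_name' => true],
    ]);
    $body = @file_get_contents($endpoint . '?' . $query, false, $ctx);
    if ($body === false) {
        return null; // fail closed: serve the page without an ad
    }
    // The response is only ever a string. It is never passed to
    // require/include/eval, so a substituted server can at most return
    // unexpected markup for the browser, not run code on this host.
    return $body;
}

if (remote_include_enabled()) {
    error_log('allow_url_include is On: a remote require() would execute fetched code');
}

$markup = fetch_ad_markup(AD_ENDPOINT, build_ad_query($_SERVER));
if ($markup !== null) {
    echo $markup;
}
```

The remaining exposure after this change is content injection into the rendered page if the ad server itself is compromised, which is the same risk the regular JavaScript AdSense code carries; what is removed is the ability of anyone who can answer for that hostname to run PHP on the publisher's server.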
