Ownage By AdSense
By Natas (natas@oldskoolphreak.com)
From The Fall 2006 Issue Of 2600 Magazine

For those who don't know, Google's AdSense program allows third-party web sites to run text or image ads that are relevant according to the type of content your web site offers. Essentially, Google just scans your site for keywords and then figures out which ads it will place on your site that are related to these keywords. Every day I'm seeing more and more web sites using Google AdSense to generate additional revenue.

Let's take a quick look at the AdSense JavaScript code that users paste into their page's source code to actually generate the ads on the site. Of particular interest is the google_ad_client variable, "pub-8584931460707949", which is this person's unique identifier that Google has assigned them. I'll explain how this can be useful in a moment.

Now that you have a basic understanding as to what Google AdSense actually is, I'll quickly get into the main point of this article, which is how you can use Google AdSense to potentially "own" someone that's trying to remain anonymous. In most cases this will be the website's owner/webmaster.

Google's AdSense program recently incorporated a new feature called "Onsite Advertiser Sign-up" which puts a text link that says "Advertise on this site" at the bottom right hand corner of text ads by Google. Let's take a look at an example URL of this "Advertise on this site" link:

Example URL #1
https://adwords.google.com/select/OnsiteSignupLandingPage?client=ca-pub-8584931460707949&referringUrl=http://camophone.com/&hl=en&gl=US

Notice the google_ad_client variable "pub-8584931460707949" in the URL. When a user clicks this link, they're brought to a Google AdWords page, with big text that says "Advertise on" followed by the name of the site or the name of the company.
This information is being pulled from Google's database that contains the information that the user entered during the initial AdSense sign-up process, and the google_ad_client variable is used to do this. While the referring URL is also in there, it's basically worthless: you can modify it to read anything you like, and it wouldn't have any effect on the information that's shown on the Onsite Sign-Up page. This is great, as the only thing you need to craft your own queries is the google_ad_client variable, which is something I'll also get to in a moment.

One of the great advantages of the Google AdSense program policy is that once you have an account, Google allows you to place their AdSense ads on multiple web sites that you own. This was done so that you don't need to sign up for three different AdSense accounts if you have three different web sites that you want to place ads on. But what if you initially signed up for an account for your business's web site, and then decided to launch a few personal web sites, or vice versa? Other than the Whois information, how would a visitor be able to tell that these web sites are owned or operated by the same entity?

Well, when Google launched their "Onsite Advertiser Sign-up" feature, existing AdSense accounts were automatically opted in to this program, and account information provided to Google upon signing up for the AdSense program was reused for this new feature. If you want to have this information changed or opt out of the program, then you have to log in to your AdSense account and dig around for the option. How many advertisers actually logged in and changed their info around or opted out of the program? Not that many so far. Once again a default setting is potentially exposing information that some would rather keep private.

So what's the point of all this information? How can this information be applied in a real-world situation to expose some bit of information that you usually wouldn't be able to find?
I'll give you a great example. For a long time I've been wondering who owned the Caller ID spoofing site, Camophone.com. Well, I remembered that Camophone placed a Google AdSense ad at the top of their web page. So when I surfed over to their website and noticed the "Advertise on this site" link for the first time, I got excited. Clicking on the ad directed me to the AdSense page with the text "Advertise on TxLink." TxLink happens to be a Voice over IP provider that I had looked at in the not so distant past, when I was looking around for different providers to try out with my Asterisk PBX. The owners of Camophone had remained anonymous, always speaking on conditions of anonymity in newspaper articles and on their old forums, up until this little AdSense trick exposed the roots behind the company.

Well, what if a user did actually log in to their account and opt out of the "Onsite Advertiser Sign-Up" program, and the "Advertise on this site" link doesn't appear on any of the Google AdSense ads? This is where the google_ad_client variable comes in handy! By viewing the source of the web page, you should be able to find the google_ad_client variable and the unique identifier string. By replacing the variable in the original example URL #1 I displayed earlier with the one you find in the source of the web page, you should still be brought to the Onsite Sign-Up page and be shown the name of the site or the name of the company!

Also, if the google_ad_client variable is not found in the page source for some reason, there's still another way to get it! By right clicking on the underlined title of a displayed Google AdSense ad and copying and pasting the link URL, you'll find the google_ad_client variable at the end of the string.
Here's an example from a SecurityFocus.com Google AdSense ad:

http://pagead2.googlesyndication.com/pagead/iclk?sa=l&ai=B6KjpSkdtRP72G462ep_jpIIB_OXmFPCurPIBwI23AaDxtQEQAxgDIKvl9QEoA0iXOVCo9evG_f____8BmAG6jwaqAQoxMDgzMjUwMjkzsgEVd3d3LnNlY3VyaXR5Zm9jdXMuY29tugEJNzI4eDkwX2FzyAEB2gE7aHR0cDovL3d3dy5zZWN1cml0eWZvY3VzLmNvbS9hcmNoaXZlLzEvNDM0MzI5LzMwLzAvdGhyZWFkZWSVAg6KHgo&num=3&adurl=http://www.mgilists.com/&client=ca-pub-4413949713007625

The google_ad_client variable in this example is "pub-4413949713007625". Now that you have the google_ad_client variable, you can form the following URL:

https://adwords.google.com/select/OnsiteSignupLandingPage?client=ca-pub-4413949713007625&referringUrl=http://example.com/&hl=en&gl=US

With this example I provided, the main text on the page reads "Advertise on Symantec Corporation" because Symantec owns SecurityFocus.com and the Google AdSense account used on the site.

In closing, there's no telling how many other web sites this could come in handy with, now that almost every website is jumping on the Google AdSense bandwagon these days!
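
A publisher can check their own sites for the linkage this article describes. The following Python sketch is an added example, not part of the original article: it scans page source you control for the google_ad_client value and the client= link parameter, and reports any publisher ID that appears on sites you meant to keep under separate identities. The site names, IDs and identity labels are constructed sample data.

```python
import re
from collections import defaultdict

# The two places the article says the ID shows up: the google_ad_client
# assignment in page source, and the client= parameter of an ad link
# (the ';' alternative covers '&amp;client=' inside HTML attributes).
PUB_ID = re.compile(
    r"""(?:google_ad_client\s*=\s*["']|[?&;]client=)(?:ca-)?(pub-\d+)""")

def publisher_ids(html):
    """Return the set of AdSense publisher IDs found in one page's source."""
    return set(PUB_ID.findall(html))

def shared_ids(pages, groups):
    """pages: {site: html}; groups: {site: identity label chosen by the owner}.
    Returns {pub_id: sorted sites} for IDs that span more than one identity."""
    seen = defaultdict(set)
    for site, html in pages.items():
        for pid in publisher_ids(html):
            seen[pid].add(site)
    return {pid: sorted(sites) for pid, sites in seen.items()
            if len({groups[s] for s in sites}) > 1}

# Constructed sample input: three sites, two of which reuse one account.
SAMPLE_PAGES = {
    "business.example":
        '<script>google_ad_client = "pub-0000000000000001";</script>',
    "personal.example":
        '<a href="http://pagead2.googlesyndication.com/pagead/iclk?sa=l'
        '&amp;num=3&amp;client=ca-pub-0000000000000001">ad title</a>',
    "other.example":
        "<script>google_ad_client = 'pub-0000000000000002';</script>",
}
SAMPLE_GROUPS = {
    "business.example": "company",
    "personal.example": "private",
    "other.example": "private",
}

if __name__ == "__main__":
    for pid, sites in shared_ids(SAMPLE_PAGES, SAMPLE_GROUPS).items():
        print(f"{pid} links separate identities: {', '.join(sites)}")
```

Any ID it reports is one that ties those sites to the same AdSense account, and to whatever name that account shows if it is still opted in to Onsite Advertiser Sign-up.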