Today I was reminded about a vulnerability I had totally forgotten about when I read the Securiteam blog posting about using Google to attack websites. The idea is to create a malicious website that contains links attacking web applications and submit this to the Google spider. When the Google spider crawls the page it will also follow the links and voila Google has attacked the website for you.
This is however not really news because people are using similiar techniques for Page Rank fraud for a while now. The idea behind Page Rank fraud is to create URLs that use HTML injection vulnerabilities on high ranked sites to inject HTML links to your page and submit them to search engines.
Back to the vulnerability I had forgotten about: More than a year ago I discovered that there is another easy way to trick Google into visiting a certain URL, that has the big advantage that the request will happen in a short timeframe after Google is tricked. The crawler trick above has the disadvantage that it is not really possible to know when Google will visit the attack URLs. Additionally the trick I reported at the 10. July 2005 to Google, that resulted in no actions beside an initial acknowledgement e-mail, has another advantage: It is possible to trick a person visiting your site by using CSRF into performing the trick on Google, so that your IP doesn't show up in the Google logs.
So now the very simple trick. Google Adsense IFRAME's are placed on URLs similiar to this
Most probably because of the Referer problematic the IFRAME's URL contains the URL the ad is displayed on. And now you may guess 3 times what happens when the url variable points to an URL unknown to google.
Exactly... After a short while one of the Google Mediapartner crawlers will visit the URL to scan it.
Atleast this is still the behaviour while I am writing this blog entry... Noone knows how fast Google will react once this is public. While it was not public they didn't do anything about if for more than a year.