There’s something really fishy going on with Adobe’s “I ♥ Apple” Ad campaign. You might have noticed it yesterday as you were browsing websites such as TechCrunch and Google Reader. Basically, somehow Adobe got around Google’s “no popups” ad policy for Adsense and for those on Macs and for some reason Opera web browsers. For users visiting sites with a specific Adsense ad image installed, Adobe was displaying an ad that said “I ♥ Apple”, trying to convince users of Apple operating systems that Apple was in the wrong. The ad was then causing a popup window on the page – I couldn’t open TechCrunch without a popup appearing, and I know TechCrunch didn’t put it there.
Aside from the existing issues of how effective such a campaign is already, what is really baffling is how Adobe was using their own Flash to get around Adsense’s security measures preventing popups. Jimminy Fuller investigated this last night, and gave me this explanation:
Since the ad was being handled by Google Adsense, this shouldn’t have been happening. It’s forbidden under the Adsense TOS, so I went to see if this pop-up was actually occurring. I couldn’t recreate the issue though for one reason: the ads were selective.
Selective ads? First thing that popped into my head was that they were performing a User-Agent check, a hunch that proved fruitful, later on. I ended up rooting around and finally was able to find some rendered code for the ad, at which point I went digging into the source to see if I could find the User-Agent check. I found that pretty quickly and noticed a little quirk where they were also messing with Opera users, I
assume because Opera also recently turned a cold shoulder to Adobe’s Flash platform.
That’s the very basic analysis of what this ad was doing, but it means that either Google allowed them to do this, or that Adobe basically ignored Google’s rules, and managed to manipulate the ad System to relay this message, I assume the latter. This is quite disturbing, however, because if Adobe, without Google’s consent, can manipulate the ad code, in such a way, it means that there is a possibility for it to be used as an exploit vector. Google has since pulled the ad, it had about a 10 hour stint, but I wonder if we’ll hear anything from any of the parties involved, particularly Google or Adobe.
You can read more details of Jimminy’s evaluation here on his blog.
Adobe brought up this popup when you visited certain websites like Google Reader
What Jimminy found is quite disturbing. As he said, the fact that Adobe was able to get around the popups rule either means Google had a specific relationship for this partner, in which they were willing to make an exception to the popup rule, or Adobe Pwn’d perhaps the only viable potential partner they have in the battle to come, revealing even a greater hole in Google’s code allowing other parties to potentially exploit any website with Adsense installed.