Adobe and Google Sitting in a Tree? Or Did Adobe Just Pwn Google?

There’s something really fishy going on with Adobe’s “I ♥ Apple” Ad campaign.  You might have noticed it yesterday as you were browsing websites such as TechCrunch and Google Reader.  Basically, somehow Adobe got around Google’s “no popups” ad policy for Adsense and for those on Macs and for some reason Opera web browsers.  For users visiting sites with a specific Adsense ad image installed, Adobe was displaying an ad that said “I ♥ Apple”, trying to convince users of Apple operating systems that Apple was in the wrong.  The ad was then causing a popup window on the page – I couldn’t open TechCrunch without a popup appearing, and I know TechCrunch didn’t put it there.

Aside from the existing issues of how effective such a campaign is already, what is really baffling is how Adobe was using their own Flash to get around Adsense’s security measures preventing popups.  Jimminy Fuller investigated this last night, and gave me this explanation:

Since the ad was being handled by Google Adsense, this shouldn’t have been happening.  It’s forbidden under the Adsense TOS, so I went to see if this pop-up was actually occurring.   I couldn’t recreate the issue though for one reason: the ads were selective.

Selective ads? First thing that popped into my head was that they were performing a User-Agent check, a hunch that proved fruitful, later on. I ended up rooting around and finally was able to find some rendered code for the ad, at which point I went digging into the source to see if I could find the User-Agent check.  I found that pretty quickly and noticed a little quirk where they were also messing with Opera users, I
assume because Opera also recently turned a cold shoulder to Adobe’s Flash platform.

So I spent a little time analyzing what was going on in the ad besides just the selective pop up, but couldn’t come up with anything determinate as to how they were getting the set of scripts embedded into their ad. What I did find out while analyzing their ad, was that they were using primarily javascript (ironically), lots of it, which did all the preemptive work in analyzing what your browser and OS, were, as well as if you had Flash 8, or higher, installed.  If they were able to match the User-Agent, to either a Mac or Opera, and you had Flash installed, they would force a window open that held a Flash element, otherwise the ad was only activated if you clicked upon it.

That’s the very basic analysis of what this ad was doing, but it means that either Google allowed them to do this, or that Adobe basically ignored Google’s rules, and managed to manipulate the ad System to relay this message, I assume the latter. This is quite disturbing, however, because if Adobe, without Google’s consent, can manipulate the ad code, in such a way, it means that there is a possibility for it to be used as an exploit vector. Google has since pulled the ad, it had about a 10 hour stint, but I wonder if we’ll hear anything from any of the parties involved, particularly Google or Adobe.

You can read more details of Jimminy’s evaluation here on his blog.

adobe popup

Adobe brought up this popup when you visited certain websites like Google Reader

What Jimminy found is quite disturbing.  As he said, the fact that Adobe was able to get around the popups rule either means Google had a specific relationship for this partner, in which they were willing to make an exception to the popup rule, or Adobe Pwn’d perhaps the only viable potential partner they have in the battle to come, revealing even a greater hole in Google’s code allowing other parties to potentially exploit any website with Adsense installed.

Adobe certainly has its own issues, and rightly so, but exposing flaws in Google’s ad code and taking advantage of perhaps your greatest partner isn’t the best way to fix those issues.  I really hope we hear from Adobe or Google on why these Popups were allowed.  We talk about Facebook and privacy, but if Adobe can get around Google’s safeguards, and deploy specific Javascript commands on any website that deploys Adsense, I think Google may be the one with issues here and I hope this gets fixed.

Advertisements

22 thoughts on “Adobe and Google Sitting in a Tree? Or Did Adobe Just Pwn Google?

  1. Hi, did you see some type of popup window when visiting some site?

    If so, which site (TechCrunch, Google Reader, other) and which page? Which browser, with which popup controls? Which content did it show in the new window?

    (I skimmed through Jesse's piece but he jumped into trying to de-obfuscate Google Reader's JavaScript, and there are other great demands on reading time now.)

    For what it's worth, this project was done with a rather rapid turnaround, and I'd be surprised if there was bandwidth to innovate new ways of disrupting popup disruptors within it….

    tx, jd/adobe

    Like

  2. John, Jimminy explained the browsers and process pretty well, I think, but
    for me it happened on Google Reader and TechCrunch in Safari. I have popups
    enabled. Jimminy said it was also happening on both Windows and Mac in
    Opera. Others on Twitter were saying they had seen it multiple places as
    well.

    Like

  3. Windows and Chrome here, and still got the popup. Using Google Buzz at the time, someone had shared something through reader.

    Like

  4. I'd hope, for Adobe's sake that they were given permission by Google. If they got around Google's code, Google would not be happy about it, at all.

    But as far as I think, Google gave them the go ahead for this.

    Like

  5. JD, How goes?

    Anyway, I got the pop-ups on Google Reader and TechCrunch on my iMac with Safari. I was very surprised, first time I have ever gotten pop-up ads with either of those sites.

    I am sure Adobe didn't hack anything, a campaign like this is usually bought and managed through an agency, but it was an odd and non-standard experience.

    -David (used to work with you at Macromedia and Adobe) (Still loves Flash 😉

    Like

  6. Even if it was bought it's disturbing to know Google is allowing this. Has
    Google allowed popups on any of their other ads in the past? I hope this
    doesn't become a trend.

    Like

  7. Hi Jesse, thanks for the word, sorry for my initial confusion and delay of follow-up.

    I'm not sure of Google's ad-serving policies, particularly about opening new windows. I usually run Firefox with “Block Popup Windows”, and every now and then I see an ad sneak through, but I didn't run across this Adobe set myself.

    Are you running a popup blocker in your browser… is it that this ad evaded normal clientside blocking, or is it more like it was unexpected on a particular site?

    Sorry I don't have firmer info here, but I'm forwarding your report inside Adobe… would be good to clear it up, thanks.

    jd/adobe

    (PS: David, hi, but uhm I've worked with a few people named David…? 😉

    Like

  8. With the Opera test, I was able to do, it was blocked by the blocker, which I expanded, because I already knew what it was, so nothing nefarious as to finding a way to evade the clientside blocking.

    I also apologize about the lack of firmer or more evidence. The data collection window was pretty short.

    Like

  9. Wheels within wheels… I've been developing in Flex recently, and attended several of the free Adobe webinars during their recent developer week – I was struck by the irony that *all* of the presenters, many of them high profile folks in the Flex world, were using Macs. This must create tension between the two companies. They serve and feed from the same dish.

    Great sleuthing, btw 🙂

    Like

  10. I had someone comment on my post, that this functionality, is available when creating a DoubleClick Rich Media Ad.

    If what he says it true, I'm deeply disturbed that Google, who hates pop-ups, would allow one of their subsidiaries to allow such things.

    Like

  11. Looks to me like Adobe is tightening their own noose. Are these the outward signs of Flash in the throes of death? Strange. It doesn't seem like a very smart move. Way to gain popularity!! Not.

    Like

  12. With the Opera test, I was able to do, it was blocked by the blocker, which I expanded, because I already knew what it was, so nothing nefarious as to finding a way to evade the clientside blocking.

    I also apologize about the lack of firmer or more evidence. The data collection window was pretty short.

    Like

  13. JD, How goes?

    Anyway, I got the pop-ups on Google Reader and TechCrunch on my iMac with Safari. I was very surprised, first time I have ever gotten pop-up ads with either of those sites.

    I am sure Adobe didn't hack anything, a campaign like this is usually bought and managed through an agency, but it was an odd and non-standard experience.

    -David (used to work with you at Macromedia and Adobe) (Still loves Flash 😉

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s