
From the article:

> [Google is a] company that also distributes spyware, because they don't check what their ad customers are doing very well and let them run random JavaScript on random web pages.

Is this true? While it's absolutely the case that websites have very little control over what ad content is displayed (see, for instance, the work of https://checkmyads.org/), I don't think I've ever seen evidence that ad publishers, or anyone in that massive ecosystem, can inject arbitrary code, running in the browser's context, into websites that monetize through Google AdSense script tags alone.

Of course, Google touches other parts of the pipeline, and I'm sure that in their trillions of transactions, they have unknowingly participated in or facilitated transactions that route/suggest malicious ads to other AdSense-like ad-embedding or tracking solutions that might have RCE vulnerabilities. But it seems a bit of a stretch to call this "distributing spyware," any more than it is to call a customs official who misses an illegal package a smuggler.



Pretty sure that is a reference to DoubleClick, which Google bought, and which has a pretty long history of allowing its network to be used to distribute malware.

The basic summary as I remember it is:

Website A has a deal to show DoubleClick ads.

DoubleClick can choose to directly show an ad from their network, or sell the spot to another smaller ad network.

There may be multiple layers of reselling here.

Someone signs up to some tiny ad network that is just happy to get customers and doesn't care too much about vetting.

That someone probably uses a stolen CC to buy ad space, and because you can inject JavaScript as part of your ad, this person injects some malware.

There were a bunch of pretty high-profile cases of this happening on major websites (NY Times and Wired, iirc). Some were done using Flash, back when that was a thing.


Every ad these days is 'spyware', despite the ineffectiveness of "personalized adverts".

I worked for an SSP, and always loved the data we got back from DMPs categorising the same user into "segments".

Sometimes they were a man, until five impressions later they weren't, the guesses at age varied significantly also.

That said, none of those DMPs were Google. I believe that they'd actually be able to correctly segment you, because, well, it's Google, one of the companies putting the brightest minds of our generation to work on the problem of optimising CTR.


The idea that a family, a household, or even just roommates, with no Gmail, no login to much of anything, might all use the same computer, or even share a tablet? Well, that must give people at Google a conniption fit.


They can distinguish you based on some fingerprinting and, most importantly, browsing behavior. That's what FLoC was about - with enough data, you don't need third party cookies to recognise a user.


> I don't think I've ever seen evidence that ad publishers, or anyone in that massive ecosystem, can inject arbitrary code, running in the browser's context, into websites that monetize through Google AdSense script tags alone.

I've personally witnessed it three times over the years because it usually ends with all users of the targeted sites being pushed to malware sites. Yes, it's happening via AdSense, and usually takes 1-3 days to stop. See also this article, that was one of the waves I dealt with: https://www.seroundtable.com/google-adsense-hijacking-19709....


The followup https://www.seroundtable.com/google-adsense-auto-redirect-bu... mentions it was Flash ads in 2015, which... of course they were. And not sure if it was the same instance, but also in 2015, https://www.trendmicro.com/vinfo/us/security/news/cybercrime... mentions it was a Flash zero-day that was exploited, which... of course it was.

I'd love to see if there was anything from the post-Flash era, but this certainly answers the root question.


I wouldn't swear on it, but I believe another wave was a few years later, 2018-ish. Not sure if Flash was still a thing back then, but Google has been allowing JS to run in ads as well (as far as I remember, at least in some formats), and someone bypassing their automated checks isn't unheard of.


Stealing one of patio11’s ideas, there is a whole bucket of internet points waiting for the person who can carefully document Google’s history of allowing arbitrary JavaScript injection. Two people mention examples below, but they reference DoubleClick (acquired by Google in 2008), and a 2015 incident.

Is this still possible? What measures does Google take to limit what advertisers can do?

P.S. in addition to internet points, you’d also be providing important information for anyone who cares about privacy and security. But I’m a little cynical, so did you hear about the Internet points?


Don't know about Google, but my method to limit it is quite simple: use an ad blocker.


Not specifically examples of arbitrary JS execution, but the SANS ISC has had a couple of posts in the last few days about Google Ads being used as an attack vector if anyone's interested: https://isc.sans.edu/diary/PSA+Why+you+must+run+an+ad+blocke... and https://isc.sans.edu/diary/Malicious%20Google%20Ad%20--%3E%2... (and the second link contains links to a bunch of additional examples)


> I've ever seen evidence that ad publishers, or anyone in that massive ecosystem, can inject arbitrary code, running in the browser's context, into websites that monetize through Google AdSense script tags alone.

It depends on what types of ads you allow. Sourcing JavaScript from Google is always at risk of whatever Google wants to run, but some ad types include advertiser JavaScript in the creative [1]. There are controls in place to reduce the chance of malicious code, but that doesn't eliminate it. (Plus or minus when they serve ads from other exchanges, as others noted.)

[1] https://support.google.com/admanager/answer/3180782?hl=en


Most malware I see distributed in the wild comes from Google Ads. Often because the advertiser buys the top spot for "OBS download" so their malicious download is listed above the actual legitimate website for OBS.

MapQuest is my favorite one for malicious Google Ads, because it basically targets seniors. (This is a double whammy for Google distributing malware because these are usually pushing malicious browser extensions served by the Chrome Web Store.)

Google allegedly delists these when it finds them (usually after a ton of people have lost their crypto or whatever), but it keeps their profits from doing it.


This is garbage, but it’s unambiguously different from the current accusation (that if you have Google ads in your website, someone might inject arbitrary JS into your website).



