Google has started injecting unlabeled ads into pages that look like an author created them. Can anyone get a reusable example so we can detect the tampering?
Conversation
Notices
-
Embed this notice
Peter Bhat Harkins (pushcx@ruby.social)'s status on Tuesday, 26-Nov-2024 12:51:43 JST 
Peter Bhat Harkins
- Paul Cantrell and anban repeated this.
-
Embed this notice
Peter Bhat Harkins (pushcx@ruby.social)'s status on Tuesday, 26-Nov-2024 12:51:42 JST
Peter Bhat Harkins
Google claims they are injecting ads live now, so I'd like to quickly turnaround a js snippet that sites can use to detect the tampering.
I'm strongly reminded of how a motivation for the big lift to HTTPS was slimy ISPs injecting ads into pages.
-
Embed this notice
Tim W RESISTS (tim@union.place)'s status on Tuesday, 03-Dec-2024 03:53:05 JST 
Tim W RESISTS
@pushcx @tasket can confirm repro, have been seeing it for a few days
-
Embed this notice
tsk (tasket@infosec.exchange)'s status on Tuesday, 03-Dec-2024 03:53:07 JST 
tsk
@pushcx Also, is the page content being uploaded to Google so they can decide what/where to inject? That is a potential spyware issue.
-
Embed this notice
Peter Bhat Harkins (pushcx@ruby.social)'s status on Tuesday, 03-Dec-2024 03:53:07 JST
Peter Bhat Harkins
@tasket That's a really good point, thank you. I've added it to the post.
-
Embed this notice
Tim W RESISTS (tim@union.place)'s status on Tuesday, 03-Dec-2024 04:15:09 JST
Tim W RESISTS
@pushcx @tasket both on the url you found from the example and all across random sites in the Google Search App over the past few days. Didn't realize what it was until I saw folks posting about it (so I guess it wasn't very effective with me).
-
Embed this notice
Peter Bhat Harkins (pushcx@ruby.social)'s status on Tuesday, 03-Dec-2024 04:15:10 JST
Peter Bhat Harkins
@tim Thanks for reaching out! On the page from their example? On your own site? On many sites? (Thanks for making this connection @tasket!)
-
Embed this notice
Tim W RESISTS (tim@union.place)'s status on Tuesday, 03-Dec-2024 04:31:33 JST
Tim W RESISTS
@pushcx @tasket examples from a random news feed article (suggested by the Google Search App of course). Article link: https://www.power-grid.com/energy-business/under-pressure-from-the-scc-dominion-reveals-the-true-cost-of-data-centers/
-
Embed this notice
Tim W RESISTS (tim@union.place)'s status on Tuesday, 03-Dec-2024 04:33:42 JST
Tim W RESISTS
@pushcx @tasket obligatory disclosure: I work for Google, I have no special knowledge of this feature (genuinely was confused by seeing it happening until I saw posts here about it!), all posts are my personal opinion.
My personal opinion: I hate it. This is going to rightfully piss people off and it really isn't that helpful.
-
Embed this notice
Tim W RESISTS (tim@union.place)'s status on Tuesday, 03-Dec-2024 04:57:19 JST
Tim W RESISTS
@pushcx if you get the JS it should be easy enough, I can trigger it on that page 😂
I'd be happy to poke around / help. I'm on a plane and unsure how well the wifi will work then driving home so I'm at least partially out of pocket for a few hours as well but reply and I'll do what I can.
-
Embed this notice
Peter Bhat Harkins (pushcx@ruby.social)'s status on Tuesday, 03-Dec-2024 04:57:21 JST
Peter Bhat Harkins
@tim I bet it's a slow rollout and you're in the 0.1% (or whatever) it's active for. I'm about to roll into a Twitch stream for Lobsters office hours, but is there a time we could pair on investigating? I'll put a debug script on my blog and you reload to share info. https://push.cx/google-ad-injection has my start at this.
-
Embed this notice
Tim W RESISTS (tim@union.place)'s status on Tuesday, 03-Dec-2024 05:00:17 JST
Tim W RESISTS
@pushcx also shows up later for "Google" and "AdWords"
All GNU social JP content and data are available under the