Thursday, May 3, 2007

Google Video Ad Mockups with XSS Potential

Google had several video ad demo pages which looked like non-Google sites, except for their domain. The pages aren’t new, but I’ve been told these pages started to rank well in some search results (e.g. in a search for paintball news feed). What’s noteworthy was that some of these pages included the full original template of the page they were mocking up – including references to JavaScripts hosted on other servers (like on the [source] or Car Connection pages)! As these JavaScript files might change their behavior at any time, they might also be usable for cross-site scripting – which can allow partial take-over of your Google account – so either the mock-ups had been set up by a Google engineer unaware of cross-site scripting issues, or Google is putting a lot of trust into their partner servers like (and everyone who works with them). And not just the partner servers, because additionally, some of these pages included JS files hosted on servers outside of the mocked-up domain (the mock-up included a link to a JS hosted on

After I alerted Google Security ( of this issue last week they fixed it within a couple of days – all video ad mockups have now been removed, and the page reads “Our apologies, but the demos are currently unavailable. Please check back at a later time.”

