Click addict

Many of you familiar with ad serving programs like adsense and it’s not a secret how it works (in general) - ads block automatically shows relevant ads for the page user is surfing. In order to know what ads are relevant to the page’s content, google “Mediapartners” bot needs to fetch the page, and “fetching” here means sending a GET HTTP request to it. So when users visits page that is not in adsense cache (and “visits” here again means sending GET HTTP request), mediaparners bot receives command to fetch this new page. Now lets leave the user with his browser alone and lets see what really happens. The situation is that anybody can send GET HTTP request to google to make google bot to send arbitrary GET HTTP request anywhere he wants, using google bot as a proxy. The magic url looks like that (copy link location to see), where url parameter have to be url-encoded address, but to make things more fun I’ve created small javascript form that allows you to send zombie with a click of a button.

Notes:

• Mediapartners google bot is not indexing google bot (though they share content cache, also here), so if you are thinking about fast-indexing your pages, this will not work.
• If page is already in adsense cache, this will not work (you can try non-existent pages).
• Note that this proof of concept code is supplied for educational purposes only.