I don’t see the image in comments.
Could some body explain^ may be this bug already fixed everywhere or what I’m making wrong?

———-
Thank’s beforehand!

But I would still be surprised if it didn’t raise a flag somewhere at Google when some code starts getting used on a new site.

Obviously nonces don’t help much when XSS is involved, as we can fetch the nonce from the page and then append the appropriate data. In fact, who cares, most affiliate programmes dont support this and adsense data can be replayed successfully, I have tested this. Whats more, part of ad-jacking is adding our own content including nonces (if any) into a page, effectively ad-jacking it.

One thing which Google does is tie the Adsense code to a specific domain, so you’d have to either sign up with a different account for every site, or create an iframe to your domain, and have the ad serving code there, so that its rendered on your domain.

But to answer your question; yes it does matter if the ad company is using nonces, because unless we know those nonces we can’t simulate user clicks, and can only either hijack clicks (by placing the iframe under the cursor), or by serving the ads and getting CPM money.

Kuza55: well this is exactly the kind of thing I’m currently researching. Let me try answer your questions with a question:
If we have XSS on the current ad serving page do we really care if they are using nonces?

Your comment seems to be driven toward XSSing the Ad Servers.. I am referring more toward an attacker using the XSS vector to spread his/her ad network (i.e. Persistent XSS in forum, reflected XSS in search engine etc)

And if you *are* talking about XSS holes in ad serving domains, well, I don’t think that you’re going to find any on an ad serving company of any size, with semi-decent web server configurations.