Adwords Flaw

         

VinnyL

3:38 pm on Jun 9, 2005 (gmt 0)

10+ Year Member



Hi All

This is my first post on WW - I'm a new member. I think I have found a big security hole in Adwords recently, which can (and probably does) lead to click fraud abuse. I discovered it while trying to figure out why Google could not find click fraud in our account, and our logs reported such. I think it's quite serious.

I have spoken to our people (client reps/API guys, etc) at Google, but the flaw is not fixed and no one has gotten back to me. I have tested this flaw by click frauding our Google account and Google does not detect this (although, in reality, they can't).

What's the best way of getting Google to close this hole in their system? Do I publish a report about it? Obviously, I'd rather keep it quiet, but I'm not getting anywhere with them.

Any advice?

Tropical Island

12:01 am on Jul 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Large corporations move very slowly while someone in a position of authority makes a decision.

Also AWA is away until July 6.

I wouldn't want you to expose the flaw publicly but it would be interesting to know the consequences or results of misuse of the flaw if you could do so without revealing anything.

VinnyL

7:27 am on Jul 4, 2005 (gmt 0)

10+ Year Member



Hey Tropical

Well, in my limited testing, I was able to bill one of my adwords accounts for traffic that I sent to a competitor's site (to test if they could do it to me). Scary stuff.

V

ska_demon

7:57 am on Jul 4, 2005 (gmt 0)

10+ Year Member



You mean you clicked on an ad that you set up to send traffic to a competitor, and the cost of the click shows up in your account?

Isn't that the way Adwords works?

Ska

eyeinthesky

9:46 am on Jul 4, 2005 (gmt 0)

10+ Year Member



Well, in my limited testing, I was able to bill one of my adwords accounts for traffic that I sent to a competitor's site (to test if they could do it to me). Scary stuff.

I don't quite understand this. Are you saying your competitors can do likewise (without your password)? I mean send traffic to their own site and bill you?

I don't see any connections, here?

toddb

10:50 am on Jul 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"(to test if they could do it to me)"

Means he feels they could do the same to him.

ska_demon

11:02 am on Jul 4, 2005 (gmt 0)

10+ Year Member



It sounds to me like you're sending traffic to your competitors that you are paying for.

Am I missing something?

Ska

DavidDeprice

11:05 am on Jul 4, 2005 (gmt 0)

10+ Year Member



My guess would be if there is some sort of identifier in the link then it would be possible to modify any link in such a way that whosever ID is in the link gets billed. The site and keywords would be irrelevant. The keyword simply triggers the ad and the URL is where the visitor is sent. You can't bill the website - for instance I have two different URLs for one AdWords account.
In my understanding this is how AdWords works:
The keyphrase is entered - the database processes the request and displays the relevant ad. The ad is clicked - the visitor is sent to a site and the advertiser is billed.
I guess what VinnyL is saying is that that billing identifier is external and part of the link that, if you modified it, you would not be billed.
It's also safe to assume that this billing identifier (I should rather call it account ID) is a constant value - so you could take different ads by the same advertiser, analyze the link and see what part is always the same - that would be the billing ID.

That's all my thinking, of course, based on the info posted here. Wild speculation, some would say.

Tropical Island

11:06 am on Jul 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It sounds to me like you're sending traffic to your competitors that you are paying for.

Just turn that around 180º.

ska_demon

11:55 am on Jul 4, 2005 (gmt 0)

10+ Year Member



Gotcha! ;oP

This could be a little worrying now I get what's going on. If this is true I would certainly like to see what G has to say about it.

Ska

Tropical Island

1:12 pm on Jul 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Since I was going over this thread at 7 AM I have been thinking about it and the reason AdWords has not reacted.

If true then it may mean a change in the fundamental programming of the AdWords system. This is not something that will happen overnight and will need top people at Google to be involved. This may be the reason for the delay in the reaction.

On the other hand it may be that they do not see it as the "big problem" that we do and have other systems in place to prevent it happening.

VinnyL has said that he was able to accomplish this by charging his own account. This is a BIG problem if the method gets in the wrong hands and G doesn't react accordingly.

Shak

1:16 pm on Jul 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm going to ping this to someone in Google HQ to also take a look at, as it seems this could be very damaging to all concerned.

However it is 4th of July, so not sure what sort of reaction is forthcoming.

Shak

oddsod

2:08 pm on Jul 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



As an update, I've pinged the team to whom I forwarded your info - and am told that they'll contact your rep shortly.

Two weeks and "the team" haven't contacted his rep?

Either the issue is serious and they are working urgently on it (in which case the team would have contacted his rep to reassure him the loophole will be blocked soon), or the matter is not serious and we can be told what it is.

bostonseo

2:53 pm on Jul 4, 2005 (gmt 0)



I have been very unsatisfied with Google's research on multiple occasions.

The problem I experience with Google is that at the end of every month since January (except February) a client of mine sees conversions drop by more than 50%. It's like clockwork when this happens each month, and on the first day of the new month conversions shoot right back up and continue to be very consistent again until the last 5 days of each month.

On Yahoo and MSN, conversions DO NOT fall off. So this issue is unique to Google and they have failed to offer any intelligent reasons as to why this may happen. To me, it seems as if it must be a search partner issue. Something must be changing, at least in this one B2C industry, on Google at the end of each month. I don't change my bids, rankings do not change at all...again all signs point to something on their end, because none of our other CPC campaigns experience this...which rules out a website or tracking issue.

Bottom line I just pause the Google account the last week of each month to protect myself from the drop in conversion. I thought that would ignite Google to properly investigate this, but it did not. They'd rather pass up the revenue from my clicks than let me know what the 'true' cause to all of this is.

Anyway...just a story of how I don't think much of their research and investigation team.

VinnyL

4:24 pm on Jul 4, 2005 (gmt 0)

10+ Year Member



Hey Guys

My rep did contact me, and basically said that they cannot confirm or deny the existence of the flaw for policy and security reasons but they will look into it and if needs be, they will fix it.

I'd practically given up until ToddB mailed me for an update...

I'd rather not discuss any further details about it in an open forum, for obvious reasons, and including validating or invalidating any respective conjecture from the other forum posters.

Even if they do fix it, I doubt that I'll get any recognition from them that I pointed it out.

If this were the movies, I'd get a free first class flight to Googleplex, 5 star accommodation and a full debrief session 2 weeks ago at $2500 an hour...

But this ain't the movies! :-)

bostonseo

4:47 pm on Jul 4, 2005 (gmt 0)



Yeah I personally feel very underappreciated by Google and Yahoo when I inform them of 'bugs' and other problems with their system. Do I expect them to send a formal letter of gratitude? No. Should they be more thankful when I (and others) alert them of issues affecting customers? Yes.

toddb

5:02 pm on Jul 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



At least they are on it. Sort of.

oddsod

5:53 pm on Jul 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



they cannot confirm or deny the existence of the flaw for policy and security reasons but they will look into it and if needs be, they will fix it.

Todd, that sounds like standard corporate speak for: "Now, go away".

They may do something, they may not do something but they don't want you to know either way.

Shak, I look forward to what your contacts have to say.

bostonseo

2:32 pm on Jul 5, 2005 (gmt 0)



Whenever a company cannot confirm or deny something there is information they are withholding. Most of the time this means a company is putting together an official statement to be released, but clearly here Google is saying 'Go away', 'forget about it', 'you're wasting your time'.

oddsod

2:48 pm on Jul 5, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



AWA, we appreciate that saying the problem has been resolved is an admission that there was a problem. We are not looking for any admissions or apologies. We just want to know that if there was a loophole (potentially) causing us to lose money it has been fixed. Surely you can give that reassurance without making any admissions? If you can't give that assurance as you're on holiday why can't his rep give him that assurance?

bostonseo

3:34 pm on Jul 5, 2005 (gmt 0)



Look, Google is not going to admit that there were problems even if you find them. When you report an error they will say thanks for bringing this to our attention, we will investigate this. They will likely replicate the error or bug, fix it, and that's that. They aren't going to get back with you and discuss the details of what was wrong. Heck, 9 times out of 10 they will probably deny that the problem ever really existed.

oddsod

3:52 pm on Jul 5, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



They aren't going to get back with you and discuss the details of what was wrong.

That wasn't the expectation. Please read my post again.

bostonseo

4:21 pm on Jul 5, 2005 (gmt 0)



I understand that was not your original expectation. You might as well forget about the whole thing; they're 'blowing you off'...take the hint.

I was simply giving you some insight as to how Google, Yahoo, companies in general operate. They're not big on sharing information or even getting back to you on seemingly simple questions.

Shak

5:44 pm on Jul 5, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I can confirm this is with the actual team who would deal with matters like this.

They may or may NOT contact Vinny direct.

Without going into specifics, I very much doubt any company (publicly listed or NOT) would want to discuss their security or operational issues in an open forum.

Vinny please keep us updated if any news filters through.

Bearing in mind a few folks I spoke to today, assured me that there are other systems in place to stop this from happening ...

Shak

mhhfive

3:34 am on Jul 6, 2005 (gmt 0)

10+ Year Member



I'm still a bit confused over what the problem is. Does this flaw let just anyone charge you for ads that you're not benefitting from?

oddsod

1:23 pm on Jul 6, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



bostonseo, I'm sure that wasn't meant to be patronising. ;) I've been dealing with the larger companies since before some of the webmasters on these boards were even born.

They're not big on sharing information

I very much doubt any company (publicly listed or NOT) would want to discuss their security or operational issues in an open forum

First, I did not ask for a discussion, I did not ask for an acceptance that there's a problem, I did not ask them to discuss security issues. I certainly did not ask them to explain what the problem is. Please don't muddy the water.

VinnyL obviously had an issue. Whether it's a genuine fraud threat or not we do not know. Shak's relaying of "other systems in place" is a bit reassuring but obviously those systems didn't work for VinnyL and Shak's post confirms that VinnyL isn't imagining things - there is a problem.

Google does not seem to always display the reticence you assume of them. They have demonstrated often enough via these boards that when there is a serious enough issue they will act. That they have not provided any form of reassurance on this issue leaves an impression that there is something amiss which they are unable to fix easily.

So much for being seen to be tough on Adwords fraud.

mhhfive, as the others state I do not believe Google would be forthcoming enough to explain what the problem is - and personally, I don't care what it is - I just want to know that if my Adwords account is paying for somebody else, Google is keen to find and block that loophole.

bostonseo

1:51 pm on Jul 6, 2005 (gmt 0)



"bostonseo, I'm sure that wasn't meant to be patronising. ;) I've been dealing with the larger companies since before some of the webmasters on these boards were even born."

Great. So you should know that you are just spinning your wheels regarding this issue. Is it frustrating? Of course. Continuing to push the issue with them can only harm you and your relationship with Google.

This 56 message thread spans 2 pages.