Google Adsense cracked due to a Security flaw



(Digit November 2007 Issue)

India’s leading technology magazine, DIGIT, took a serious look in its November 2007 issue at what one Indian security analyst claims is a flaw in Google’s AdSense. An Indian named Manish Arora has found a way to cheat AdSense and make thousands of US dollars quickly. His claim has been verified by DIGITians, and when they reported it to Google, Google did not seem to take it seriously. This has endangered the interests of AdWords users. Is Google working on a fix, is it something they don’t care about, or is it the way they make money themselves? Only time will tell. Now the question is what exactly he did and, even more interesting, how he did it.

What did he do?

He went through a number of articles and reports on the pay-per-click mechanism, including the report of Dr. Tuzhilin (Professor of Information Systems at the Stern School of Business at New York University), who evaluated Google’s invalid click detection efforts.

After going through all those articles and analyzing Google’s code, he found a way to simulate human behavior in click generation and page impressions, in a proper (acceptable) ratio and from different geographic locations (IP addresses), and was able to credit thousands of dollars to his AdSense account without a single click being generated by a human being.

By observing how their system works, he was able to identify how ads are served from their servers and how he could simulate the process from his own server with a script he wrote himself.



Manish Arora wrote to Google: “I would be glad to provide you the complete mechanism, which will take one hour a day, to produce thousands of dollars a month from AdSense. I would like to explain this model to any of your representatives.” The Incident Response Lead of the Google Security Team replied: “We’ve investigated your claim. At this point, all we can verify is that our automated systems terminated your accounts, as a result of your trying to inflate the clicks. This is exactly how the system is supposed to work. If you supply us with the code and the technical details of the method you mention, we will investigate further.”

Why did he do it?

He says he did all this to report the flaw to Google and hasn’t withdrawn any money because his intentions were not bad. As soon as he reported this to Google, the account was banned.

Manish Arora has explained how he did it on his blog. You can read it here. (The link is no longer working.) Rumors will continue to spread unless Google says something official about it. Are you an AdSense publisher, or do you use AdWords to promote your goods or services? What do you think? Do let me know through your comments.

Update: You can read the removed article here.


51 responses to “Google Adsense cracked due to a Security flaw”

  1. Wicked! Google blows anyway. I would have withdrawn the money, that would have REALLY got their attention!

  2. Interesting.

    I am pretty sure they must be fixing that though. They spend millions of dollars every year to prevent click fraud, so.

  3. @iMessiah
    Yeah! Withdrawing the money could have really gotten attention, but in that case Manish Arora could have gotten himself into deep trouble.
    They must be working on the fix. But what amazes me is why people are not ready to accept the fact that Google is not completely flawless.

  4. I am sure that Google will get this fixed. Every system will have flaws.

  5. That’s pretty rough. I had a friend who wrote some JavaScript that parsed the ads, then made it so that if anyone clicked anywhere on the screen it redirected them over to the ad. Needless to say Google caught him pretty quick, and he got the “fraudulent clicks detected from your account” letter.

  6. […] Google AdSense Cracked Due To Security Flaw – This is one of the unbelievable posts I read this week. Ashish has done a good job covering the […]

  7. @Madhur
    Yes, you are right.
    @ Vancouver Island SEO
    Google has very good algorithms to detect click fraud, but their algorithm has this vulnerability.

  8. Manish Arora

    Well algorithms can detect source of clicks… but everything can’t be detected by algorithms. It’s a matter of fact that I found a critical design issue in AdSense and that’s the way I designed my simulation.

    By the way if they know algorithms I also know algorithms 😉

    1. @Manish Arora
      Yeah! Flaws are everywhere waiting to be discovered. Well Manish, some people are arguing that Google can remove the non-genuine clicks at the end when they process the payment. What would you like to say in this regard?

  9. Manish Arora

    Well, it’s not as simple as that. You know I took six months analyzing their system with more than 12 different accounts. Then I found this way.

    They have filters, which are no more than a machine. But I should say that those were a good piece of AI. The fact is that their programs won’t decide to do that automatically. They have filters which will check and observe behavior on the basis of some research statistics.

    Google’s filter puts a red flag on a suspicious account and then those should go to click analysts for investigation. If you can fool those programs it won’t go to those analysts and you are safe.

    Things which seem so simple and straight are not that straight. Do you think that the amount (~$5000) I made was returned to AdWords customers?

    The answer should be NO. The amount which they credited to my account (~$5000) was only a percentage of what Google got from their clients. The actual advertisement amount is far bigger than that.

    Do you think they will refund all that amount?

    What will happen to their goodwill then?

    It’s a money game, if everything is fine, perfect and in place then why is everything a black box?

    Do think on these points ❗

  10. @Manish
    You got a very good point!

    It’s a money game, if everything is fine, perfect and in place then why is everything a black box?

    Google is really evil. 😈

  11. Manish Arora

    Well I won’t say that… they aren’t evil… they are trying their best but they are hiding things.

    What else can they do? Advertisements are their bread and butter 🙂

    They won’t sell their services… everything has its two faces… well it’s a long discussion…

    This article (published in Digit) wouldn’t have been published if they had taken me seriously. When I was approaching the media I kept Google in the loop so that they would take things seriously, but they took that for granted. They thought they would manage the media.

    But after my efforts of 11 months this issue got published. Anyways hope for the best :).

  12. @Manish
    Thanks for clearing the doubts & I am glad that after so much of hard work (I should say smart work), you get to put your point in the media. 🙂
    Lets see how things turn out now!

  13. The big question is: is anyone using Manish’s crack to their advantage 😀

    1. @nimish
      If I had used it to my own advantage, I would have remained silent. And I think the quote says it all.

  14. […] Ashish tells us about how Google AdSense cracked due to a Security flaw. […]

  15. I think.. there is only one thing… publishers can do… to teach them a lesson.. 😈 😈

    Let’s.. start using Manish’s trick… 😉 😉 😉

  16. Well, from what I read in Digit, Manish’s account was disabled for the invalid click activity.
    Even Digit says that his claims about the gifts from Google cannot be verified.
    And then, doesn’t everyone know that Google will review everything before sending payment?
    I have heard that most account disabling happens on the 15th to 20th of the month, i.e., time for review.

  17. Forgot to congratulate Mr. Arora for his efforts. Good job there

  18. I’m not sure that I have understood everything here.
    I understand that Manish can generate ads from his own server. That’s cool. He can create heaps of impressions. Manish still needs clicks to generate the income that he describes. Google logs IPs from clickers and to generate such a high volume of clicks, one would assume that the IP is always the same. Same IP would lead to the AdSense account. Have I missed something here?

  19. I have some advice for Manish: run and hide yourself! Do you think Google will accept losing millions of dollars without reaction? Google is like a Biiiiig Casino. And their boss acts like in Ocean 12. It is a mafia.
    If u are not poisoned in the next 6 months u can be happy.
    Look what happened to, the guy has disappeared completely. He was very sick last time I talked to him.

  20. Vatsal Trivedi

    Hi Manish Arora,

    Me 19 year student from Gujarat. I also love to play with such holes… I have lost my 14 adsense account in doing different experiments. M still trying to cheat with google bcoz I love that.

    Mr. Manish Arora by donating 5K $ back to google u didn’t got a penny except “fame”.

    I also have discovered a method similar to u and making around 80 to 90 $ per day. It’s small amount compare to u . But I have made a mega plan to Rob google..

    If i get success I will show u all hard copies of cheques I get from google to u.

    Meanwhile See ya TC

  21. @Jarrod
    You missed the point that IP locations are also simulated as different every time.
    @Vatsal Trivedi
    Best Of Luck!

  22. starterplan

    Vatsal Trivedi do u got back your google adsense account u lost,
    mine google adsense account was disabled by google and i was having approx 104 $ in it , and when i emailed them they have not replied to me even once.
    can u tell me way to get back mine adsense account ,it was very difficult to earn 104 $ .

    Vatsal Trivedi if u think u can help me in getting mine adsense account do email me at , i will be waiting for your email please do email me .

  23. Vatsal Trivedi

    Hi starterplan ,

    As we all know Google is mo***rf**k*e….

    I m damn sure that google is not giving banned amount money back to advertisers….

    They just eat it up.
    I even mailed and requested to BigG lots time..
    Just got automated reply back in my inbox.
    Some lucky Publishers get their account back by appeal.
    But u still can request them by visiting

    Try ur luck. I don’t assure u that it will come back

  24. @Vatsal
    Thanks for helping starterplan and for the link. 😀

  25. starterplan

    thanks Vatsal Trivedi for replying BUT it took many months to earn 104 $ and they disable mine account as soon as i reach 100 $ . Of course i already requested them with that link but no reply till now . I requested 2 times from DEC 1st

  26. starterplan

    thanks Vatsal Trivedi for replying BUT it took many months to earn 104 $ and they disable mine account as soon as i reach 100 $ . Of course i already requested them with that link but no reply till now . I requested 2 times from DEC 1st .

    I am dying to get 104 $ back and is there any way to get back 104 $ by doing anything (even wrong) from google. WHY they disable when i reach 100 $ why not before .

  27. Vatsal Trivedi

    Sorry Dear,

    It’s bitter fact that google doesn’t have heart to understand our feelings..

    I also have forgotten my lost money and advised u to do same.

    C ya.

    As u said , “WHY they disable when i reach 100 $ why not before . ”

    Google is smart to rob our money. We work hard to complete 100 $ to get our first cheque. As our account get accumulated with sufficient amount ………… no need to complete sentence.

    I m working on a mega plan to earn huge money from google.
    It’s quite similar as of Manish.

    But if I earn I will not be gentle and return them amount.

    Keep Tuned Will post my experience as comment here.

  28. @starterplan
    Google is evil 👿
    Good luck to you 😀

  29. starterplan

    thanks for the reply Vatsal Trivedi .
    may be i am wrong but i heard many got ban when they reached above 100 $ not before that .

  30. starterplan

    Vatsal Trivedi can u reply me to my yahoo email i dont check gmail everyday.
    i sent u email few days ago

  31. Thanks. This is an interesting article you got. He should keep this secret for a longer period until he got his payment 😈

  32. @Patrick
    Manish Arora just intend to show the flaw in adsense. He was having no intention of earning illegal money. 😉

  33. Could not agree with you more..

  34. @Charlie
    Your comment was caught as spam. So appeared lately. What don’t you agree on?

  35. Interesting and i don’t find Manish’s article(link in your post) anymore…Has anyone taken action?

  36. @Techblissonline
    Yeah it gives a 404 error. I guess the article is gone but originally it was on blogspot blog only.

  37. i don’t find Manish’s article(link in your post) anymore…Has anyone taken action?

  38. @Techblissonline, eslam
    I have found a pdf of the article in my archive. I have added the link in my post.

  39. Can you give me the script? Because i can’t download the script that have you modified in (404 Not Found) please send me the script in my email. Thanx a lot..

  40. @I don’t have a copy of that script and probably it won’t work now as Google might have implemented changes in their algorithm.

  41. Do you want the script? I have it as i saved the copy when he put it up on
    get on

  42. @Monik
    Thanks for the link. I might have a look at it someday.

  43. Sava Bogdan

    Please can I receive the script. Thank you. Where can I download the script? This URL is not working. Please email me the script at

  44. If you find something that works don’t post it online; if too many people know a secret then Google will find it and close the loophole.

    everyone should keep that in mind.

    i would love for someone to tell me how to do it but if i knew then google would know and it would be closed.
    harsh but true
    sorry guys

    1. Rightly said!
      but Manish didn’t want to make any profit out of it.

  45. great dude, good job done, but google’s response is strange, any how google is not supposed to encourage click fraud!
    [Moderated : No Self Promotion] to find real human visitors to help make more money by google adsense for blogs.

  46. very low ctr very high cpm.. hw????

  47. thanks got new information