
I've reported this back in 2017: https://news.ycombinator.com/item?id=13413399 (Though the screenshot was on G+, so RIP.)

It's even been done to youtube.com before! Clicking ads is inherently dangerous, as they are allowed to show URLs which do not reflect the URLs they will actually route you to. You should never click on an ad.

This is a scenario that violates any reasonable convention of good web behavior, but Google won't fix it because the advertisers are how their bills get paid.



Isn't this true about any link?


No. If you hover over a link in your web browser, regardless of what it says on the link, the hover text (often appearing at the bottom left of your web browser) should show you the real, full destination URL. Try hovering over any link in HN, and you'll see the URL you're going to actually go to when you click on it.

However, when you hover over a Google Ads link, it does not do this. It shows you a friendly URL for the destination (such as https://www.ebay.com) but when you click on it, you get redirected with a bunch of tracking stuff added or even through a URL not on the ebay.com domain, as shown in this "exploit". In fact, even if an advertiser were to use a "clean" link as the destination, you first get redirected on that click through a google.com URL, even though the hover text is still lying about the destination.

I'm not even sure what it's doing here, there's some neat JavaScript in play. The hover text shows the "clean" URL, but if I inspect it, and then hover over it again, it shows the real redirect URL through google.com.


They detect a left-click and in the click handler they replace the href, so it's impossible to see before navigating.

Pretty evil huh?


You’re wrong about being able to trust standard anchor links; you can’t. You can intercept the click using an onclick handler and redirect the user to wherever you want.

Viglink and Skimlink do this for affiliate programs, which is somewhat legitimate.


We posted at the same time, you're right. Disabling js fixes this (and so many other problems).

js websites cannot be trusted


Google has been doing this on google.com search page for ages before "upgrading" to ping

I used to run

   // Wrapped in a listener here so the snippet runs as-is; the original comment did not show which event it was bound to
   document.addEventListener('mousedown', function (event) {
     // Only touch <a> elements whose href is a google.com/url redirector (the original regex had "http?:", which never matches https)
     if ((event.target.tagName.toLowerCase() === 'a') && (event.target.childNodes[0]) && (/^(https?:\/\/(www\.|encrypted\.)?google\.[^\/]*)?\/?url/.test(event.target.href))) {
       // Pull the real destination out of the url= parameter, whether or not it is the last one
       var matches = /[\?&](url)=(.+?)(&|$)/.exec(event.target.href);
       if (matches != null) {
         event.target.href = decodeURIComponent(matches[2]);
       }
     }
   });
nowadays if (link.ping) link.ping = null; is enough
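An added example (not code from the thread) that puts the two defenses above together: unwrap a google.com/url redirector to the destination it actually carries, and clear the hyperlink-auditing ping. It assumes the destination sits in the "url" parameter, as in the snippet above, or in a "q" parameter (my assumption); the mousedown wiring only runs in a browser.

```javascript
// Matches <scheme>://(www.|encrypted.)google.<tld>/url?... (pattern taken from the snippet above).
const GOOGLE_REDIRECT = /^https?:\/\/(www\.|encrypted\.)?google\.[^\/]+\/url(\?|$)/;

// Return the real destination of a Google redirect link; anything else comes back unchanged.
function unwrapRedirect(href) {
  if (!GOOGLE_REDIRECT.test(href)) return href;
  let parsed;
  try { parsed = new URL(href); } catch (e) { return href; }
  // "url" is what the thread's snippet keyed on; "q" is an assumption about the same redirector.
  const dest = parsed.searchParams.get('url') || parsed.searchParams.get('q');
  if (!dest) return href;
  // Only accept an absolute http(s) destination; a relative or javascript: value is not "the real link".
  return /^https?:\/\//.test(dest) ? dest : href;
}

// Works on a real <a> element or on a plain {href, ping} object (constructed for the test).
function neutralizeLink(link) {
  const changed = { hrefRewritten: false, pingCleared: false };
  const clean = unwrapRedirect(link.href);
  if (clean !== link.href) { link.href = clean; changed.hrefRewritten = true; }
  // An empty ping attribute sends no beacons; on a real element removeAttribute('ping') works too.
  if (link.ping) { link.ping = ''; changed.pingCleared = true; }
  return changed;
}

// Browser wiring: mousedown fires before click, so the href is already unwrapped
// when the click navigates and the ping is gone before the browser would send it.
if (typeof document !== 'undefined') {
  document.addEventListener('mousedown', function (event) {
    const a = event.target.closest && event.target.closest('a[href]');
    if (a) neutralizeLink(a);
  }, true);
}
```

This handles the redirect-URL and ping mechanisms discussed in this comment; it does not stop a page's own click handler from swapping the href during the click itself, which, as the thread notes, only disabling JS prevents.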


browser.send_pings = false

on Firefox


Hacker life! NEVER click an ad



