The only time I used cookies was to maintain state in a transactional system like a shopping cart.
In those days the only ads were banner ads that some clients requested on their web pages.
I never thought about it before, but this Google exploit opens some interesting possibilities:
1) Serve a web page with a hidden frame
3) The script loads a different page into a hidden frame
4) The script scans the loaded [hidden] page for ad clicks
5) The script executes the ad click -- possibly loading another [hidden] page
The result: Anyone with web programming talent can develop a web page that issues ad clicks (to itself or any other site)...
So, you would have a web site that was self-sustaining -- each time you serve a page, it would issue a few ad clicks on your behalf. The ad clicks would be counted, the ads would be served, you'd get paid, and the user would never see the ads...Isn't it ironic that, by using this exploit, Google may have demonstrated the means of its own undoing
-- paying people for ads that never get seen.
Quickly, the advertisers would realize that the "Google" ads aren't very effective -- they are paying Google a lot of money to serve ads, but nobody buys anything (because they don't see the ads).
Now, Google would realize that something was wrong, and reverse engineer your web pages to see what you are doing...
To get around this, you could do the exploit server-side, or in the browser itself...You steal my cookies... I'll steal your cookie jar