O2 Leaking Customer Photos?
Mobile Network Operators have been providing SMS text messaging capabilities for years but it’s only recently that MMS (Multimedia Messaging Service) enabled cell phones have become more popular. It allows an owner of the phone to take a photo and immediately send it to another MMS enabled cellphone. So what happens if a MMS enabled phone sends an e-mail to a non-MMS phone? Well, the mobile operators have thought of that and can host the images on their website and notify the user by text message or e-mail that a new photo is available to view.
You may assume that if you use this service to send a photo to a friend that your photo is protected and not broadcast for the entire world to see. Unfortunately, this may not be the case if there isn’t proper authentication, such as username and password login, to the mobile network operators website that’s hosting the images and here’s an example of that case.
Earlier today, we received an e-mail from O2 that was sent to an incorrect recipient. It’s quite likely that an e-mail address was entered incorrectly by the person setting up the account. I was surprised that we were able to view the image without having to login to the website but figured a strict combination of a unique user id number and unique image id would be required making it incredibly difficult to guess. After all, it wouldn’t be possible to access these images without receiving a misaddressed e-mail, right? Wrong!
I looked at the URL in the e-mail and found the only requirement was a 16 digit hex number. [Update: A few readers pointed out that a 64-bit key results in a HUGE number of possibilities to guess 10^19. However, as I can obtain the keys via another security hole no guessing is required - I’m not going to release that information yet as I’d like O2 to fix this]. As these web pages were wide open to the internet, not requiring any authentication a very small handful were indexed by Google. I was able to craft a Google search that results in some matches to show an example of how this is an insecure method of hosting:
http://www.google.com/search?hl=en&q=inurl:mms2legacy&start=20&sa=N&filter=0
Worse still, the majority of the images taken on cameras turns out to be children. Ironically, O2 has a website dedicated to “Protect Our Children”, well a good first step would be to avoid leaking customer photos.
Update: Someone posted this story to the O2 Customer Forum website but the thread has mysteriously disappeared. Hmmm….I wonder why? The thread discussing this in the forum was here but now simply returns “The topic or post you requested does not exist” webpage. Google did manage to grab it….
“Debian package maintainers tend to very often modify the source code of the package they are maintaining so that it better fits into the distribution itself. However, most of the time, their changes are not sent back to upstream for validation, which might cause some tension between upstream developers and Debian packagers. Today, a critical security advisory has been released: a Debian packager modified the source code of OpenSSL back in 2006 so as to remove the seeding of OpenSSL random number generator, which in turns makes cryptographic key material generated on a Debian system guessable. The solution? Upgrade OpenSSL and re-generate all your SSH and SSL keys. This problem not only affects Debian, but also all its derivatives, such as Ubuntu.”
From: Florian Weimer <fw <at> deneb.enyo.de>
Subject: [DSA 1571-1] New openssl packages fix predictable random number generator
Newsgroups: gmane.linux.debian.user.security.announce
Date: 2008-05-13 12:06:39 GMT (1 day, 13 hours and 31 minutes ago)
------------------------------------------------------------------------
Debian Security Advisory DSA-1571-1 security <at> debian.org
http://www.debian.org/security/ Florian Weimer
May 13, 2008 http://www.debian.org/security/faq
————————————————————————
Package : openssl
Vulnerability : predictable random number generator
Problem type : remote
Debian-specific: yes
CVE Id(s) : CVE-2008-0166
Luciano Bello discovered that the random number generator in Debian’s
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.
This is a Debian-specific vulnerability which does not affect other
operating systems which are not based on Debian. However, other systems
can be indirectly affected if weak keys are imported into them.
It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch. Furthermore, all DSA keys ever used
on affected Debian systems for signing or authentication purposes should
be considered compromised; the Digital Signature Algorithm relies on a
secret random value used during signature generation.
The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
distribution on 2006-09-17, and has since propagated to the testing and
current stable (etch) distributions. The old stable distribution
(sarge) is not affected.
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections. Keys generated with GnuPG or GNUTLS are not affected,
though.
A detector for known weak key material will be published at:
<http://security.debian.org/project/extra/dowkd/dowkd.pl.gz>
<http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc>
(OpenPGP signature)
Instructions how to implement key rollover for various packages will be
published at:
<http://www.debian.org/security/key-rollover/>
This web site will be continously updated to reflect new and updated
instructions on key rollovers for packages using SSL certificates.
Popular packages not affected will also be listed.
In addition to this critical change, two other vulnerabilities have been
fixed in the openssl package which were originally scheduled for release
with the next etch point release: OpenSSL’s DTLS (Datagram TLS,
basically “SSL over UDP”) implementation did not actually implement the
DTLS specification, but a potentially much weaker protocol, and
contained a vulnerability permitting arbitrary code execution
(CVE-2007-4995). A side channel attack in the integer multiplication
routines is also addressed (CVE-2007-3108).
For the stable distribution (etch), these problems have been fixed in
version 0.9.8c-4etch3.
For the unstable distribution (sid) and the testing distribution
(lenny), these problems have been fixed in version 0.9.8g-9.
We recommend that you upgrade your openssl package and subsequently
regenerate any cryptographic material, as outlined above.
Upgrade instructions
——————–
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
——————————-
Source archives:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3.dsc
Size/MD5 checksum: 1099 5e60a893c9c3258669845b0a56d9d9d6
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz
Size/MD5 checksum: 3313857 78454bec556bcb4c45129428a766c886
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3.diff.gz
Size/MD5 checksum: 55320 f0e457d6459255da86f388dcf695ee20
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_alpha.deb
Size/MD5 checksum: 1025954 d82f535b49f8c56aa2135f2fa52e7059
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_alpha.deb
Size/MD5 checksum: 4558230 399adb0f2c7faa51065d4977a7f3b3c4
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_alpha.deb
Size/MD5 checksum: 2620892 0e5efdec0a912c5ae56bb7c5d5d896c6
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_alpha.deb
Size/MD5 checksum: 2561650 affe364ebcabc2aa33ae8b8c3f797b5e
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_alpha.udeb
Size/MD5 checksum: 677172 5228d266c1fc742181239019dbad4c42
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_amd64.deb
Size/MD5 checksum: 1654902 d8ad8dc51449cf6db938d2675789ab25
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_amd64.deb
Size/MD5 checksum: 891102 2e97e35c44308a59857d2e640ddf141a
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_amd64.deb
Size/MD5 checksum: 992248 82193ea11b0bc08c74a775039b855a05
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_amd64.deb
Size/MD5 checksum: 2178610 fb7c53e5f157c43753db31885ff68420
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_amd64.udeb
Size/MD5 checksum: 580250 7fb3d7fee129cc9a4fb21f5c471dfbab
arm architecture (ARM)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_arm.deb
Size/MD5 checksum: 1537440 c5ab48e9bde49ba32648fb581b90ba18
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_arm.udeb
Size/MD5 checksum: 516576 84385b137c731de3b86824c17affa9f3
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_arm.deb
Size/MD5 checksum: 2049882 7ed60840eb3e6b26c6856dcaf5776b0c
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_arm.deb
Size/MD5 checksum: 1011698 abfa887593089ac0f1cd4e31154897ee
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_arm.deb
Size/MD5 checksum: 805912 a605625ea107252e9aebbc77902a63ed
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_hppa.deb
Size/MD5 checksum: 1585900 2cbe55764db351dc6c3c2d622aa90caf
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_hppa.deb
Size/MD5 checksum: 2248328 664fb0992b786ce067a7d878056fc191
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_hppa.deb
Size/MD5 checksum: 1030782 21f445c541d5e5b7c16de1db9ee9d681
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_hppa.deb
Size/MD5 checksum: 945144 c1092f3bb94d920d0beaa372c9cab04e
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_hppa.udeb
Size/MD5 checksum: 631132 76339119275786b5e80a7a1b4cd26b71
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_i386.deb
Size/MD5 checksum: 2086512 eeef437fb87ad6687cd953d5951aa472
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_i386.deb
Size/MD5 checksum: 5584696 6d364557c9d392bb90706e049860be66
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_i386.deb
Size/MD5 checksum: 1000832 ed5668305f1e4b4e4a22fbd24514c758
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_i386.udeb
Size/MD5 checksum: 554676 dbad0172c990359282884bac1d141034
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_i386.deb
Size/MD5 checksum: 2717086 361fde071d18ccf93338134357ab1a61
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_ia64.udeb
Size/MD5 checksum: 801748 05b29fc674311bd31fe945036a08abd5
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_ia64.deb
Size/MD5 checksum: 1192192 56be85aceb4e79e45f39c4546bfecf4f
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_ia64.deb
Size/MD5 checksum: 2593418 f9edaea0a86c1a1cea391f890d7ee70f
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_ia64.deb
Size/MD5 checksum: 1569418 4b2cb04d13efabdddddbd0f6d3cefd9b
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_ia64.deb
Size/MD5 checksum: 1071156 e1f487c4310ad526c071f7483de4cd1a
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_mips.deb
Size/MD5 checksum: 1003816 f895a8bc714e9c373ee80f736b5af00b
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_mips.deb
Size/MD5 checksum: 2262266 004484e816d4fe5ff03fe6d7df38d7b7
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_mips.deb
Size/MD5 checksum: 1692606 e8273f5d123f892a81a155f14ba19b50
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_mips.deb
Size/MD5 checksum: 875558 44074bce1cde4281c5abcf45817f429d
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_mips.udeb
Size/MD5 checksum: 580130 b6b810d1c39164747e3ebc9df4903974
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_mipsel.udeb
Size/MD5 checksum: 566168 97963ca9b6ada94445fb25b3126655e9
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_mipsel.deb
Size/MD5 checksum: 992712 41c2bbe984553d693f21c3ec349ea465
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_mipsel.deb
Size/MD5 checksum: 2255558 3c63936cd511975291b4230bef1a2e3b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_mipsel.deb
Size/MD5 checksum: 860506 d580fbeed6efd734245ea7a7bed225bb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_mipsel.deb
Size/MD5 checksum: 1649300 3315d1406f995f5b6d2a4f958976a794
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_powerpc.deb
Size/MD5 checksum: 1002022 b2749639425c3a8ac493e072cfffb358
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_powerpc.deb
Size/MD5 checksum: 895460 e15fbbbbcfe17e82bacc07f6febd9707
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_powerpc.udeb
Size/MD5 checksum: 585320 61488ea7f54b55a21f7147fe5bc3b0f0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_powerpc.deb
Size/MD5 checksum: 1728384 539ee1a3fe7d9b89034ebfe3c1091b6f
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_powerpc.deb
Size/MD5 checksum: 2210792 82e9e27c6083a95c76c5817f9604178f
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_s390.udeb
Size/MD5 checksum: 643008 4861c78ea63b6c3c08c22a0c5326d981
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_s390.deb
Size/MD5 checksum: 1632976 01d289d460622382b59d07950305764f
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_s390.deb
Size/MD5 checksum: 951404 d92bb390489bed0abff58f7a1ceade6b
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_s390.deb
Size/MD5 checksum: 1014308 487c24f2af25797a857814af7c9c0d0b
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_s390.deb
Size/MD5 checksum: 2193782 f1fe472c802e929a57bd8c8560bd3009
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_sparc.deb
Size/MD5 checksum: 4091340 970453ebfab8152c9c44ae210fbaa2a4
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_sparc.udeb
Size/MD5 checksum: 539054 7be1258f74165c4b037e202d2048f8ce
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_sparc.deb
Size/MD5 checksum: 1010536 6444d6cc6fd838c82716462aacd1cf84
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_sparc.deb
Size/MD5 checksum: 2108000 ab0d0ccc72764a26b7767cace520b269
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_sparc.deb
Size/MD5 checksum: 2126386 61ddc204ee650cdd0f2b56e358134e2b
These files will probably be moved into the stable distribution on
its next update.
———————————————————————————
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce <at> lists.debian.org
Package info: `apt-cache show <pkg>’ and http://packages.debian.org/<pkg>
Try typing `jobs’ on Google search, and you might be in for a surprise — on the sponsored links column, one of the ads is by competitor Yahoo!
That is probably why Murugavel Janakiraman, Founder and Chief Executive Officer, Bharatmatrimony.com, comfortably maintains relations with both companies — Yahoo is an investor in his portal, while the other provides advertising space for the matchmaker.
However, it isn’t just the big players who are benefiting from Google AdWords and AdSense. A whole network has arisen, which includes advertisers from SMEs to MNCs, hosts from large publishing portals to individual bloggers, and, of course, the 50 million Internet users in the country. According to a comScore Media Matrix 2005 report, about 80 per cent of Internet users access Google.com.
K. Sundararaman, Acting Sales Head, Google India, sheds some light on how this network works. He says that apart from the ads that appear on www.google.com, there is Google AdSense, which allows individual Web sites to rent out the space on the page.
These Web sites, Sundararaman explains, are selected through `site targeting’ that “allows advertisers to choose individual Web sites within the Google content network where they would like their ads to appear … allowing advertisers to handpick the audience they want to reach.”
Managing ad campaigns
Apart from this, the advertiser can specify search-targeted keywords for categories such as broad matches, phrase matches, exact matches or negative matches. This keyword matching system is completely automated. “We suggest using a combination of two or more of these techniques to run an effective ad campaign,” he says.
Which in turn means that managing an effective ad campaign with Google AdWords is not quite such a simple project. For example, Bharatmatrimony.com has a three-member internal team that continually reviews the conversion rate of the number of people that click on their ads in other Web sites, the cost of advertising on Google and the relevance of the keywords that the company has submitted, says Janakiraman.
As large clients, they work in conjunction with a team from Google that has been assigned to work with them. The company has bought about 30,000 keywords.
Keywords matter
Similarly, eBay has an internal team that works full-time on the paid search programme with the Google account team, according to Rathin Lahiri, Head - Marketing, eBay India. This is possibly because “paid search is one of the better performing channels and the search customer is an evolved customer,” he says.
The revenue model for the Web site is that advertisers pay for the click or impression that they receive.
For ads priced at cost-per-thousand-clicks, an advertiser may pay as low as Rs 10 per thousand, and for cost-per-click priced ads, it may be as low as Re 0.44 per click, according to the company.
The rate of keywords varies, says Lahiri. For example, the keyword `Nokia’ would be more valuable than a keyword such as `pencil’ — at the end of the day, the rate that eBay pays is a function of the click-through-rate and the cost-per-click. The keyword `Nokia phone’ is more valuable than `Nokia blue tooth device’ and therefore has a better click-through-rate.
Users big and small
This has opened up a whole market through the AdSense route. And since the tool caters to publishers of all sizes, the company has both large publishers that have content on the Internet such as Sify.com, NDTV.com, and Moneycontrol.com, as well as individual Web site owners.
Deepesh Agarwal, who runs a Web site that provides freeware solutions, receives on an average 4,000-odd daily ad impressions and earns anywhere from $800 to $2,100 per month depending on the amount of traffic and its `quality.’
He has been using the service for three years. Though the first two years didn’t yield many results, but the last year has been a good one. In fact, though the Web site was never intended as a money-spinner, it now constitutes the biggest portion of Agarwal’s revenue.
Success story
“My traffic is primarily from the US and Canada — about 60 per cent — and the visitors are common computer users looking for free alternatives for paid shareware applications meant for day-to-day computer maintenance tasks,” he explains.
But it doesn’t even have to get that technical to be a success. Jamshed Velayuda Rajan, a Usability Consultant with Satyam Computers, maintains two Web sites — one in which he writes about himself and his family, and another blog on cricket.
The latter, he expects, will have traffic of about 2,500 to 3,500 people when cricket matches are going on.
Typically, 350 unique people per day, and about 450 to 500 clicks is the count for his two portals combined.
As for the remuneration, he explains, “High value keywords would earn more — if I had a finance blog, for example, I could make as much as $4 for one click.
Since cricket is not a money-spinner in that sense, perhaps between 10 and 30 cents per click.” All in all, he has made about Rs 30,000 in the last two years.
Not bad for a man who was looking to have a bit of fun by writing about his life and his family. - by Abhinav Ramnarayan
Paypal has launched a product aimed at helping small and medium businesses accept online payments securely and cost-effectively.
The Website Payments Pro product is the first non-hosted payment suite from Paypal, a subsidiary of online auction giant eBay. It includes Express Checkout, Direct Payment API and Virtual Terminal functions, so firms can let shoppers choose how to pay for their purchases.
The Direct Payment API lets businesses accept credit or debit card payments. Buyers enter card details directly on the website of the business and payments are processed through Paypal.
Customers can also pay for their goods using Paypal’s Express Checkout, removing the need to re-enter billing or delivery information with every purchase. Buyers can use any major credit or debit card, bank account or Paypal account balance.
The Virtual Terminal allows businesses to accept orders offline via phone, fax or mail and then enter the details online so the transaction is processed by Paypal.
Companies can include their own branding on the checkout process web pages and can direct buyers back to their websites to continue shopping after payments are completed.
Carl-Olav Scheible, general manager of merchant services at Paypal said the product was developed to meet the needs of businesses that wanted the benefits of Paypal, combined with those of a merchant account and gateway.
But Paypal users have been heavily targeted by criminal phishing scams. Last July, security firm Sophos revealed that 54 percent of the phishing emails received by its threat analysis centres were aimed at stealing log-in and other details from Paypal users.
Pricing for Website Payments Pro includes a monthly fee and a rate per transaction. - By Computerworld UK staff
We’ve heard that many publishers are having trouble viewing referral 2.0 ads on their pages, and we’d like to explain some of the most common reasons why this might be. First, keep in mind that not all referral ads are available in all sizes. For instance, most horizontal referral ad units smaller than 180×60, square referral ad units smaller than 125×125, and text links are only available at this time for Google products such as AdSense or AdWords. This means that if you generate code for referral ads in an unsupported size, you won’t see any referrals shown on your webpages. To avoid this issue, we recommend first selecting categories or products for your referrals before selecting a size at this time. Similarly, you may not see the referral ads you’ve selected on your pages if you’ve grouped a number of referral ads into your Ad Shopping Cart which are each available in different sizes. If this is the case, you may wish to try regenerating your referral code with a particular ad format in mind — this way, you can be sure to select products available in that format. Here are several other reasons your chosen referral ads may not show: The particular referral ad you’ve chosen is not available in your country. When generating your code, you can view the ads available for specific countries by clicking the ‘change’ link above the referrals wizard. You’ve unselected the ‘Pick best performing ads’ checkbox for a referral where the advertiser has run out of budget or ended the campaign. To take advantage of the available inventory of related products, we recommend leaving this box checked. You’ve added more than three referral units to your page. Our current policy allows a maximum of three referral ad units on any policy-compliant page. Our system has determined that your pages contain potentially mature or sensitive content. However, as your content changes, you may begin to see referral ads appearing. The referral ad code may have been modified. Be sure to copy the code exactly as it appears in your account and paste it directly onto your pages. Please know that we’re working as quickly as we can to fine-tune the process of generating referral code. Also, we appreciate all of your feedback on referrals 2.0 so far, and we encourage you to let us know how we can keep improving AdSense - Rajiv Sud - AdSense Publisher Support