111

I just got a pop-up after having logged on to Gmail. It said it was from https://googleads.g.doubleclick.net and asked for username and password.

Screenshot of login dialog.

What should I do about this? Has anyone else seen this?

I did press cancel, nothing happened. The only add-on I have installed is HttpRequester.

Rory Alsop
morten
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/41600/discussion-on-question-by-morten-what-should-i-do-about-gmail-ad-asking-me-for-p). – Rory Alsop Jun 24 '16 at 08:53
  • 1
    If you run AdBlock Plus and Ghostery, you won't get the dialog because all requests to DoubleClick will be blocked: http://cubicspot.blogspot.com/2014/03/why-i-run-adblock-plus-and-ghostery.html – CubicleSoft Jun 24 '16 at 12:56

5 Answers

72

This seems unlikely but not unthinkable. From the information in your question and the supplied screenshot, it seems that the Google ad domain was or currently is compromised.

What to do now?

Firstly, make sure that you have antivirus and anti-spyware software installed and that this software (including your operating system) is up-to-date. It is a good idea to let your antivirus and anti-spyware software run a full system scan.

Secondly, even if you didn't fill in your credentials, I'd recommend changing your password as soon as possible with an ad blocker (like Adblock Plus, Adblock, uBlock Origin or similar) installed and enabled in your browser. It is recommended to enable two-factor authentication on your Google account (if you didn't do that already) to prevent (future) leaked credentials from being misused.

Thirdly, contact Google about this and supply them with details like your IP, URL, screenshots, date/time and as much information as you have. You can contact Google about this at "goo.gl/vulnz" or check https://www.google.com/about/appsecurity

Additional information

Alternative explanation

Another explanation for this could be (although this would be unlikely and amateurish for a company like Google) that the developers overlooked a mistake in the development, testing and releasing process.

Also (as mentioned in different comments) this result could possibly be caused by some kind of man-in-the-middle attack (like a hacked proxy) or a malicious browser extension.

Why change your password if you didn't fill in your credentials?

The site showed an unusual but visible "basic auth" prompt from an external domain. Assuming that the domain was compromised (at least until it is proven not) the attackers could as well include other code that was not directly visible. Maybe persistent in cache? Maybe some kind of malware? Since we can't exclude those possibilities either, and since a password change or virus/malware scan won't hurt anyone, these are extra measures, just to be sure.

Is doubleclick.net really owned by Google?

Yes! As described in this Wikipedia article and as shown in the WHOIS information of doubleclick.net. Registrant Organization: Google Inc.

Bob Ortiz
  • 14
    `change your password as soon as possible` ... possibly from a different browser or even a different computer that you know is not compromised. You might want to go as far as using a different network (aka resetting password on coffee shop free wifi might not be the best idea). – CaffeineAddiction Jun 21 '16 at 15:53
  • 5
    Can you explain why one should change their password if they never entered credentials? I can understand if they gave them login information but otherwise such a step seems like a moot overreaction if those details were never compromised or transmitted. – Bacon Brad Jun 21 '16 at 23:04
  • 19
    @EvanderConsus: OK, I *still* don't understand why the user should change their password if they never entered credentials.  Maybe I'm misunderstanding, but you seem to be suggesting that the attack might have left residual malware.  It seems to me that, if you don't clean that up, changing your password is like changing your locks while the burglar is still in your house. – Scott - Слава Україні Jun 22 '16 at 03:27
  • 2
    @morten if you decide not to report this to Google let us know so someone else can. i'm curious for their official reply. – Insane Jun 22 '16 at 08:55
  • -1 For not mentioning the very real possibility that this is the result of a hacked proxy or extension. Not saying that's necessarily the case, but I have seen such attacks in the wild, so they do warrant mentioning. – David Mulder Jun 22 '16 at 09:40
  • 1
    @DavidMulder, you are right. Also mentioned in other comments. I added the possibility. – Bob Ortiz Jun 22 '16 at 09:44
  • Thanks. I reported this to google now. Let's see if they get back to me. – morten Jun 22 '16 at 11:53
  • 2
    It seems (much) more likely that doubleclick.net just has a mis-configured server lying around somewhere that is responding with 403s instead of serving up the ads, rather than the server actually being compromised. – reirab Jun 22 '16 at 21:37
  • If it was a malicious ad that snuck past google's anti-malware checks, would the password box still list the google-owned domain? – childofsoong Jun 23 '16 at 18:04
  • @reirab misconfiguration causing serving 403s will not result in basic authentication prompts. A 403 will be served after a basic auth prompt is ignored or credentials are incorrect. – Bob Ortiz Jul 22 '16 at 12:22
  • @childofsoong Interesting question. In case the basic authentication prompt is directly from a Google server listening to a Google domain then yes, it will list a Google domain. I'm not sure about the possibility of proxying a basic authentication prompt and if Google is doing that, in which case it will also still list the Google domain. In all other cases another domain will be listed. – Bob Ortiz Jul 22 '16 at 12:24
  • 1
    @KevinMorssink Oh, yeah, sorry, you're right. The challenge is served with a 401, not a 403. At any rate, my point remains. The server was probably just misconfigured to require authentication. – reirab Jul 22 '16 at 13:55
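
Added example, not part of the original answers or comments: the dialog discussed above appears when a response carries status 401 together with a `WWW-Authenticate` challenge, and a 403 alone does not produce it. The sketch below scans entries shaped like `log.entries` in a browser HAR export and reports such challenges that come from a host other than the page's own. The entries and the realm value are constructed sample data, and the function name is hypothetical.

```javascript
// Added example. The HAR-style entries are constructed sample data, not a real capture.
const sampleEntries = [
  { request: { url: "https://mail.google.com/mail/u/0/" },
    response: { status: 200, headers: [] } },
  { request: { url: "https://googleads.g.doubleclick.net/pagead/drt/si?ogt=1&pli=1" },
    response: { status: 401, headers: [
      { name: "WWW-Authenticate", value: 'Basic realm="Google"' }] } },
  // A 403 carries no challenge, so the browser shows no credentials dialog.
  { request: { url: "https://googleads.g.doubleclick.net/pagead/other" },
    response: { status: 403, headers: [] } },
  // Same-host 401: the page's own server is asking, so it is not reported.
  { request: { url: "https://mail.google.com/private" },
    response: { status: 401, headers: [
      { name: "www-authenticate", value: 'Digest realm="mail", nonce="abc"' }] } },
];

// Schemes that use the generic username/password dialog (Basic and Digest).
const PROMPTING_SCHEMES = new Set(["basic", "digest"]);

// Returns one finding per 401 challenge served by a host other than the page's.
function findForeignAuthPrompts(pageUrl, entries) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const { request, response } of entries) {
    if (response.status !== 401) continue;
    const header = response.headers.find(
      (h) => h.name.toLowerCase() === "www-authenticate");
    if (!header) continue;
    // The scheme is the first token of the challenge, e.g. "Basic".
    const scheme = header.value.trim().split(/\s+/)[0].toLowerCase();
    if (!PROMPTING_SCHEMES.has(scheme)) continue;
    const host = new URL(request.url).hostname;
    if (host === pageHost) continue;
    // The realm is the text the dialog shows as the site's message.
    const realm = (/realm="([^"]*)"/i.exec(header.value) || [])[1] || "";
    findings.push({ host, scheme, realm, url: request.url });
  }
  return findings;
}

console.log(findForeignAuthPrompts("https://mail.google.com/mail/u/0/", sampleEntries));
```
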
24

As a web developer, I agree with Andrew: it all points to a developer's mistake. They probably password-protected some of the resources required for some of the ads (for example, CSS, JS, a font, an image, a JSON file, etc.).

I tried with my Gmail account and it is also happening. The protected link is:

https://googleads.g.doubleclick.net/pagead/drt/si?ogt=1&pli=1&auth=bgN4B9npCUq44nAGCAS6CK9DwN2HLgJWDF_NXi4wRqkGyC8mp1_mF5KWfi_pZjAwWn9zCg.

Note: I changed the "auth" value as I don't know if it contains private information.

But trying to open it directly fails (it must have some kind of verification. See the "auth" parameter).

It is not asking for your gmail credentials. If they were trying to get your credentials, instead of "Google" it would have said: "Please enter your gmail user and password".

Just don't enter your credentials. Maybe there is already some report about that going on.

It's very strange that they haven't fixed that already.

UPDATE

I reported the issue here: https://support.google.com/mail/contact/gtag?hl=en

UPDATE 2

The problem seems to be gone in my account.

Looking into more detail, "doubleclick.net" is a subsidiary of Google and it seems it doesn't have a great reputation.

It is not the first time that this "password pop-up" happens with this company; here is a report back in Jun 22 and 2005.

BTW, someone else reported it too in SO.

lepe
  • 2
    It's fixed now. – Ángel Jun 22 '16 at 13:44
  • 1
    Good to hear that. Do you have any link about it? – lepe Jun 22 '16 at 13:48
  • works for me? Although perhaps the error could be restricted to a single datacenter :S Is it still failing for you? – Ángel Jun 22 '16 at 13:56
  • I updated my answer (update 2) – lepe Jun 23 '16 at 01:13
  • 1
    Of course DoubleClick won't have a great reputation. Basically, it is involved with advertising, and tracking user behavior. This may help Google financially, but privacy opponents will despise it, and there is no perceived benefits. So some/many people will hate DoubleClick (for privacy invasions and/or slowing down their web experience) with nobody loving it, thereby resulting in a company hated by everyone except for beneficiaries. And the one entity that notably claims any benefit is the company known as Google. – TOOGAM Jun 23 '16 at 22:21
16

This is an HTTP(S) Auth window. It looks like a Google Ad is misconfigured.

You should report it to Google immediately.

dr_
  • 5
    Isn't it a "basic auth" prompt screen? Usually sending credentials plaintext over HTTP except that this screenshot shows it's requested by 'https://...'. – Bob Ortiz Jun 21 '16 at 12:18
  • @EvanderConsus This is generic password input screen, used for digest too. – Agent_L Jun 21 '16 at 13:26
  • 1
    I can only guess. But if Google proxies the ads over their domain, then SSL will still be valid. In case of an XSS or other infection on the server, you might be able to achieve this. – Bob Ortiz Jun 21 '16 at 14:03
8

It might be a (extremely poor) phishing attempt, or it might be just a misconfigured ad server (asking for the login and password due to .htaccess).

Report it to Google (as they own both GMail and Doubleclick). Don't panic.

Changing password is probably not necessary, but I still recommend doing it (you should change your passwords at least semi-regularly anyway).

Matthew
Jakub
  • 1
    The fact that Google own both Gmail and Doubleclick should not result in assuming there is no need to panic. Since it's unclear at this point if the specific server is compromised. – Bob Ortiz Jun 21 '16 at 13:45
  • 14
    Frankly, there is never a reason or need to panic. Panicking causes you to make wrong decisions, often making a not-so-bad situation a catastrophe. Reporting this situation to Google and changing the password should be more than enough in this case. Especially if the OP uses the two-factor-auth. – Jakub Jun 21 '16 at 13:51
  • 1
    +1 for mentioning a misconfigured .htaccess or similar. This seems **far** more likely to be the case. – reirab Jun 22 '16 at 21:39
2

First of all if the domain name (the fully qualified domain name left of the rightmost period) isn't Google, I wouldn't log in.

You should always look for the rightmost period. Once you hit a slash (/ or \), you have superseded the domain name. Not a dash or hyphen; that could be a part of exampledomain.com, etc. Basically, make sure it is Google. You can also potentially verify by the SSL certificate by clicking the green lock by the https block of text near the URL.

All in all, this sounds specious, Google keeps your session logged in for quite some time. If you want to make sure, go to gmail.com, if it logs you in, no questions asked, then you know it was fake.

Google has a policy of 'log you in to one, log you in to all'. If you're logged in to one Google site, you've got an authenticated session for all sites. So if you can get to Google, it was fake because the real Google already knows it's you, wouldn't have asked you, if it's not really Google, it would ask you to log in. But basically, most importantly, never log in to a prompt like that, I've never seen Google ask for login like that.

I'll bet $50 bucks it's fake. But always make sure by going to a real Google site on your own, check domain name, by last period and make sure Google owns the TLD, and ssl certificate.

All in all, go to gmail.com and see if it logs you in. If it does, it was fake; if it doesn't, log in to Gmail and refresh the pop-up and see if it asks you again. If it does, it's fake. If it lets you in, it was real. You will never have to log in to a prompt with your actual login info. And even if, never log in to Google via a prompt pop-up like that. Google always asks you via login webpage to ask for 2nd factor authentication, etc.; the popup you showed was a prompt, not a webpage.

  • 2
    Google own http://doubleclick.net. – cat Jun 21 '16 at 22:03
  • I had just logged in to the proper google login, with two factor authentication. I could see my emails in the background as this popup appeared. – morten Jun 22 '16 at 11:29
  • 1
    Google may own doubleclick but that doesn't mean that you should enter your credentials. – ktamlyn Jun 22 '16 at 15:59
  • 1
    Correct @ktamlyn online advertising agencies are known for showing advertiser content. This could include a snippet of malicious code. Be careful! Don't login! – Joseph Orlando Jun 22 '16 at 17:44
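
Added example, not part of the original answer or comments: the "rightmost period, stop at the first slash, hyphens are part of the name" rule from the answer above, done with the browser's own URL parser instead of by eye. The function name and sample URLs are constructed for illustration, and the caller is assumed to pass the registrable domain it expects (here `google.com`).

```javascript
// Added example. Sample URLs are constructed; nothing is fetched.
// True only when the URL is HTTPS and its host is `domain` or a subdomain of it.
function hostBelongsTo(urlString, domain) {
  let u;
  try {
    u = new URL(urlString); // WHATWG parser: "\" ends the host just like "/"
  } catch {
    return false; // unparseable input is never trusted
  }
  if (u.protocol !== "https:") return false;
  const host = u.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // Require a label boundary: "notgoogle.com" must not match "google.com".
  return host === domain || host.endsWith("." + domain);
}

const samples = [
  "https://accounts.google.com/signin",                // expected host
  "https://googleads.g.doubleclick.net/pagead/drt/si", // different domain
  "https://accounts.google.com.login.example/signin",  // name used as a prefix
  "https://login.example/accounts.google.com/signin",  // name only in the path
  "https://login.example\\accounts.google.com/signin", // backslash ends the host
  "https://accounts-google.com/signin",                // hyphen, not a period
  "https://notgoogle.com/signin",                      // suffix without a dot
  "http://accounts.google.com/signin",                 // right host, no TLS
];

// Returns [url, verdict] pairs for every sample.
function checkSamples(domain) {
  return samples.map((s) => [s, hostBelongsTo(s, domain)]);
}

for (const [url, ok] of checkSamples("google.com")) {
  console.log(ok ? "match   " : "no match", url);
}
```
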