Again... Is there any fix coming for this message other than disabling it? I'm getting the message on sites I know are secure; I would think LastPass also knows they are secure. I realize there are other posts on this topic, the latest being 09/2020. However, I want to bump the topic because it is a flaw in LastPass that I would like to see fixed once and for all.
Hello,
This is a preference that can be enabled or disabled following these steps:
While our developers don't currently have any plans to change this feature, as it is something that can be enabled or disabled, I have passed your feedback along to our development team for consideration in future updates.
This response needs to explain how a secure website (using https) can still have an insecure form ... or there is a bug in the system that needs to be resolved. Even IF I think the site should be trusted, the fact that LastPass is warning me should be heeded, right?
It's not a "feature" if it inaccurately warns users of something so serious. Please explain how both a secure site and an insecure form can exist at the same time if it is in fact possible.
Hi @ChasPro,
LastPass will display this warning message if your LastPass extension Preferences are enabled to warn before autofilling on a form that is not secure. This means that the website you are visiting uses an insecure method to submit data (LastPass specifically looks for GET and mailto: methods on the page). The website may be considered secure by the check done by most browsers, but if the site uses an insecure method to submit data via forms this is why you would see that message.
This feature has always been prone to false positives, which is why it's disabled by default. The old forums are gone, but there have been complaints about it dating back over the past decade.
Your only options are to either accept the issue and suppress any notifications on trusted sites, or disable the feature entirely.
Fully agree with this comment. Just turning off a warning is not a solution if you do not understand the implications. Can LastPass please comment on exactly what the issue is and why it happens with so many sites? Very surprised this hasn't been hopped on quickly; it's a major security concern.
As a developer researching this issue for a company, here's my 2 cents...
Given your previously stated facts, you say that your code looks for "GET" or "mailto" before throwing this error. In combing through our pre-compiled code (a modest 300 lines or so), there is only one external call, which is a post and should conform to your requirements. However, the word "get" appears nine times. Most of them are as a substr within a function name, such as "getMeThisFoo()", and in others it is part of a standard function for an industry object, such as this.myGroup.get('elementID').setValue(myString). None of these are security issues. I would suggest your developers first find the substr('get') and then check to see if it's part of an actual http protocol call, such as substr('http.get('http://someURL.com')). Simply throwing this error due to a substr match will make websites that are indeed making valid attempts to BE secure look as if they are not, which will lose reputation points for your product. Lastly, just to be thorough, the page that pops this modal does do an http.get to a news site for news items, but that has nothing to do with this modal dialog box. That is just their "get news" method and does not reflect on the security of this page, as in "no parameters" are being passed in the clear in that get, and that memory space is not even available to the modal. Just in case your plugin looks at ALL code, it shouldn't. Again, this would impact reputation. This is likely the cause of the "false positives" as your engineer stated here, but if this is correct, they are not actually false... they are just reporting the positive of the 'get' substring existence without likely any further context checking.
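To make the distinction in the two posts above concrete (the LastPass reply describing a check for GET and mailto: submission methods, and the developer's point that matching the substring "get" anywhere in page code is not the same thing), here is an added example that is not LastPass's code and not the project's implementation. It inspects the `<form>` start tags of a page and flags only forms whose submit method is GET (the HTML default when `method` is absent), whose `action` is a mailto: URL, or whose resolved action is plain http:, and contrasts that with a naive substring match. The sample page, the page URL `https://example.test/account`, and all form ids are constructed for the example; the attribute extraction is a small regex that suits this sample, not a general HTML parser.

```javascript
// Added example (not LastPass code): find forms that would submit field
// values insecurely, using form attributes rather than a text search for "get".

// Constructed sample page. The word "get" appears only in identifiers and in an
// unrelated request, exactly the situation the developer's post describes.
const SAMPLE_HTML = `
<html><body>
<script>
  function getMeThisFoo() { return this.myGroup.get('elementID'); }
  http.get('https://news.example.test/items');
</script>
<form id="login" method="post" action="/session">...</form>
<form id="search" method="GET" action="/search">...</form>
<form id="contact" action="mailto:info@example.test">...</form>
<form id="legacy" method="post" action="http://example.test/old">...</form>
</body></html>`;

// Pull every <form ...> start tag and its attributes out of the markup.
// Regex-based on purpose: enough for this constructed sample, not a full parser.
function extractForms(html) {
  const forms = [];
  const tagRe = /<form\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = (a[2] ?? a[3] ?? a[4] ?? '').trim();
    }
    forms.push(attrs);
  }
  return forms;
}

// Classify one form. A form is flagged if it would put field values in the URL
// (method=GET, the HTML default), hand them to a mail client (mailto: action),
// or send them to a plain http: endpoint. The page itself being https does not
// change any of these outcomes, which is why an https site can still carry an
// insecure form.
function classifyForm(attrs, pageUrl) {
  const method = (attrs.method || 'get').toLowerCase();
  const resolved = new URL(attrs.action || pageUrl, pageUrl); // relative actions resolve against the page
  const reasons = [];
  if (resolved.protocol === 'mailto:') {
    reasons.push('mailto action');
  } else if (method === 'get') {
    reasons.push('GET method');
  }
  if (resolved.protocol === 'http:') reasons.push('plain http action');
  return { id: attrs.id || null, method, action: resolved.href, reasons };
}

// Return only the forms that have at least one reason to be flagged.
function findInsecureForms(html, pageUrl) {
  return extractForms(html)
    .map((f) => classifyForm(f, pageUrl))
    .filter((f) => f.reasons.length > 0);
}

// The naive heuristic for contrast: does "get" occur anywhere in the page text?
// On the sample it fires because of getMeThisFoo and http.get, neither of which
// is a form submission.
function naiveGetMatch(html) {
  return /get/i.test(html);
}

// Stand-alone run: prints the flagged forms and the naive result.
console.log(findInsecureForms(SAMPLE_HTML, 'https://example.test/account'));
console.log('naive substring match:', naiveGetMatch(SAMPLE_HTML));
```

On the sample, the attribute-based check flags `search` (GET), `contact` (mailto:) and `legacy` (http: action) and leaves the POST-to-https `login` form alone, while the substring check fires on the page as a whole because of the unrelated identifiers. A warning tied to the form a password manager is about to fill, rather than to text anywhere on the page, is what separates a real finding from the false positives discussed in the thread.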
Many times you will get a message like that if the log-in is on a company's main web page that is not https. Check the address bar for the business's web page: if it shows "http" instead of "https", that's probably the reason, and you should probably contact the company and let them know they should have their log-in on a secure page.
AppResearcher explains the problem perfectly. LastPass still needs to address this... It doesn't make sense how such a massively impactful warning simply gets defined as a "normal" false positive...