Bubblehead
Visitor

Why am I seeing a "We've detected an insecure login form." notice on a secure site?

Again... Is there any fix coming for this message other than disabling it? I'm getting the message on sites I know are secure; I would think LastPass also knows they are secure. I realize there are other posts on this topic, the latest being 09/2020. However, I want to bump the topic because it is a flaw in LastPass that I would like to see fixed once and for all.

Accepted Solution
RachelO
Retired GoTo Contributor

Re: We've detected an insecure login form. Are you sure you want LastPass to fill the insecure form?

Hello,

This is a preference that can be enabled or disabled following these steps:

  1. In your web browser toolbar, click the LastPass icon
  2. Go to Account Options > Extension Preferences.
  3. Click Advanced and enable or disable the setting Warn before filling insecure forms.
  4. Click Save.

While our developers don't currently have any plans to change this feature, as it is something that can be enabled or disabled, I have passed your feedback along to our development team for consideration in future updates.

RachelO is a member of the LogMeIn Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudos!

11 REPLIES 11
ChasPro
New Contributor

Re: We've detected an insecure login form. Are you sure you want LastPass to fill the insecure form?

This response needs to explain how a secure website (using https) can still have an insecure form ... or there is a bug in the system that needs to be resolved. Even IF I think the site should be trusted, the fact that LastPass is warning me should be heeded, right?


It's not a "feature" if it inaccurately warns users of something so serious. Please explain how both a secure site and an insecure form can exist at the same time, if it is in fact possible.

RachelO
Retired GoTo Contributor

Re: We've detected an insecure login form. Are you sure you want LastPass to fill the insecure form?

Hi @ChasPro,


LastPass will display this warning message if your LastPass extension Preferences are enabled to warn before autofilling on a form that is not secure. This means that the website you are visiting uses an insecure method to submit data (LastPass specifically looks for GET and mailto: methods on the page). The website may be considered secure by the check done by most browsers, but if the site uses an insecure method to submit data via forms this is why you would see that message.


ref: https://support.logmeininc.com/lastpass/help/why-am-i-seeing-the-message-lastpass-has-detected-a-log...

ChasPro
New Contributor

Re: We've detected an insecure login form. Are you sure you want LastPass to fill the insecure form?

More details are needed. How is it that a secure connection, using https, which encrypts the transmission from the browser to the receiving server, can at the same time perform an insecure submission? It is simply illogical. What technical distinction am I missing?

Additionally, the original post and other posts suggest the warning is sometimes incorrect.

Can we hear from an engineer that can clarify the situation ... because, "you can turn it off if you like" is a poor approach to simply ignoring a real security issue. Seems like "turning off the warning" was put in as a feature due to its inaccuracies. Let's tighten up the ship here ... because either LastPass is wrong or many many many common sites including major banks don't know they have a huge problem.
jpenny84
Respected Contributor

Re: We've detected an insecure login form. Are you sure you want LastPass to fill the insecure form?

This feature has always been prone to false positives, which is why it's disabled by default. The old forums are gone, but there have been complaints about it dating back over the past decade.


Your only options are to either accept the issue and suppress any notifications on trusted sites, or disable the feature entirely. 


JN1
New Member

Re: We've detected an insecure login form. Are you sure you want LastPass to fill the insecure form?

Fully agree with this comment. Just turning off a warning is not a solution if you do not understand the implications. Can LastPass please comment on exactly what the issue is and why it happens with so many sites? Very surprised this hasn't been hopped on quickly - it's a major security concern.

AppResearcher
New Member

Re: We've detected an insecure login form. Are you sure you want LastPass to fill the insecure form?

As a developer researching this issue for a company, here's my 2 cents...

  • Our site is only https.
  • We use pre-compiled angular builds
  • We have a modal dialog box served up natively that is producing this warning

Given your previously stated facts, you say that your code looks for "GET" or "mailto" before throwing this error. In combing through our pre-compiled code (a modest 300 lines or so), there is only one external call, which is a POST and should conform to your requirements. However, the word "get" appears nine times. Most of them are as a substring within a function name, such as "getMeThisFoo()", and in others it is part of a standard function for an industry object, such as this.myGroup.get('elementID').setValue(myString). None of these are security issues. I would suggest your developers first find the substr('get') and then check to see if it's part of an actual HTTP protocol call, such as substr('http.get('http://someURL.com')). Simply throwing this error due to a substring match will make websites that are indeed making valid attempts to BE secure look as if they are not, which will lose reputation points for your product. Lastly, just to be thorough, the page that pops this modal does do an http.get to a news site for news items, but that has nothing to do with this modal dialog box. That is just their "get news" method and does not reflect on the security of this page, as in "no parameters" are being passed in the clear in that GET, and that memory space is not even available to the modal. Just in case your plugin looks at ALL code, it shouldn't. Again, this would impact reputation. This is likely the cause of the "false positives" as your engineer stated here, but if this is correct, they are not actually false... they are just reporting the positive of the 'get' substring existence without likely any further context checking.
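As an added example (not LastPass code), the Python below implements the rule RachelO describes, flagging only forms whose method is GET or whose action is a mailto: URL, in the way AppResearcher asks for: it parses the HTML so that "get" substrings inside scripts never count. The page URL and sample HTML are constructed, and restricting the report to forms that carry a password field is an assumption about what "login form" means here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a safe POST login form, a GET login form, a mailto: form,
# and a script whose "get" substrings must not trigger a warning.
SAMPLE_PAGE = """
<form method="post" action="/login"><input type="password" name="p"></form>
<form action="/legacy"><input type="password" name="p"></form>
<form method="post" action="mailto:help@example.test"><input type="password" name="p"></form>
<script>function getMeThisFoo(){ return this.myGroup.get('elementID'); }</script>
"""


class FormAuditor(HTMLParser):
    """Collect each <form>: resolved action URL, method, password field present."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"method": (a.get("method") or "get").lower(),  # HTML default is GET
                         "action": urljoin(self.page_url, a.get("action") or ""),
                         "has_password": False}
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "password":
            self._cur["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur:
            self.forms.append(self._cur)
            self._cur = None


def insecure_reasons(form):
    """Reasons a form would submit credentials insecurely; empty list means it is fine."""
    reasons = []
    if form["method"] == "get":
        reasons.append("method=GET puts the fields in the URL, history and server logs")
    if urlparse(form["action"]).scheme.lower() == "mailto":
        reasons.append("action is a mailto: link, so the data leaves via e-mail")
    return reasons


def insecure_login_forms(html, page_url):
    """[(action, reasons)] for password-carrying forms that fail the check."""
    p = FormAuditor(page_url)
    p.feed(html)
    p.close()
    return [(f["action"], insecure_reasons(f))
            for f in p.forms if f["has_password"] and insecure_reasons(f)]
```

Running `insecure_login_forms(SAMPLE_PAGE, "https://www.example.test/account")` reports the GET form and the mailto: form only; the POST form and the script are untouched.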

RainbowKid
Active Contributor

Re: Why am I seeing a "We've detected an insecure login form." notice on a secure site?

Many times you will get a message like that if the login is on a company's main web page that is not https. Check the address bar for the business's web page; if it shows "http" instead of "https", that's probably the reason, and you should probably contact the company and let them know they should have their login on a secure page.

pWishh
Active Contributor

Re: We've detected an insecure login form. Are you sure you want LastPass to fill the insecure form?

AppResearcher explains the problem perfectly. Lastpass still needs to address this... It doesn't make sense how such a massively impactful warning simply gets defined as a "normal" false positive...