MCaspers
Posts: 1
Joined: Sun Sep 01, 2019 4:03 am
Contact: Website

Security warning on raspberrypi.org?

Wed Oct 09, 2019 2:44 am

Hi All,

Lately I'm getting a security warning about raspberrypi.org; it seems that this site is also doing something with phplist.com?
Perhaps this is cross-site scripting?
Can anyone in the know confirm that this is legit, or has this website become infected with malware?
(Please note that I've done some site checks against Symantec and Trend Micro databases and these list the site as safe so it shouldn't be the latter, but I'd rather be safe than sorry and ask anyways..)

Just so you know, for me it's LastPass that is giving these security warnings.

grega
Site Admin
Posts: 45
Joined: Thu Feb 09, 2017 4:50 pm

Re: Security warning on raspberrypi.org?

Wed Oct 09, 2019 9:29 am

Thanks for the note, I'll try to explain what's happening here...

When LastPass fills in the forum login form it inserts the username into the `username` field as below:
Screenshot 2019-10-09 at 10.27.53.png

At the bottom of the page, you'll see there's a newsletter sign up form - this uses a service called phpList (it's what's used for the Pi Weekly emails). This form contains an `email` input.
Screenshot 2019-10-09 at 10.14.25.png

Since login forms often contain either a `username` or an `email` input (and the two can be used somewhat interchangeably), LastPass is automatically filling in this `email` field with your username at the same time as filling in the login form, the assumption being that this may be part of the login form.

When the login form is submitted, pre-filled by LastPass, LastPass detects that another form has information in it filled in by LastPass (the newsletter form) and it then presents you with the following warning:
Screenshot 2019-10-09 at 10.13.58.png

Somewhat ironic since it was of course LastPass which filled in this form (unnecessarily) in the first place!

The phpList form never gets submitted upon login, and it only ever contains your username (not your password), so it is seemingly safe to ignore. However, it may be preferable to see if LastPass can be configured not to blindly fill in any matching inputs on the page that aren't part of the login form itself. Unfortunately we can't rename the phpList form's `email` field to anything else, because it's a required field!

Hope that helps clarify.
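The over-filling described above can be reproduced outside the browser. The following is an added example, not code from the forum post, LastPass or phpList: it parses a constructed page containing a phpBB-style login form and a phpList-style newsletter form, then contrasts a "fill every username/email-looking input" heuristic with one that only fills identity fields inside a form that also carries a password input. The HTML, the form ids and the action paths are constructed for the example.

```python
"""Added example (not from the forum thread, LastPass or phpList): show why
a page-wide "fill anything that looks like a username" heuristic also hits
a newsletter form, while a form-aware heuristic does not."""
from html.parser import HTMLParser

# Constructed sample page: a login form plus a phpList-style newsletter form.
# Ids and action paths are made up for this example.
SAMPLE_PAGE = """
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" name="login" value="Login">
</form>
<form id="newsletter" action="/lists/subscribe" method="post">
  <input type="email" name="email">
  <input type="submit" value="Subscribe">
</form>
"""

# Input names a password manager would typically treat as an identity field.
IDENTITY_NAMES = {"username", "user", "email"}
# Input types that are never candidates for filling an identity value.
NON_FILLABLE_TYPES = {"submit", "hidden", "password", "button"}


class FormCollector(HTMLParser):
    """Collect each <form> on the page with the (type, name) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"id": a.get("id", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((a.get("type") or "text").lower(), (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_forms(html):
    """Return the list of forms found in the HTML string."""
    p = FormCollector()
    p.feed(html)
    return p.forms


def _is_identity_input(typ, name):
    return typ not in NON_FILLABLE_TYPES and (name in IDENTITY_NAMES or typ == "email")


def naive_fill_targets(forms):
    """Page-wide heuristic like the one the thread describes: fill every
    username/email-looking input regardless of which form it belongs to."""
    return sorted(f["id"] + ":" + name
                  for f in forms for typ, name in f["inputs"]
                  if _is_identity_input(typ, name))


def form_aware_fill_targets(forms):
    """Only fill identity inputs in forms that also carry a password field,
    i.e. forms that are plausibly the login form itself."""
    targets = []
    for f in forms:
        if not any(typ == "password" for typ, _ in f["inputs"]):
            continue  # no password input: not a login form, leave it alone
        targets.extend(f["id"] + ":" + name
                       for typ, name in f["inputs"] if _is_identity_input(typ, name))
    return sorted(targets)


if __name__ == "__main__":
    forms = parse_forms(SAMPLE_PAGE)
    print("naive:     ", naive_fill_targets(forms))       # also hits newsletter:email
    print("form-aware:", form_aware_fill_targets(forms))  # login:username only
```

The naive pass returns both `login:username` and `newsletter:email`, which is exactly the state that triggers the warning in the thread; the form-aware pass stops at the login form because the newsletter form has no password input to anchor it.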

DougieLawson
Posts: 36578
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: Security warning on raspberrypi.org?

Wed Oct 09, 2019 5:02 pm

You should probably take your false positive alert to the folks that support LastPass.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

Roken
Posts: 310
Joined: Sun Dec 31, 2017 4:35 pm
Location: UK

Re: Security warning on raspberrypi.org?

Fri Oct 11, 2019 8:04 pm

I had the same, and had to add:

    phplist.com, raspberrypi.org

to Equivalent Domains.

Though I'm going to be watching this, since I can see making phplist.com an equivalent possibly being a problem.
Headless Pi. OMG, someone cut its head off. Oh, hang on. It didn't have one to start with.
