Questionable testimonials on docs.pipenv.org #4671
Comments
|
Hmm, we’ve moved our documentation to pipenv.pypa.io instead (#4167), and I’m not even sure who owns the pipenv.org domain now. @pypa/pipenv-committers Anyone knows? We should do something about this. |
uranusjr
added
Priority: Critical
|
Wow, this is a creative use of an expired domain. I let pipenv.org expire, as it appeared few people used it, as opposed to the pypa site |
|
So that’s a fake website at this point. Anyone knows what we can do here? |
|
Well, if nobody friendly owns the domain name, then I guess the right thing to do is submit https://safebrowsing.google.com/safebrowsing/report_general/ |
|
👍 I’ve submitted a report with a link to this thread. |
|
https://docs.pipenv.org/ now appearing as unsafe in Chrome, "security certificate expired 94 days ago" |
|
That's because the scammer's servers are using a Let's Encrypt TLS certificate that is expired. I don't think anything prevents the scammer from renewing their certificate. |
|
FYI I found myself at the scam docs link via https://rootnroll.com/d/pipenv/ - which is currently linked from the front page of the real docs. I've opened a PR to fix that (linked above), but if it doesn't get merged, you may want to rethink referencing that page. Edit: Now fixed 🎉 |
Issue description
https://docs.pipenv.org has five testimonials under the Testimonials header, and the first two testimonials contain hyperlinks to casual sex apps. To be clear, I am not making a moral judgement and if these apps are legitimate Pipenv consumers, feel free to close my issue as WONTFIX.
However, these testimonials' wording and hyperlinks make them look like spam. It also appears that these sex-related testimonials have not been checked into Git, which suggests that someone has tampered with the docs.pipenv.org deployment process.
A few of my friends have confirmed that they see the suspicious testimonials too, which suggests that the testimonials are not being inserted by malware local to my machines.
Steps to replicate
Visit https://docs.pipenv.org/
In case you cannot see what I can see, I have recorded a screenshot and the underlying HTML of the suspicious testimonials. The highlighting in the screenshot is mine.
Finally, my apologies if I should have sent this to a
security@email address. I was not sure where to submit this issue.The text was updated successfully, but these errors were encountered: