New issue
Advanced search Search tips

Issue 595599 link

Starred by 5 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Potential security issue with credit card pre-fill in Chrome

Reported by adrian.h...@gmail.com, Mar 17 2016

Issue description

VULNERABILITY DETAILS
I just thought I should notify someone of what I see as potentially being a bit of an issue with stored credit card details in Chrome.

If someone gets access to your computer and attempts to buy something with a credit card online, they can find out your credit card number by a process of elimination. 

How?

Because the option to use the stored credit card details will appear as long as you are typing a credit card number stored in the browser.

For example: a credit card number stored in Chrome is 1234 5678 9012 3456. User types 1234 and the prefill option appears above the field with the partial credit card number shown. The user can start guessing the next digit. If they enter 1234 1, the prefill will disappear, so they know that "1" is not the correct next digit. Once they type 1234 5, the prefill appears again, so they know they are on track. This will work all the way to the end, and is quite easy since the prefill will show the last four digits anyway.

I haven't fully tested this from first digit to last, but I've tested from about the 5th digit all the way to the end using the above method.

This only gives you the credit card number, and doesn't allow you to guess the expiry and CVV, but it still struck me as a potential issue I should let someone know about.


VERSION
Chrome Version: 48.0.2564.116 (64-bit)
Operating System: OSX 10.10.4

REPRODUCTION CASE
-See above, needs to be on an applicable page using online payments by credit card, and a credit card needs to already be saved in the browser for the user who is currently logged in to Chrome.
 

Comment 1 by mea...@chromium.org, Mar 18 2016

Status: WontFix (was: Unconfirmed)
Thanks for the report.

> If someone gets access to your computer and attempts to buy something with a credit card online, they can find out your credit card number by a process of elimination. 

This scenario requires physical access to the computer and is outside our threat model. Please see  https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- for details.

I'm marking as WontFix for now, please let us know if you can still leak information without physical access (e.g. by having the user visit an attacker website)
Project Member

Comment 2 by sheriffbot@chromium.org, Jun 24 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
 Issue 750425  has been merged into this issue.
 Issue 766075  has been merged into this issue.
 Issue 805320  has been merged into this issue.

Sign in to add a comment