Security: Access to Credit/Debit Card Numbers Saved to Chrome (for auto complete)
Reported by laxattac...@gmail.com, Apr 4 2016
Issue description

VULNERABILITY DETAILS
Many regular users save their debit/credit card information into their Chrome browsers to save time on the internet. Most sites are able to obscure the saved card information at checkout so that the system cannot be abused. However, a number of websites, Wordpress.com in this example, do not properly obscure the card number saved on Chrome. Even if the card number is obscured on other websites, a trial and error method can be used on these sites, with Chrome's card suggestion to indicate when a correct number was chosen.

This vulnerability would provide a user a clear and easy path to obtain any of the card details stored on the system. The card information could be used on any site that does not require a CVV (Amazon) or could be used in social engineering to gather more information about the card holder.

This exploit could be used physically on any system that was left logged in, which is common practice for many users. In addition, this vulnerability could be used remotely on computers that have been infected with malware. Although in both of these cases the computer is already compromised, the vulnerability provides a direct path to card information; this will make the system compromise even more dangerous.

This problem could be fixed by having the suggested card number display after 4 digits have been entered. This would slow down the trial and error method of obtaining the card number. In addition, the procedure for when the card number is given to the site could be altered so that the user would not get access to card information when using the auto complete service.

VERSION
Chrome Version: 49.0.2623.87 m stable
Operating System: Windows 7

REPRODUCTION CASE
Steps to reproduce:
1. Log onto a Chrome account with debit/credit card details saved
2. Proceed to check out any product that costs money
3. At checkout, when entering a card number, the site is able to populate the entire card number from selecting any of the saved cards

Can also be done through trial and error on sites that do not display the entire card number. To do this one could guess random numbers with the auto complete option popping up when the number chosen was correct.
,
Apr 4 2016
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
Comment 1 by mbarbe...@chromium.org, Apr 4 2016