Autofill offers Credit Card Info for inappropriate field in Google Forms
Reported by
jacenrko...@gmail.com,
Mar 10 2017
|
||||
Issue descriptionNOTE: Security bugs are normally made public once a fix has been widely deployed. VULNERABILITY DETAILS When filling out a Form from Drive, Chrome Auto-fill attempted to enter a visa credit card number. It only seems to occur on text inputs starting with "Vis" VERSION Chrome Version: 56.0.2924.87 Operating System: Android 7.1.1 REPRODUCTION CASE It appears to be triggered by a text input in a field with the title starting with "Vis". I could only replicate in Chrom on Android. Only Does not happen in Desktop Chrome in Windows. I do not have the means to test iOS or Mac. FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION N/A
,
Mar 10 2017
https://docs.google.com/forms/d/e/1FAIpQLSc0Gx602_tVRqVxhafKhGEaNjzZBVhq9eje8gSQ_NakJFJjtA/viewform?usp=sf_link Thank you for your time and consideration in this matter, Very respectfully, Jacen R Kohler
,
Mar 10 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 10 2017
Thanks! Confirmed in Chrome 59.0.3037.0. The element markup is: <input type="text" class="quantumWizTextinputPaperinputInput exportInput" jsname="YPqjbf" autocomplete="off" tabindex="0" aria-label="Visceral Fat Level" aria-describedby="i.desc.80550910 i.err.80550910" name="entry.1651564356" value="" dir="auto" data-initial-dir="auto" data-initial-value="" aria-invalid="false" badinput="false">
,
Mar 10 2017
The heuristics are treating this field as a credit card expiration year field. Its attributes don't /appear/ to match anything in kExpirationYearRe though.
,
Mar 17 2017
Re comment #6: Can you elaborate on what you mean by "Getting worse"? If you mean that the picker is showing more than one card, that's probably expected; the offered cards are based on what you've typed into the field so far. If a page had a field with an autocomplete value of cc-num, yes, Chrome would offer to fill a credit card number.
,
Mar 17 2017
Yes, that's what I mean. I haven't entered any new cards, so why would it now show 3 instead of just the 1?
,
Mar 17 2017
In your now-deleted screenshot from the original repro, you had typed "18" into the edit field. My expectation is that neither of the Mastercards shown in your screenshot in Comment #6 contains the sequence "18" and as a consequence they were hidden in the original but appear now because the text box is blank.
,
Mar 20 2017
ok, so what needs to happen now?
,
Mar 20 2017
The owners of the Autofill heuristics module will evaluate the issue and potentially change Chrome to better recognize that these fields do not belong to a credit card form. (HTML page authors may be able to avoid problems like this by setting appropriate |autocomplete| attribute information on the <input> element).
,
Jan 11
Issue has a component, but no priority. Updating to have default priority (Pri-2) |
||||
►
Sign in to add a comment |
||||
Comment 1 by elawrence@chromium.org
, Mar 10 2017Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Needs-Feedback Type-Bug
Summary: Autofill offers Credit Card Info for inappropriate field in Google Forms (was: Security: Autofill puts Credit Card Info into Forms)