New issue
Advanced search Search tips

Issue 704712 link

Starred by 3 users
Status: WontFix
Owner: ----
Closed: Mar 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security



Sign in to add a comment

automatic credit card filling is disabled shows only when typing a correct credit card

Reported by henrikj...@gmail.com, Mar 23 2017 
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
1. Find a site with a mixed security credit card form (I've used play.tv2.dk, It's in danish, but it's purchase section is http with https transport)
2. Focus on the credit card field, "automatic credit card filling is disabled" will show.
3. The text will only disappear when typing wrong digits - making it possible to find the correct credit card number.

What is the expected behavior?
Either show the text always or never - Don't make the showing of the text rely on typing the right card number/expiry date

What went wrong?
You disabled credit card filling, but made it easy to figure out anyways. (CVC however seems to be secret either way)

Did this work before? N/A 

Chrome version: 55.0.2883.87  Channel: stable
OS Version: Arch Linux kernel 4.8.13
Flash Version: Shockwave Flash 22.0 r0

Comment 1 by jialiul@chromium.org, Mar 24 2017

Components: UI>Browser>Autofill>Payments
Add component label Autofill>Payments.
Autofill team please help triage this issue. Thanks!

Comment 2 by elawrence@chromium.org, Mar 24 2017 

Here's a simple test page: http://http-credit-card.badssl.com/

Chrome isn't trying to protect the credit card number from the user using Chrome-- that's outside of Chrome's threat model: https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

Chrome does deliberately block the use of autofill in non-secure contexts.

It's worth mentioning that the UX behavior here has changed somewhat as of Chrome 57, which has the "Form Not Secure" behavior on by default.

Comment 3 by elawrence@chromium.org, Mar 24 2017 

Expanding upon #2, I don't think this is a security vulnerability, if the "attack" requires the user to be interactively using Chrome. That attacker could simply open chrome://settings/autofill and read the data directly.

If you've found some way for the website to "probe" the user's stored credit card information, *that* might be a security issue.

Comment 4 by jialiul@chromium.org, Mar 26 2017

Status: WontFix (was: Unconfirmed)
Thanks elawrence@!
Based on #2 and #3, close this issue as Won'tFix (Work as intended).

Comment 5 by lafo...@chromium.org, Jun 27 2017

Components: -UI>Browser>Autofill>Payments UI>Browser>Payments
Project Member

Comment 6 by sheriffbot@chromium.org, Jul 2 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by och...@chromium.org, Feb 19 2018 

 Issue 813658  has been merged into this issue.

Sign in to add a comment