Security: FLAG_SECURE not used on Android for credit cards pre-fills
Reported by ya...@nightwatchcybersecurity.com, May 11 2017
Issue description

VULNERABILITY DETAILS
FLAG_SECURE is not used within Chrome on Android when putting in prefilled credit card numbers. This would allow another application on the same device to see the screen and capture the numbers. By comparison, Android Pay and Android Wallet use FLAG_SECURE for credit card entry. We have a blog post here explaining FLAG_SECURE: https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/

VERSION
Chrome Version: 58.0.3029.83 stable
Operating System: Android 7.1.2; security patch level May 5 2017

REPRODUCTION CASE
To reproduce:
1. Open Chrome.
2. Go to Settings, Autofill and payments, Credit Cards.
3. Tap on "Add credit card".
4. Press Power and volume down to capture screenshot.
5. Confirm that a screenshot can be taken.
May 12 2017
https://chromium-review.googlesource.com/c/504787/
May 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/416588f2ea472b4f9273cbd0e40c1d18f71d1cba

commit 416588f2ea472b4f9273cbd0e40c1d18f71d1cba
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Mon May 15 17:04:54 2017

Prevent screenshots of the card editor views.

Before this patch, users could take screenshots of the local credit card editor views, which show the full card number in plain text. (Chrome does not show the full number of the server cards.)

This patch adds a FLAG_SECURE to the window of the local card editors for PaymentRequest and autofill. The flag is added for Chrome Beta and Stable builds to protect regular users. Dev, Canary, and developer builds do not have the FLAG_SECURE set.

After this patch, users cannot take screenshots of the local card editor views in Chrome Beta and Stable.

Bug: 721579
Change-Id: I82dcd7c83cec85fb3f8dd58aa7ab25c2826641d0
Reviewed-on: https://chromium-review.googlesource.com/504787
Reviewed-by: Ted Choc <tedchoc@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#471807}

[modify] https://crrev.com/416588f2ea472b4f9273cbd0e40c1d18f71d1cba/chrome/android/java/src/org/chromium/chrome/browser/payments/ui/EditorView.java
[modify] https://crrev.com/416588f2ea472b4f9273cbd0e40c1d18f71d1cba/chrome/android/java/src/org/chromium/chrome/browser/payments/ui/PaymentRequestUI.java
[modify] https://crrev.com/416588f2ea472b4f9273cbd0e40c1d18f71d1cba/chrome/android/java/src/org/chromium/chrome/browser/preferences/autofill/AutofillLocalCardEditor.java
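The mitigation described in the commit message above, sketched as an added example that is not Chrome's code and not part of the original thread. The `CardEditorActivity` class, the `Channel` enum and the `CHANNEL` constant are hypothetical stand-ins; only `FLAG_SECURE` and the Android `Window` calls are real platform API.

```java
import android.app.Activity;
import android.app.Dialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;
import android.widget.EditText;

/** Added example (not Chrome's code): a card editor that blocks screenshots on release channels. */
public class CardEditorActivity extends Activity {
    /** Hypothetical channel enum standing in for the app's real build-channel check. */
    enum Channel { DEVELOPER, CANARY, DEV, BETA, STABLE }

    // Assumption: a real app derives this from its build configuration.
    static final Channel CHANNEL = Channel.STABLE;

    /** Policy from the commit message: only Beta and Stable get FLAG_SECURE. */
    static boolean shouldSecure(Channel channel) {
        return channel == Channel.BETA || channel == Channel.STABLE;
    }

    /** Marks the window secure so its content is left out of screenshots and screen captures. */
    static void secureWindow(Window window, Channel channel) {
        if (window == null || !shouldSecure(channel)) return;
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }

    /** Regression check for an instrumentation test: is the flag present on this window? */
    static boolean isSecure(Window window) {
        return window != null
                && (window.getAttributes().flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set the flag before the content view is attached, so the first frame is protected.
        secureWindow(getWindow(), CHANNEL);
        setContentView(new EditText(this)); // placeholder for the card number field
    }

    /** A Dialog has its own Window; the Activity's flag does not carry over to it. */
    Dialog newCardEditorDialog() {
        Dialog dialog = new Dialog(this);
        secureWindow(dialog.getWindow(), CHANNEL);
        return dialog;
    }
}
```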
May 15 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0ad491fdca26232f4edc8120121859209ebc5a0a

commit 0ad491fdca26232f4edc8120121859209ebc5a0a
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Mon May 15 18:53:52 2017

[Merge M-59] Prevent screenshots of the card editor views.

Before this patch, users could take screenshots of the local credit card editor views, which show the full card number in plain text. (Chrome does not show the full number of the server cards.)

This patch adds a FLAG_SECURE to the window of the local card editors for PaymentRequest and autofill. The flag is added for Chrome Beta and Stable builds to protect regular users. Dev, Canary, and developer builds do not have the FLAG_SECURE set.

After this patch, users cannot take screenshots of the local card editor views in Chrome Beta and Stable.

TBR=rouslan@chromium.org

(cherry picked from commit 416588f2ea472b4f9273cbd0e40c1d18f71d1cba)

Bug: 721579
Change-Id: I82dcd7c83cec85fb3f8dd58aa7ab25c2826641d0
Reviewed-on: https://chromium-review.googlesource.com/504787
Reviewed-by: Ted Choc <tedchoc@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#471807}
Reviewed-on: https://chromium-review.googlesource.com/505531
Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/branch-heads/3071@{#559}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/0ad491fdca26232f4edc8120121859209ebc5a0a/chrome/android/java/src/org/chromium/chrome/browser/payments/ui/EditorView.java
[modify] https://crrev.com/0ad491fdca26232f4edc8120121859209ebc5a0a/chrome/android/java/src/org/chromium/chrome/browser/payments/ui/PaymentRequestUI.java
[modify] https://crrev.com/0ad491fdca26232f4edc8120121859209ebc5a0a/chrome/android/java/src/org/chromium/chrome/browser/preferences/autofill/AutofillLocalCardEditor.java
May 18 2017
Hi - is this bug eligible for the Chrome Rewards program?
May 18 2017
Thanks for your report. We'll consider your report under the Chrome Reward Program for a security cash reward - full details here: https://www.google.com/about/appsecurity/chrome-rewards/ We'll update you once we have a decision. Feel free to check in with me in a few weeks if you haven't heard back, either by updating this bug or reaching out to me at rouslan@chromium.org.
May 25 2017
I'm afraid the VRP panel decided not to reward for this. Many thanks for the report, and while we did some hardening, the panel didn't believe this is inside our threat model.
Jul 16 2017
Hi - at what point can we publicly disclose this? It looks like it got published in the changelog: https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html Thanks
Jul 26 2017
Go ahead with the public disclosure, if you wish.
Aug 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by aarya@google.com, May 12 2017
Components: UI>Browser>Autofill>Payments
Labels: Security_Severity-Medium Security_Impact-Stable OS-Android Pri-1
Owner: rouslan@chromium.org
Status: Assigned (was: Unconfirmed)