Issue 750425

Issue metadata

Status: Duplicate
Merged: issue 595599
Owner: ----
Closed: Jul 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Security: Discovering credit card number through Chrome autocomplete

Reported by hunterda...@gmail.com, Jul 29 2017

Issue description

VULNERABILITY DETAILS
A user with access to our device, on which we have saved credit card details, can easily discover the card number.

VERSION
Chrome Version: [59.0.3071.125] + [stable]
Operating System: Android 7.0

REPRODUCTION CASE
Having a phone with saved payment card data in Chrome, you can easily discover its number. All we need is an HTML form with a text box labeled autocomplete="cc-number".
Assume our card number is 370141735165858. We enter the first number, from 0 to 9, waiting for the autocompletion box to appear. If it appears, we know that this number exists in the number of our card. We entered 0 and a popup window came up. This means that this number occurs in our card. We enter the second number: 0 - nothing, 1 pops up the autocompletion window. This means that the string 01 occurs in our credit card number. We enter the third number: 0 nothing, 1 nothing, 2 nothing, 3 nothing, 4 a window pops up. We continue until the very end of our credit card number. Additionally, we know the last 4 card numbers from the popup window. This allows us to determine where the string we have guessed is located. Using the method described above, we get to 0141735165858. We are missing the first two numbers, but we can easily guess them using the method described above (0-9). The entire process is much faster if we correctly guess or know the first few credit card numbers. Of course, to use a credit card we still need a CVV / CVV2 code. However, we may know it from another source or guess it. I also checked this on desktop Chrome, but there, after entering a few digits, the autocomplete window disappears.
 
Components: UI>Browser>Autofill
Status: WontFix (was: Unconfirmed)
It's easier than that; you can simply allow the form to fill, then steal the number from the DOM using JavaScript. Masking of sensitive data like passwords and credit card numbers is a mitigation for "over-the-shoulder" reveals; it does not protect against an attacker who has physical control of the device.

See https://dev.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools- for the equivalent discussion of password masking.
Mergedinto: 595599
Status: Duplicate (was: WontFix)
Project Member

Comment 3 by sheriffbot@chromium.org, Nov 5 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
