Security: Debit card number can be retrieved from Android Chrome's automatic field filler.
Reported by rzrbenk...@gmail.com, Sep 18 2017
Issue description

When using the latest (60.0.3112.107) Chrome for Android, the number of the saved debit cards can be easily retrieved in less than 1 minute. As shown in the attached picture, the suggestion to use the saved card does not disappear if the numbers typed in are those of the card. This can be a good feature but can be a vulnerability, since the card number should be stored as securely as a password. I'd recommend making autocomplete suggestions work as they do with passwords (the suggestion disappears when you start to type manually in the form field), or the suggestion should just disappear when the last 4 (and public) numbers are mismatching. This way, card numbers cannot be stolen by brute-force guessing.
Sep 18 2017

It's easier than that; you can simply allow the form to fill, then steal the number from the DOM using JavaScript. Masking of sensitive data like passwords and credit card numbers is a mitigation for "over-the-shoulder" reveals; it does not protect against an attacker who has physical control of the device. See https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#What-about-unmasking-of-passwords-with-the-developer-tools for the equivalent discussion of password masking.
Dec 26 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rzrbenk...@gmail.com, Sep 18 2017: attachment (screenshot), 242 KB