Issue 766075 link
Issue metadata

Status: Duplicate
Merged: issue 595599
Owner: ----
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security
Security: Debit card number can be retrieved from Android Chrome's automatic field filler.

Reported by rzrbenk...@gmail.com, Sep 18 2017

Issue description

When using the latest (60.0.3112.107) Chrome for Android, the numbers of the saved debit cards can be easily retrieved in less than 1 minute.

As shown in the attached picture, the suggestion to use the saved card does not disappear if the numbers typed in are for the card.

This can be a good feature but can be a vulnerability, since the card number should be stored as securely as a password.

I'd recommend making autocomplete suggestions work as they do with passwords (the suggestion disappears when you start to type manually in the form field), or the suggestion should just disappear when the last 4 (and public) numbers are mismatching.

This way, card numbers cannot be stolen by brute-force guessing.

Attachments: 21875713_1661656907178753_1190677617_o.png (200 KB), 21868158_1661664460511331_1961921859_o.png (242 KB)

Merged into: 595599
Status: Duplicate (was: Unconfirmed)
It's easier than that; you can simply allow the form to fill, then steal the number from the DOM using JavaScript. Masking of sensitive data like passwords and credit card numbers is a mitigation for "over-the-shoulder" reveals; it does not protect against an attacker who has physical control of the device.

See https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#What-about-unmasking-of-passwords-with-the-developer-tools for the equivalent discussion of password masking.
Components: UI>Browser>Autofill
Comment 4 by sheriffbot@chromium.org, Dec 26 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot