Security: Possible to extract full credit/debit card number from Chrome autofill list.
Reported by anubha...@gmail.com, Jan 24 2018
Issue description

VULNERABILITY DETAILS

When entering credit/debit card details on a webpage (Netflix, Amazon etc.), it is possible for a user at your computer to extract the full credit card number despite its obfuscated appearance as Visa....xxxx. Even though only the last 4 digits are visible, the user can obtain the remaining digits. This is because the dropdown menu with the saved card numbers stays on screen as long as the text entered in the box is a substring of the card number.

To showcase the bug, I added a card with the number 1234123412341234 to my autofill list. Now, on the Netflix payment details page, if I enter any substring of my card number, the obfuscated card shows up in the dropdown menu. The card stays in the dropdown menu as long as the text I keep entering in the textbox is a substring of the card number.

EXAMPLE:

1) Textbox is empty. No dropdown menu of cards (See 1.jpg).
2) I enter the number "2" in the textbox. My card shows up as Card...1234 in the dropdown menu since "2" is a substring of "1234123412341234" (See 2.jpg).
3) Now, if I enter the number "3", the dropdown menu stays on screen since "23" is still a substring of the card number (See 3.jpg). If I enter any number other than 3, the dropdown menu disappears (See 4.jpg). Now, I know that the card number contains "23".
4) Now all I need to do is try numbers from 0..9 to see when the dropdown menu stays on screen (See 5.jpg). This way, it is possible to extract the whole card number even though the dropdown menu only shows Card....1234.
5) When no additional entry from 0..9 produces the dropdown menu, I know that I've reached the end of the card number. Now, I can start from the beginning and try numbers to find the beginning of the card number and paste the end substring on to see if the dropdown menu still works.

I also successfully reproduced this bug on Amazon's payment details page and I'm sure it can be replicated for any textbox. This bug is simple and easy to reproduce but can cause a lot of issues if an unauthorized person gains access to your card number, especially since a lot of EFTPOS systems don't require a CVV.

VERSION
Chrome Version: [63.0.3239.132] + [stable]
Operating System: [Windows 10, Version 1703, OS Build 15063.850]

REPRODUCTION CASE
See attached images.

Security_Severity Low-Medium
Security_Impact Low-Medium
May 2 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Jan 24 2018
Mergedinto: 595599
Status: Duplicate (was: Unconfirmed)
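
Added example (not part of the original report and not Chromium's code): a regression-style check that a suggestion filter's show/hide decision does not depend on digits the dropdown hides. The function names and the second card number are constructed, and the last-four matcher is an assumed mitigation, not the fix Chrome adopted.

```javascript
// Constructed sample data: two saved cards with the same displayed last four
// digits but different hidden digits. CARD_A is the number from the report.
const CARD_A = "1234123412341234";
const CARD_B = "9876987698761234";

// Behaviour described in the report: the suggestion stays visible while the
// typed text is any substring of the full stored number.
function substringMatch(cardNumber, typed) {
  return typed.length > 0 && cardNumber.includes(typed);
}

// Assumed mitigation (hypothetical): decide using only the last four digits,
// which the dropdown already displays.
function lastFourMatch(cardNumber, typed) {
  return typed.length > 0 && cardNumber.slice(-4).startsWith(typed);
}

// Every digit string of length 1..maxLen, in increasing length.
function* digitStrings(maxLen) {
  let level = [""];
  for (let len = 1; len <= maxLen; len++) {
    level = level.flatMap((p) => [..."0123456789"].map((d) => p + d));
    yield* level;
  }
}

// Inputs for which the filter answers differently for two cards that look
// identical on screen. A non-empty result means the filter's visible
// behaviour is a function of hidden digits.
function distinguishingQueries(matcher, cardX, cardY, maxLen) {
  const out = [];
  for (const q of digitStrings(maxLen)) {
    if (matcher(cardX, q) !== matcher(cardY, q)) out.push(q);
  }
  return out;
}

console.log("substring filter:",
  distinguishingQueries(substringMatch, CARD_A, CARD_B, 2));
console.log("last-four filter:",
  distinguishingQueries(lastFourMatch, CARD_A, CARD_B, 2));
```
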