
Issue metadata

Status: Fixed
Closed: Jul 2018
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security


Issue 858820: Security: Credit card information leakage in Chrome autofill

Reported by, Jun 28 2018

Issue description


Early in 2017, numerous security researchers published articles relating to the information leakage within the Chrome autofill feature. The vulnerability raised within these articles related to the possibility for remote websites to harvest excessive amounts of personal information by requesting a limited amount of information from the user whilst stealing additional information in hidden (hidden from view) input form fields. The autofill feature within Chrome would populate the requested fields as well as the hidden fields thereby allowing malicious sites to harvest information the user may not be aware of including credit card information.
A mitigating control in Chrome was implemented which separated autofill information into address information and credit card information. This would limit the amount of information obtainable by malicious scripts to only harvesting that which would be deemed part of the same information set as what was originally shared by the user i.e. personal information only, or credit card information only.
This report highlights some shortcomings in the currently implemented solution within Chrome and how it can be used to deceive a user into submitting personal and credit card information under the pretences of auto populating a limited information set relating to their name, surname and email address.

Chrome Version: Version 67.0.3396.99 (Official Build) (64-bit) + stable
Operating System: Mac OSX 10.13.3

Attached form1
Google Chrome vulnerability disclosure.pdf
835 KB Download
2.8 KB View Download
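
An added example, not part of the original report or of Chrome's code: a static audit that lists form fields carrying an `autocomplete` hint while hidden from view, and marks those whose information set (profile or card) differs from every visible field. The function names, the inline-style heuristics and the sample markup are assumptions made for illustration; fields Chrome would classify without an explicit `autocomplete` attribute are not covered.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that take an element out of the user's view (heuristic).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top|margin-left)\s*:\s*-\d{3,}", re.I)
FIELD_TAGS = {"input", "select", "textarea"}
CONTAINERS = {"div", "span", "fieldset", "label"}

def is_hiding(attrs):
    return "hidden" in attrs or bool(HIDING_STYLE.search(attrs.get("style") or ""))

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []   # one bool per open container: does it hide its children?
        self.fields = []  # (name, information set, hidden from view?)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in CONTAINERS:
            self.stack.append(is_hiding(attrs))
        elif tag in FIELD_TAGS:
            tokens = (attrs.get("autocomplete") or "").lower().split()
            if tokens and tokens[-1] not in ("on", "off"):
                info_set = "card" if tokens[-1].startswith("cc-") else "profile"
                hidden = is_hiding(attrs) or any(self.stack)
                self.fields.append((attrs.get("name", "?"), info_set, hidden))

    def handle_endtag(self, tag):
        if tag in CONTAINERS and self.stack:
            self.stack.pop()

def audit(html):
    """Return (name, set, crosses_set) for each autofillable field hidden from view."""
    parser = FormAudit()
    parser.feed(html)
    visible_sets = {s for _, s, hidden in parser.fields if not hidden}
    return [(name, s, s not in visible_sets)
            for name, s, hidden in parser.fields if hidden]

# Constructed sample markup (not taken from the report's attachments).
SAMPLE = """<form>
  <input name="fullname" autocomplete="name">
  <input name="email" autocomplete="email">
  <div style="display:none"><input name="addr" autocomplete="street-address"></div>
  <input name="phone" autocomplete="tel" style="position:absolute; left:-5000px">
  <input name="card" autocomplete="cc-number" hidden>
</form>"""
```
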

Comment 1 by, Jun 29 2018

Components: UI>Browser>Autofill
Labels: M-68 Security_Severity-Medium Security_Impact-Stable Pri-1
Status: Assigned (was: Unconfirmed)
mathp@, can you please help to triage or find an owner.

Comment 2 by, Jun 29 2018


Comment 3 by, Jun 29 2018


Comment 4 by, Jun 29 2018

Thanks for the report. What I find really surprising is that when the user clicks on the now cc-name field, they see the cc-name without the credit card icon next to it. This seems like a bug, I'm investigating now.

Comment 5 by, Jul 2 2018


It is really misleading for the average user. For credit card data, I much prefer the Firefox "click to fill each field" method, but it is a trade-off on usability.

Comment 6 by, Jul 4 2018

Status: Started (was: Assigned)
For sure. In this case we should show more clearly that a credit card field is about to be filled. Working on the fix now, thanks for reporting.

Comment 7 by, Jul 9 2018

Project Member
The following revision refers to this bug:

commit b025e82307a8490501bb030266cd955c391abcb7
Author: sebsg <>
Date: Mon Jul 09 15:29:17 2018

[AF] Don't simplify/dedupe suggestions for (partially) filled sections.

Since Autofill does not fill field by field anymore, this simplifying
and deduping of suggestions is not useful anymore.

Bug:  858820 
Cq-Include-Trybots: luci.chromium.try:ios-simulator-full-configs;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: I36f7cfe425a0bdbf5ba7503a3d96773b405cc19b
Reviewed-by: Roger McFarlane <>
Commit-Queue: Sebastien Seguin-Gagnon <>
Cr-Commit-Position: refs/heads/master@{#573315}

Comment 8 by, Jul 9 2018

This should make it more obvious that we are now filling a credit card.

Comment 9 by, Jul 10 2018

Cool, any idea when this update will make it into a final / test release so I can check it?

Also, is this kind of issue eligible for the bug bounty / hall of fame?

Comment 10 by, Jul 10 2018

It should be in the most recent Canary cut. Look at the version number and if it's 69.0.3487.0 the fix should be in it.

I think the whole bounty thing kicks off when the bug is fixed, but I don't know much about that. I'll check how it works otherwise.

I'll wait for you to confirm the fix as well before marking as fixed.


Comment 11 by, Jul 10 2018

Excellent, I have a canary build I will update tomorrow and validate.

Do I have to mark as fixed? If so, can you let me know how?

Appreciate it.

Comment 12 by, Jul 10 2018

I don't know if you can, so just let me know when you have tested, I can flip the state of the bug easily.

Comment 13 by, Jul 10 2018

Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows
Setting OS labels; please correct if they're wrong.

Comment 14 by, Jul 11 2018


Checked the latest canary build. The new fix looks good. Pretty obvious from a UI perspective and then it pops up with the CVC check to share credit card details as well.


Comment 15 by, Jul 11 2018

Status: Fixed (was: Started)
Thanks! The CVC check only happens for one type of card though, if the user has decided to keep a local copy of it, we won't ask for it. The rest of the UI should remain the same though.

Thanks again for filing the bug.

Comment 16 by, Jul 11 2018

+ for the reward process.

Comment 17 by, Jul 11 2018

Labels: reward-topanel

Comment 18 by, Jul 11 2018

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 19 by, Jul 13 2018


Comment 20 by, Jul 22 2018


Just checking, is there anything else I am supposed to do on this? I see it is still tagged restrict-view.


Comment 21 by, Jul 23 2018

Hi cailan.sacks@ - I don't believe so. It'll be automatically opened up to the public 14 weeks after it's marked fixed (October 17th). We're also a little behind on bringing bugs to the VRP panel, but expect an update within a couple of weeks.

Comment 22 by, Jul 23 2018

Labels: -M-68 M-69

Comment 23 by, Jul 30 2018

Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

Comment 24 by, Jul 30 2018

Thanks for the report cailan.sacks@! The VRP panel decided to award $1,000 for this report. A member of our finance team will be in touch to arrange payment. Also, how would you like to appear in Chrome release notes?

Comment 25 by, Jul 30 2018

Labels: -reward-unpaid reward-inprocess

Comment 26 by, Jul 31 2018


Thanks, much appreciated!

Not sure if I properly understand what you mean by "how would you like to appear...", but the Google profile associated with would be fine for appearance in the release notes.


Comment 27 by, Aug 3

Project Member
Labels: Merge-Request-69

Comment 28 by, Aug 3

Project Member
Labels: -Merge-Request-69 Merge-Review-69 Hotlist-Merge-Review
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit - Your friendly Sheriffbot

Comment 29 by, Aug 3

Labels: -Hotlist-Merge-Review -Merge-Review-69
The fix was landed on M69 before the branch. There is no need to merge.

Comment 30 by, Aug 12


I have not been contacted by anyone in the finance team.

Also, just checking, will cailan.sacks@gmail.con be in the credits for the bug release?


Comment 31 by, Aug 13

Hello - sorry about that, I've just followed up with the team in question.  I currently have your credit down as just "Cailan Sacks" - let me know if you'd like that changed.

Comment 32 by, Aug 13

Cool, thanks. All sorted

Comment 33 by, Aug 16

Labels: Release-0-M69

Comment 34 by, Sep 4

Labels: CVE-2018-16078 CVE_description-missing

Comment 35 by, Oct 17

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 36 by, Jan 4

Labels: -CVE_description-missing CVE_description-submitted
