New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 905718 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 30
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug
Team-Security-UX



Sign in to add a comment

payment check enabled by default

Reported by sumanman...@gmail.com, Nov 15

Issue description

VULNERABILITY DETAILS
In google chrome, by default the option "Allow sites to check if you have payment methods saved" is enabled. I think this is a bug and a security issue.

VERSION
Chrome Version:Version 70.0.3538.102 (Official Build) (32-bit)
Operating System: Windows 10

REPRODUCTION CASE
Make a clean installation of Chrome and check the flag in the settings

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
N.A

CREDIT INFORMATION
Reporter credit: sumanmanuel@gmail.com


 
Cc: rouslan@chromium.org zkoch@chromium.org
Components: Internals>Permissions>Model UI>Browser>Payments Privacy
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: payment check enabled by default (was: Security: payment check enabled by default)
This string/option [1] controls whether a site can check the CanMakePaymentEvent [2]. AFAIK it only exposes a set of which payment method _types_ the user agent currently supports, not any personal details beyond that. (But I'm not an expert on the spec or the implementation in Chrome.)

The PaymentHandler API spec says that user agents must allow users to disable this [3], which is the behavior Chrome follows.

Reporter: What information did this expose in your testing that you think is particularly sensitive? If it is implemented in the way I understand it, this does not seem like a security issue. Adding Privacy and Permissions components so that those teams can triage this further to decide if we want to change this behavior.

Also cc'ing zkoch@ who IIRC was PM for these features and rouslan@ who knows more about payments stuff.

[1] https://cs.chromium.org/chromium/src/components/payments_strings.grdp?q=%22Allow+sites+to+check+if+you+have+payment+methods+saved%22&sq=package:chromium&g=0&l=387
[2] https://w3c.github.io/payment-handler/#dom-canmakepaymentevent
[3] https://w3c.github.io/payment-handler/#information-about-the-user-environment
Cc: durgapandey@chromium.org gogerald@chromium.org
This is intentional and is by design. Not sure there's anything to do for this bug report? +durgapandey@, +gogerald@.
Thank you for the quick response. I think this option should be disabled by default and only enabled if a user requires.
If i am not wrong, accessing the payment details without the known consent of the user is a security fault.
Re comment #3: I think there is some confusion about "payment details" (cc #s, addresses, etc.) vs. "available payment methods" (do you have a payment handler that can do CC#? Internet Payment Vendor XYZ? etc.). This default-allowed permission only gives details about the later, not the former.

Notably, this does _not_ expose data from autofill. PaymentHandler/PaymentRequest actually _reduces_ the amount of personal data that is sent to the initiating site (as it allows the site to directly request a payment be processed by a separate handler).
Cc: vamshi.kommuri@chromium.org
Labels: Needs-Feedback Triaged-ET
As per comment#4, requesting reporter to respond back on it. Hence adding Needs-Feedback label.

Thanks!
Labels: Needs-Triage-M70
Status: WontFix (was: Unconfirmed)
As mentioned above this is working as intended. The only information is that is exposed is whether the user is able to make a payment with a specific payment method. This was not seen as too much of a privacy issue, so there is only an opt-out.

Sign in to add a comment