Closed
Bug 207479
Opened 21 years ago
Closed 21 years ago
form autocomplete saves credit card numbers
Categories
(Firefox :: Address Bar, defect)
VERIFIED
DUPLICATE
of bug 188285
People
(Reporter: rathga, Assigned: hewitt)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6
When filling in credit card information on a secure website, the browser
attempts to autocomplete the credit card number. Surely storing credit card
numbers in autocomplete files is a security risk?
Reproducible: Always
Steps to Reproduce:
1. Go to a web shop
2. Enter your details and buy something
3. Try buying something else, the credit card field will autocomplete.
Actual Results:
Credit card number stored
Expected Results:
Ignored credit card numbers (16 digits) when filling out forms for the purposes
of autocomplete.
Comment 1•21 years ago
The Form Manager even has a dedicated field for entering your Credit Card
number, so this seems to be by intention. You don't have to use this feature...
when filling in forms you also have the choice whether or not to remember the
values, don't you?
Comment 2•21 years ago
It should be noted that while comment 1 is true, the reporter is using Firebird
-- which has a bug where you cannot disable form autocomplete in present builds
(bug 199819).
Comment 3•21 years ago
I think that autocomplete="off" in the form tag should also work in Firebird like it
works in IE. This is a very useful and critical feature, for example in banking
applications. And it should be possible for service providers to disable Form
manager and not leave it for customers.
It doesn't work in:
Mozilla Firebird 0.6
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5a) Gecko/20030714 Mozilla
Firebird/0.6
But works in:
Mozilla 1.4
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624
Comment 4•21 years ago
-> firebird product per latest comment
Assignee: dveditz → hewitt
Component: Form Manager → Autocomplete
Product: Browser → Firebird
QA Contact: tpreston → asa
Version: Trunk → unspecified
Comment 5•21 years ago
I've also seen this behaviour with Mozilla Firebird 0.6, and consider it to be a
bug. I don't think it should be wontfixed like bug #188285 was.
Perhaps there shouldn't be autocomplete on secure pages, or perhaps Jesse's
comment from that bug should be given more thought:
Comment #1 From Jesse Ruderman 2003-01-08 23:17
Phoenix could avoid storing strings in form autocomplete when:
1. The string contains only digits, spaces, and hyphens. (This would also catch
US social security numbers, bug numbers, and sometimes telephone numbers.)
2. The string contains only digits, spaces, and hyphens, contains 16 or more
digits, and the first 16 digits validate against a public credit card number
validation algorithm. (Most 16-digit strings are not valid credit card numbers.)
See also bug #46590, "insecure submit of credit card # should warn user even if
insecure submit warning turned off".
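The two rules quoted from Jesse Ruderman above, sketched as an added example (not code from Phoenix/Firebird or from either bug). The function names are hypothetical, the "public credit card number validation algorithm" is assumed to be the Luhn checksum, and the sample inputs are constructed.

```javascript
// Added example: hypothetical helper names, not Firefox/Firebird code.

// Luhn checksum (assumed to be the "public validation algorithm" meant).
function luhnValid(digits) {
  let sum = 0;
  // Walk right to left, doubling every second digit.
  for (let i = digits.length - 1, dbl = false; i >= 0; i--, dbl = !dbl) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Rule 1 (broad): the string contains only digits, spaces and hyphens.
function isDigitsOnlyEntry(value) {
  return /^[\d -]+$/.test(value) && /\d/.test(value);
}

// Rule 2 (narrow): rule 1, plus 16 or more digits, and the first
// 16 digits pass the checksum.
function looksLikeCardNumber(value) {
  if (!isDigitsOnlyEntry(value)) return false;
  const digits = value.replace(/[ -]/g, "");
  return digits.length >= 16 && luhnValid(digits.slice(0, 16));
}

// Decide whether a submitted field value may be written to form history.
// strict=true applies rule 1; the default applies only rule 2.
function shouldStoreInFormHistory(value, { strict = false } = {}) {
  if (strict && isDigitsOnlyEntry(value)) return false;
  return !looksLikeCardNumber(value);
}

// Constructed sample inputs (the first is a published test number, not a real card).
const samples = ["4111 1111 1111 1111", "1234-5678-9012-3456", "555-0100", "Bug 207479"];
for (const s of samples) {
  console.log(JSON.stringify(s), "rule 2 stores:", shouldStoreInFormHistory(s),
              "| rule 1 stores:", shouldStoreInFormHistory(s, { strict: true }));
}
```

Rule 2 only keeps checksum-valid numbers out of history, while rule 1 also drops phone numbers and other all-digit entries, which is the trade-off the quoted comment points out.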
Comment 6•21 years ago
Form autocomplete currently won't disable on Firebird. It's a known issue and
will be fixed. This is a dupe of 188285, and simply opening a new bug with the
same issue doesn't change the decision to WONTFIX the previous bug.
*** This bug has been marked as a duplicate of 188285 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE