Closed Bug 207479 Opened 21 years ago Closed 21 years ago

form autocomplete saves credit card numbers


(Firefox :: Address Bar, defect)

Windows XP
Not set





(Reporter: rathga, Assigned: hewitt)


User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6

When filling in credit card information on a secure website, the browser
attempts to autocomplete the credit card number.  Surely storing credit card
numbers in autocomplete files is a security risk?  

Reproducible: Always

Steps to Reproduce:
1. Go to a web shop
2. Enter your details and buy something
3. Try buying something else, the credit card field will autocomplete.

Actual Results:  
Credit card number stored

Expected Results:  
Ignored credit card numbers (16 digits) when filling out forms for the purposes
of autocomplete.

The Form Manager even has a dedicated field for entering your Credit Card
number, so this seems to be by intention. You don't have to use this feature...
when filling in forms you also have the choice whether or not to remember the
values, don't you?

It should be noted that while comment 1 is true, the reporter is using Firebird
-- which has a bug where you cannot disable form autocomplete in present builds
(bug 199819).

I think that autocomplete="off" in the form tag should also work in Firebird like it
works in IE. This is a very useful and critical feature, for example in banking
applications. And it should be possible for service providers to disable Form
manager and not leave it for customers.

It doesn't work in:
Mozilla Firebird 0.6
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5a) Gecko/20030714 Mozilla

But works in:
Mozilla 1.4
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624

-> firebird product per latest comment
Assignee: dveditz → hewitt
Component: Form Manager → Autocomplete
Product: Browser → Firebird
QA Contact: tpreston → asa
Version: Trunk → unspecified

I've also seen this behaviour with Mozilla Firebird 0.6, and consider it to be a
bug. I don't think it should be wontfixed like bug #188285 was.

Perhaps there shouldn't be autocomplete on secure pages, or perhaps Jesse's
comment from that bug should be given more thought:

Comment #1 From Jesse Ruderman  2003-01-08 23:17

Phoenix could avoid storing strings in form autocomplete when:

1. The string contains only digits, spaces, and hyphens.  (This would also catch
US social security numbers, bug numbers, and sometimes telephone numbers.)

2. The string contains only digits, spaces, and hyphens, contains 16 or more
digits, and the first 16 digits validate against a public credit card number
validation algorithm.  (Most 16-digit strings are not valid credit card numbers.)

See also bug #46590, "insecure submit of credit card # should warn user even if
insecure submit warning turned off".
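
The two heuristics from Jesse Ruderman's quoted comment, written out as an added example that is not part of the bug thread or of Firebird's code. It assumes the "public credit card number validation algorithm" is the Luhn checksum; `shouldSkipAutocomplete`, `luhnValid` and the mode names are hypothetical.

```javascript
// Added example: decide whether a form value should be kept out of
// autocomplete storage, per the two heuristics quoted above.
// Function and mode names are hypothetical, not Firebird's.

// Luhn checksum over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {          // double every second digit from the right
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// mode "strict": heuristic 1 (value is only digits, spaces, hyphens).
// mode "card":   heuristic 2 (16+ digits and the first 16 pass Luhn).
function shouldSkipAutocomplete(value, mode = "card") {
  if (!/^[0-9 -]+$/.test(value)) return false;  // has other characters
  const digits = value.replace(/[ -]/g, "");
  if (digits.length === 0) return false;         // separators only
  if (mode === "strict") return true;
  return digits.length >= 16 && luhnValid(digits.slice(0, 16));
}

// Constructed sample inputs (test-style numbers, not real cards).
const samples = [
  "4111 1111 1111 1111",  // 16 digits, Luhn-valid
  "4111-1111-1111-1112",  // same shape, wrong check digit
  "555-12-3456",          // SSN-shaped: only heuristic 1 catches it
  "207479",               // bug number: only heuristic 1 catches it
  "3782 822463 10005",    // 15 digits: heuristic 2 as quoted lets it through
  "Jane Doe",             // ordinary text: stored under both
];
for (const s of samples) {
  console.log(JSON.stringify(s),
    "strict:", shouldSkipAutocomplete(s, "strict"),
    "card:", shouldSkipAutocomplete(s, "card"));
}
```
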

Form autocomplete currently won't disable on Firebird.  It's a known issue and
will be fixed.  This is a dupe of 188285, and simply opening a new bug with the
same issue doesn't change the decision to WONTFIX the previous bug.

*** This bug has been marked as a duplicate of 188285 ***
Closed: 21 years ago
Resolution: --- → DUPLICATE