Closed Bug 207479 Opened 20 years ago Closed 20 years ago
form autocomplete saves credit card numbers
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6

When filling in credit card information on a secure website, the browser attempts to autocomplete the credit card number. Surely storing credit card numbers in autocomplete files is a security risk?

Reproducible: Always

Steps to Reproduce:
1. Go to a web shop
2. Enter your details and buy something
3. Try buying something else, the credit card field will autocomplete.

Actual Results: Credit card number stored

Expected Results: Ignored credit card numbers (16 digits) when filling out forms for the purposes of autocomplete.
The Form Manager even has a dedicated field for entering your Credit Card number, so this seems to be by intention. You don't have to use this feature... when filling in forms you also have the choice whether or not to remember the values, don't you?
It should be noted that while comment 1 is true, the reporter is using Firebird -- which has a bug where you cannot disable form autocomplete in present builds (bug 199819).
I think that autocomplete="off" in the form tag should also work in Firebird like it works in IE. This is a very useful and critical feature, for example in banking applications. And it should be possible for service providers to disable Form Manager and not leave it for customers.

It doesn't work in:
Mozilla Firebird 0.6
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5a) Gecko/20030714 Mozilla Firebird/0.6

But works in:
Mozilla 1.4
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624
-> firebird product per latest comment
Assignee: dveditz → hewitt
Component: Form Manager → Autocomplete
Product: Browser → Firebird
QA Contact: tpreston → asa
Version: Trunk → unspecified
I've also seen this behaviour with Mozilla Firebird 0.6, and consider it to be a bug. I don't think it should be wontfixed like bug #188285 was. Perhaps there shouldn't be autocomplete on secure pages, or perhaps Jesse's comment from that bug should be given more thought:

Comment #1 From Jesse Ruderman 2003-01-08 23:17
Phoenix could avoid storing strings in form autocomplete when:
1. The string contains only digits, spaces, and hyphens. (This would also catch US social security numbers, bug numbers, and sometimes telephone numbers.)
2. The string contains only digits, spaces, and hyphens, contains 16 or more digits, and the first 16 digits validate against a public credit card number validation algorithm. (Most 16-digit strings are not valid credit card numbers.)

See also bug #46590, "insecure submit of credit card # should warn user even if insecure submit warning turned off".
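Added example, not part of the bug thread and not Mozilla code: the two filters proposed in the quoted comment from bug 188285, written as JavaScript, with the Luhn checksum assumed as the "public credit card number validation algorithm". All function names are hypothetical and the sample values in the comments are constructed.

```javascript
// Hypothetical helper names; this is an illustration, not browser source.

// Luhn checksum over a string of ASCII digits: double every second digit
// counting from the right, subtract 9 from results above 9, sum mod 10 == 0.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Proposal 1 (broad): only digits, spaces and hyphens, with at least one digit.
// Also matches phone numbers, SSNs and bug numbers, as the comment notes.
function isNumericLike(value) {
  return /^[0-9 -]+$/.test(value) && /[0-9]/.test(value);
}

// Proposal 2 (narrow): same character set, 16 or more digits, and the
// first 16 digits pass the checksum.
function looksLikeCardNumber(value) {
  if (!/^[0-9 -]+$/.test(value)) return false;
  const digits = value.replace(/[ -]/g, "");
  return digits.length >= 16 && luhnValid(digits.slice(0, 16));
}

// Decide whether a submitted field value may be written to form history.
// policy "broad" applies proposal 1, anything else applies proposal 2.
function shouldStore(value, policy = "narrow") {
  return policy === "broad" ? !isNumericLike(value) : !looksLikeCardNumber(value);
}

// Constructed sample values:
// shouldStore("4111 1111 1111 1111")          -> false (16 digits, checksum passes)
// shouldStore("4111-1111-1111-1112")          -> true  (checksum fails)
// shouldStore("207479")                       -> true  (too short for proposal 2)
// shouldStore("207479", "broad")              -> false (digits only)
// shouldStore("John Smith", "broad")          -> true
```

Proposal 2 as quoted requires 16 or more digits, so 15-digit card numbers pass through it and are only caught by the broader proposal 1.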
Form autocomplete currently won't disable on Firebird. It's a known issue and will be fixed. This is a dupe of 188285, and simply opening a new bug with the same issue doesn't change the decision to WONTFIX the previous bug.

*** This bug has been marked as a duplicate of 188285 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED