Closed Bug 320199 Opened 17 years ago Closed 17 years ago
Auto Complete offers to fill sensitive form data like card number on HTTPS pages on revisiting
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

When entering sensitive information on HTTPS pages, such as credit card information, it is not good for it to remember the input and offer auto-complete. I am on dialup, and lost my connection during a signup procedure with credit card details on an https page, and had to restart. FF remembered and auto-filled the card details as I started to type, including my card number and 3-digit security number.

For the sake of security, it should NOT remember anything on an HTTPS page. I don't know where it is stored (on Windows, the Registry no doubt), but any hacker or script-kiddie could find it, or a person coming along after on the same computer could obtain the information if they know some basic details, like the initial letter or number in a field, or by trial and error.

Reproducible: Always

Steps to Reproduce:
1. Go to secure HTTPS registration page for some service
2. Fill out sensitive information, like credit card info
3. Reload the page, or use Back button in multi-step process and come back to the same page, so that the form is empty except for postdata.
4. Type the first letter or number in sensitive fields, like card number, security number, expiry date and account name. The auto-fill will offer the previous values.

Actual Results:
Auto-fill offers to fill in the sensitive credit card details on the HTTPS page when revisiting page.

Expected Results:
Nothing should be remembered/stored anywhere or offered by Auto-complete on HTTPS form pages.

A potentially serious security flaw.
*** This bug has been marked as a duplicate of 188285 ***
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE