Closed
Bug 508261
Opened 16 years ago
Closed 16 years ago
Firefox may be saving complete Credit Card details in plain text
Categories
(Toolkit :: Form Manager, defect)
RESOLVED
DUPLICATE
of bug 285790
People
(Reporter: rollie, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Download and install this add-on; it provides you with a GUI to easily access sqlite files (databases).
https://addons.mozilla.org/en-US/firefox/addon/5817
Now if you are running Windows Vista or 7, browse to C:\Users\<UserName>\AppData\Roaming\Mozilla\Firefox\Profiles\<RandomString>.default\formhistory.sqlite
In XP it is C:\Documents and Settings\<UserName>\Application Data\Mozilla\Firefox\Profiles\<RandomString>.default
Hit browse & search then the search button. Now under the field 'fieldname' type in credit or cc and pick 'contains' from the drop down menu. Hit ok. Now if you have ever bought anything on the internet with your credit card, chances are all the information is saved here: full name, visa number, expiry, and CSV number.
Another way to check is to type in the first 4 digits of your credit card into the field 'Value' and pick 'contains' from the drop down menu. Once again you will find your credit card number popping up all over the place.
Now I don't think it would be very difficult at all to write a small trojan that steals these databases and uploads them, certainly a lot easier to do than setting up a keylogger that has to run for weeks. Quite an easy way to steal someone's identity.
A website that suffers from this flaw (if you have save form history enabled) is www.ezyreg.sa.gov.au/ezyreg/ which is a government website, so I imagine there are hundreds of others that have been coded poorly and will cache these details.
Reproducible: Always
Steps to Reproduce:
1. Visit various sites that use visa credit cards such as www.ezyreg.sa.gov.au/ezyreg/
2. Attempt to pay for something then quit out.
3. Attempt to pay again and you can see that the credit card details are saved
4. Use SQLite Manager 0.5.1 to verify that the details are in fact saved in plain text
Actual Results:
Credit card details including full name, credit card number, 3 digit security number, expiry date and address are saved.
Expected Results:
Two solutions, one being to recognise the format of a credit card number and refuse to save it in the form history. Quite simple to do, there's a list of common prefixes for VISA cards, if a string contains these do not save them.
Encrypt, hash or obfuscate the data so that it cannot be easily found using SQLite Manager.
I realise that in fact the bug is with the websites themselves; however, if Firefox is to be a world leading browser it should take steps (simple to implement) to avoid these issues.
Reporter
Updated•16 years ago
Priority: -- → P1
Version: unspecified → 3.5 Branch
Updated•16 years ago
Component: Security → Autocomplete
Priority: P1 → --
Product: Firefox → Toolkit
QA Contact: firefox → autocomplete
Whiteboard: DUPEME
Version: 3.5 Branch → Trunk
Updated•16 years ago
Component: Autocomplete → Form Manager
QA Contact: autocomplete → form.manager
Comment 1•16 years ago
If you write a small trojan that runs on your system it can also install a keylogger and it will get more things like passwords.
Security through obscurity doesn't help because it doesn't help to protect the data.
Ignoring credit card information is not quite simple as there are several different types.
The only solution is to encrypt all form history with the same master password that is used by the password manager -> bug 285790
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
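The reporter's first suggestion (recognise a card-number format and refuse to save it), written out as an added example that is not part of the bug report or of Firefox's code. It uses the Luhn checksum and a 13 to 19 digit length instead of a prefix list; the function names and sample submissions are constructed for illustration.

```javascript
// Added example: keep card-number-shaped values out of form history.
// All function names here are hypothetical, not Firefox APIs.

// Luhn checksum over a string that contains only ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    // Walk from the rightmost digit; double every second one.
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// True when the value consists only of digits, spaces and dashes,
// has a card-like length (13 to 19 digits) and passes Luhn.
function looksLikeCardNumber(value) {
  if (!/^[\d -]+$/.test(value)) return false;
  const digits = value.replace(/[ -]/g, "");
  if (digits.length < 13 || digits.length > 19) return false;
  return luhnValid(digits);
}

// Filter applied before an entry would be written to form history.
// fieldname is ignored on purpose: sites name these fields inconsistently.
function shouldSaveToFormHistory(fieldname, value) {
  return !looksLikeCardNumber(value.trim());
}

// Constructed sample submissions (well-known test numbers, not real cards).
const samples = [
  ["cc_number", "4111 1111 1111 1111"],  // 16 digits, valid Luhn
  ["cardno", "3782-822463-10005"],       // 15 digits, valid Luhn
  ["order_ref", "4111111111111112"],     // 16 digits, fails Luhn
  ["search", "firefox form history"],    // ordinary text
];
for (const [field, value] of samples) {
  console.log(field, shouldSaveToFormHistory(field, value) ? "save" : "skip");
}
```

A value filter like this only catches the card number itself: the name, expiry date and security code listed in the report would still be stored, and any unrelated 13 to 19 digit value that happens to pass Luhn is skipped as well.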