Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Another W3C API exposing users to browser snitching

Web Payments API bugs, or perhaps features, can be abused: Lukasz Olejnik

Richard Chirgwin Fri 6 Oct 2017  //  00:56 UTC

Yet another W3C API can be turned against the user, privacy boffin Lukasz Olejnik has warned – this time, it's in how browsers store and check credit card data.

As is so often the case, a feature created for convenience can be abused in implementation. To save users from the tedious task of entering the 16 characters of their credit card numbers, four for date, and three for CCV number, the Web Payments API lets Websites pull numbers stored in browsers.

Olejnik, security and privacy researcher, writes that even without a full privacy assessment, it was easy to discover some serious vectors for misuse: fingerprinting, a frequent interest of Olejnik's; and in Chrome, he found a way to reliably detect users in “incognito” mode, “a thing that generally should not be possible”.

Web Payments API is supported in Chrome and Edge, and is on the real-soon-now list in Firefox and WebKit.

The fingerprinting he discovered is quite specific: a site can detect which different cards the user may have stored. That's because while the API tries to prevent against enumeration attacks by rate-limiting the canMakePayment call (to once every 30 seconds), that's inefficiently applied:

“A website could simply use a bunch of iframes with scripts effectively running in different origins, meaning that the 30m quota is functionally irrelevant … one iframe could test for “visa”, another for “mastercard”, etc. At the end, iframes communicate test results to the parent frame.”

The result, he writes, is that iframes could capture all the payment instruments available to an individual user.

The second issue, incognito detection, arises because incognito mode skips a rule applied to normal attempts at payment.

The vector for abuse arose, perhaps ironically, because the API's designers wanted to protect users from sites that might scam them by calling payments from multiple stored cards.

So the canMakePayment call can only be used once by a site requesting payment: a second call raises the exception NotAllowedError: Not allowed to check whether can make payment.

The slip-up is that when Olejnik tested this in Chrome, he found it didn't work properly in Incognito mode. If a user had stored values for MasterCard and Visa, for example, the second call to the API returns a “true” value for both cards.

It would, he wrote, behave like that for all the cards a user stored, turning “a fingerprinting vector into an information leak!”.

Olejnik noted that he reported the issue to the Chrome team here. ®
Send us news
10 Comments

Chrome Enterprise Premium promises extra security – for a fee

Paying for browsers is no longer a memory from the 1990s

Google bakes new cookie strategy that will leave crooks with a bad taste

Device Bound Session Credentials said to render cookie theft useless

Chrome for Windows-Arm laptops officially lands in time for Snapdragon X Elite kit

At last, no more crappy emulation or experimental builds

Firefox 124 brings more slick moves for Mac and Android

And you now get keyboard navigation in the built-in PDF reader

Microsoft defends barging in on Chrome with pop-up ads pushing Bing, GPT-4

We thought you people wanted choice, IT colossus sniffs

Google gooses Safe Browsing with real-time protection that doesn't leak to ad giant

Rare occasion when you do want Big Tech to make a hash of it

Chrome users – get an alert when extensions are in danger of falling into wrong hands

Under New Management is an early-warning system for potential poisoning of add-ons with malware

Supermium drags Google Chrome back in time to Windows XP, Vista, and 7

If you really need obsolete OSes, here's a modern(ish) browser

Firefox 122 gets even more competitive with Chrome on translation

Plus a big change for Linux folks – native .deb packages

Mozilla CEO quits, pushes pivot to data privacy champion... but what about Firefox?

Could it have more to do with browser's ever-increasing irrelevance?

The most 2024 things to do are laying off staff and eyeing up AI – Mozilla's doing both

Firefox Mobile also getting increased attention

Worried about the impending demise of Windows 10? Google wants you to give ChromeOS Flex a try

Hello, Mr. Frying Pan, meet Mr. Fire