Is it safe to auto-fill credit card numbers using Chrome?

  • Is it safe to auto-fill credit card numbers using Chrome? Does it safely store the credit card information? As far as my understanding goes, it just shows asterisk values, but on click it reveals the credit card numbers:

    My questions are:

    1. Is it possible to breach Google Chrome and take my credit card information?

    2. As per my understanding, the credit card number is not stored with any type of encryption, so is it really secure to store it in autofill data?

    How does Chrome handle this type of data? I agree it's good in terms of usability to store and fill the credit card details, but I doubt it's good in terms of security.

    You can enable client-side encryption in Chrome by setting a password in your sync options. That will secure the password in transit and on the server. Still vulnerable on the client.

    I would be concerned about what conditions trigger auto-completion, because if a website has invisible "cc" and "cvv" fields, they might get auto-completed and submitted to another website using JavaScript (XSS) without the user knowing.
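    The concern raised in the last comment (card fields the user cannot see being filled by the browser and then read by the page's own script) can be checked on a real checkout page. The following is an added example, not code from the question or the comments: the `cc-*` tokens are the payment-card values defined for the `autocomplete` attribute in the HTML standard, while the field-descriptor shape, `classifyField`, `auditCardFields` and the sample form are assumptions made for this example. Whether a given browser version fills a CSS-hidden field has varied over time; the audit shows what the page asks for, which is the part you can inspect.

```javascript
// Added example: flag form controls that request payment-card autofill but are not
// visible to the user. classifyField is pure (runs anywhere); auditCardFields wraps it
// for a live DOM and is meant to be pasted into the devtools console on a checkout page.

// autocomplete tokens that browsers treat as payment-card fields (HTML standard).
const CARD_TOKENS = new Set([
  'cc-name', 'cc-given-name', 'cc-additional-name', 'cc-family-name',
  'cc-number', 'cc-exp', 'cc-exp-month', 'cc-exp-year', 'cc-csc', 'cc-type',
]);

// Assumed descriptor shape for one control (values as getComputedStyle/getBoundingClientRect give them):
// { name, autocomplete, type, display, visibility, opacity, width, height, left, top }
function classifyField(f) {
  // The field token is the last autocomplete token ("section-x shipping cc-number" -> "cc-number").
  const token = (f.autocomplete || '').trim().toLowerCase().split(/\s+/).pop();
  const asksForCard = CARD_TOKENS.has(token);
  const reasons = [];
  if (f.type === 'hidden') reasons.push('type=hidden');
  if (f.display === 'none') reasons.push('display:none');
  if (f.visibility === 'hidden') reasons.push('visibility:hidden');
  if (Number(f.opacity) === 0) reasons.push('opacity:0');
  if (f.width === 0 || f.height === 0) reasons.push('zero-size box');
  if (f.left + f.width < 0 || f.top + f.height < 0) reasons.push('positioned off-screen');
  return { name: f.name, token, asksForCard, hidden: reasons.length > 0, reasons };
}

// Only the dangerous combination matters: asks for card data AND cannot be seen.
function findHiddenCardFields(fields) {
  return fields.map(classifyField).filter((r) => r.asksForCard && r.hidden);
}

// Browser-side wrapper: build descriptors from the live DOM, then classify them.
function auditCardFields(doc = document, win = window) {
  const fields = [];
  for (const el of doc.querySelectorAll('input, select, textarea')) {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    fields.push({
      name: el.name || el.id, autocomplete: el.getAttribute('autocomplete'),
      type: el.type, display: cs.display, visibility: cs.visibility,
      opacity: cs.opacity, width: r.width, height: r.height, left: r.left, top: r.top,
    });
  }
  return findHiddenCardFields(fields);
}

// Constructed sample describing a checkout form (not taken from any real site):
// a visible card-number field, a CVC field pushed off-screen, a display:none
// cardholder-name field, and an unrelated hidden promo field.
const SAMPLE_FIELDS = [
  { name: 'card', autocomplete: 'cc-number', type: 'text', display: 'block',
    visibility: 'visible', opacity: '1', width: 200, height: 30, left: 40, top: 100 },
  { name: 'cvc_hidden', autocomplete: 'cc-csc', type: 'text', display: 'block',
    visibility: 'visible', opacity: '1', width: 60, height: 30, left: -9999, top: 100 },
  { name: 'name_hidden', autocomplete: 'section-x cc-name', type: 'text', display: 'none',
    visibility: 'visible', opacity: '1', width: 0, height: 0, left: 0, top: 0 },
  { name: 'promo', autocomplete: 'off', type: 'text', display: 'none',
    visibility: 'visible', opacity: '1', width: 0, height: 0, left: 0, top: 0 },
];

// Running findHiddenCardFields(SAMPLE_FIELDS) reports cvc_hidden and name_hidden, not card or promo.
```

    On a real page, `auditCardFields()` returns the same kind of list for the live form; anything it reports deserves a look at which script reads that field and where the form posts.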

  • deviantfan (Correct answer)

    6 years ago

    "Is it possible to breach Google Chrome and take my credit card information?"

    As long as Chrome can use your number for auto-completion, it has to be possible for Chrome to access it. If one program on your computer can do this, another program, or at least humans, can do it too.

    "it's not stored with any type of encryption"

    Even with encryption, the statement above holds. Chrome would need the key, and this key has to be somewhere on your computer so that Chrome can use it.

    As long as someone can physically access your computer, few things actually help. Encrypting your whole hard drive and taking the key away with you is one possibility. Downside 1: it's a pain to insert a flash drive and a password each time you turn it on. Downside 2: if someone gets your computer while it is turned on, everything is futile again.

    If you only want to protect against attacks from the internet, this is much better, but nonetheless there is no 100% protection. Not entering your card number (or any sensitive data) into the computer is the only reliable way.

    They could encrypt the information and require a password to access it instead of storing the key locally. Typing a password is still easier and faster than reading the credit card number, expiration date etc.

    Do you have any piece of technical evidence to support what you are saying, or is this answer pure assumptions? I can see ways of implementing a safe CC storage off-computer, having the browser request the info from the server in an encrypted way. Not sure if it works this way, though, but I wouldn't speculate either way.

    @Seb It's not speculation, but just common sense plus some knowledge about computers. ... The feature basically is to write the (plain, readable) credit card number into an HTML form when the user wants it. As long as this isn't changed, how could you ever hide the number from Chrome (and with it, from other client-side access)? ... Sure, telling server A to ask server B for the number could be done, but that's something different (and it isn't supported by standards, browsers, servers, etc., and would imply huge privacy problems etc.)

    @deviantfan As I suggested, data can be stored on Google's servers and requested when needed. That doesn't mean it's saved locally. I think you misinterpreted my suggestion. I find it troubling that the accepted answer has no evidence whatsoever to support its statements, just "some knowledge about computers" and assumptions.

    @Seb And I find it troubling that you didn't understand my last comment. I'm talking about local auto-completion, which Chrome is using (period). Whether another solution is better wasn't the problem. For evidence, read Chrome's code. You could also send me a computer and I get the numbers out of it; would that be proof enough? ... Btw., no, storing your credit card data on Google's servers is neither better nor allowed. If you want evidence, read about PCI DSS.

    Me not understanding your answer is not troubling. You said your answer was based on "common sense plus some knowledge about computers". All I'm asking for is proof of this answer, as it's not evident to me and I can't find answers from Google either. Don't get mad at me for wanting to be sure, and not trust on someone else's "common sense plus some knowledge about computers". Sigh...

    @Seb I'm not mad. ... What sort of proof do you expect, if the Chrome source isn't enough (assuming we're talking about the same thing now)? All other parts were already done by people, so they are possible (see Google, or ask me for links). ... (And are you aware that, when requiring hard evidence, pretty much any security thing in the world fails? E.g. there is no proof that AES is secure, there's no proof that RSA is secure (because there is no proof that P!=NP), there's no proof that any long key length is enough for something because guessing right on the first try is possible, etc.)

    code != "common sense plus some knowledge about computers". Nuff said.

    @Seb If you just read the comment parts that you want ... well. Bye, I'm done with this discussion

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM