Another W3C API exposing users to browser snitching

Yet another W3C API can be turned against the user, privacy boffin Lukasz Olejnik has warned – this time, it's in how browsers store and check credit card data. As is so often the case, a feature created for convenience can be abused in implementation. To save users from the tedious task of entering the 16 characters of their …

  1. Anonymous Coward

    why

    anyone who saves their credit card details in the browser deserves every financial burden that happens to them on the internet

    1. Anonymous Coward

      Re: why

      I wonder how much Amazon paid the W3C to come up with this brilliant idea?

      1. Nick Ryan Silver badge

        Re: why

        I wonder how much Amazon paid the W3C to come up with this brilliant idea?

        Why would Amazon do this? Payment cards are already linked to Amazon accounts and (securely, I trust) stored on Amazon servers. There would be no real benefits to be gained, in fact quite a lot of negatives, from distributing the storage of the card details to the individual browsers on individual users' individual devices (as in phone, tablet, TV, laptop, desktop).

        I believe this API comes as an extension of the fact that, for convenience, browsers already store and auto-fill a lot of details relating to payment including names, addresses and payment card details and it would be a good idea to formalise and therefore control this mechanism.

    2. Anonymous Coward

      Re: why

      If it's their credit card then it isn't their money.

      This feature is very stupid though. Maybe when everyone was freaking out over DRM they could have paid a little attention to this actual threat instead?

    3. Anonymous Coward

      Re: why

      Why is that?

      Unless you can see a weakness in the actual security of the storage of the card data then the risk is currently very low.

      Compared to actually entering your card data on a website or using it in a shop the risk is far lower.

      This incident allowed two very specific things: finding out if the user was incognito, which has now been patched in the latest version. It also allows the website to know what cards the user is holding in their browser wallet. This currently presents an unspecified risk at the moment, but the data is not that valuable; any receipt or card storage system that is secure will often show the first few numbers of a card or even the card type. It could lead to phishing attempts, as you now know the user has a Visa or Mastercard etc. However, in the UK for example, just phishing based on Visa would be relevant to most of the card-carrying population.

      For now I would say that trusting a password manager has a greater risk and many people do that.

  2. mark l 2 Silver badge

    I think it's about time that iframes were blocked by default in browsers as, although a few websites might use them genuinely for showing data from other websites, they are often used as ways of exploiting or tracking users.

    I remember demonstrating to a member of the police force a few years ago how you could get someone's internet cache to be full of illegal porn or terrorism content using iframes by getting them to visit a seemingly innocent website and loading the nasties in a hidden iframe. He was shocked how easy it was to achieve as he was under the impression that there was no way illegal content could get into someone's internet history and cache without them deliberately visiting those websites. With the UK now giving up to 15 years in jail for just viewing jihad websites it could prove to be very costly for the innocent party.
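The comment above describes a site being used to pull third-party content into a hidden frame. Below, as an added illustration that is not part of this thread or of The Register's site, is the site-operator side of the mitigation: a Content-Security-Policy that restricts what may be framed on the pages it serves. The directives and headers are real CSP/HTTP; the nginx server block, host name and paths are placeholders chosen for the example.

```nginx
# Added example (not from the thread): nginx server block with a frame-restricting CSP.
# Host name and listen settings are placeholders.
server {
    listen 443 ssl;
    server_name example.invalid;

    # frame-src 'self': only same-origin documents may be loaded into <iframe>/<frame>
    # on pages served here, so a third-party script or an ad slot cannot pull an
    # arbitrary origin into a hidden frame in the visitor's browser.
    # frame-ancestors 'none': this site may not itself be framed by other sites
    # (the clickjacking half of the same problem).
    # "always" makes nginx send the header on error responses too.
    add_header Content-Security-Policy "frame-src 'self'; frame-ancestors 'none'" always;

    # Legacy equivalent of frame-ancestors for browsers that predate CSP level 2.
    add_header X-Frame-Options "DENY" always;
}
```

If the site legitimately embeds a known partner (an embedded video player, for instance), list that origin explicitly in `frame-src` instead of `'self'` alone; the point is an allow-list, so a frame pointing anywhere else is blocked by the browser and reported in its console rather than silently fetched into the cache.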

    1. Nick Ryan Silver badge

      I wonder if somebody could add this "functionality" to the websites of the conservative party? This way all supporters and members would be proved guilty of terrorism. Which has a certain ironic truth to it.

      Disclaimer: Other political parties are also available for such functionality enhancements.

      1. Ken Hagan Gold badge

        "I wonder if somebody could add this "functionality" to the websites of the conservative party?"

        That would depend on whether they have control over anything that the website displays. Then again, if you included such unpleasantness in adverts, you could presumably pollute the browsing history of anyone who doesn't use an ad-blocker.

    2. Charles 9

      If it isn't iframes, it'll be traditional frames, booby-trapped media, or even malformed HTML.

  3. Charles 9

    You would think that going "incognito" should return an empty wallet every time, since saved data isn't supposed to be available while incognito.
