Yet another W3C API can be turned against the user, privacy boffin Lukasz Olejnik has warned – this time, it’s in how browsers store and check credit card data.
As is so often the case, a feature created for convenience can be abused through its implementation. To spare users the tedious task of typing in the 16 digits of their credit card number, four for the expiry date, and three for the CCV number, the Web Payments API lets websites pull numbers stored in the browser.
Olejnik, a security and privacy researcher, writes that even without a full privacy assessment it was easy to discover some serious vectors for misuse: fingerprinting, a frequent interest of Olejnik’s; and, in Chrome, a way to reliably detect users in “incognito” mode, “a thing that generally should not be possible”.
The Web Payments API is supported in Chrome and Edge, and is on the real-soon-now list for Firefox and WebKit.
The fingerprinting he discovered is quite specific: a site can detect which cards the user has stored. That’s because while the API tries to prevent enumeration attacks by rate-limiting the canMakePayment call (to once every 30 seconds), the limit is applied per origin, which makes it ineffective:
“A website could simply use a bunch of iframes with scripts effectively running in different origins, meaning that the 30m quota is functionally irrelevant … one iframe could test for ‘visa’, another for ‘mastercard’, etc. At the end, iframes communicate test results to the parent frame.”
The result, he writes, is that iframes could capture all the payment instruments available to an individual user.
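To make the per-origin weakness concrete, here is an added toy model of the canMakePayment quota, written for this article and not taken from Olejnik’s post or from Chrome’s code. It assumes the 30-second window the article states, and it compares keying the quota by each frame’s own origin (the bypassable behaviour described above) with keying it by the top-level page’s origin, a mitigation suggested here as an assumption rather than as Chrome’s actual fix.

```javascript
// Constructed model of a canMakePayment() rate limit. Not Chrome's code.
const QUOTA_MS = 30 * 1000; // one check per quota key per 30 seconds (as the article states)

class CanMakePaymentQuota {
  // keyFn decides what "one caller" means: the frame's own origin, or the top-level origin.
  constructor(keyFn, windowMs = QUOTA_MS) {
    this.keyFn = keyFn;
    this.windowMs = windowMs;
    this.lastCall = new Map(); // quota key -> timestamp of the last permitted check
  }

  // Returns true if the check may run, false if this key is still inside its window.
  allow(frame, now) {
    const key = this.keyFn(frame);
    const last = this.lastCall.get(key);
    if (last !== undefined && now - last < this.windowMs) return false;
    this.lastCall.set(key, now);
    return true;
  }
}

// Keying strategy 1: every iframe origin gets its own quota (the weakness in the article).
const byFrameOrigin = (frame) => frame.origin;
// Keying strategy 2 (assumed mitigation): all frames embedded in one page share a quota.
const byTopLevelOrigin = (frame) => frame.topOrigin;

// Constructed sample: one top-level page embedding n iframes on distinct origins.
function embeddedFrames(n, top = 'https://shop.example') {
  return Array.from({ length: n }, (_, i) => ({
    origin: `https://frame${i}.example`,
    topOrigin: top,
  }));
}

// How many of the frames' checks get through when they all fire within one window
// (each 100 ms after the previous one)?
function countPermitted(keyFn, frames, t0 = 0) {
  const quota = new CanMakePaymentQuota(keyFn);
  return frames.filter((frame, i) => quota.allow(frame, t0 + i * 100)).length;
}

// Sanity check on the window itself: the same caller is allowed again once it expires.
function allowedAgainAfter(keyFn, elapsedMs) {
  const quota = new CanMakePaymentQuota(keyFn);
  const [frame] = embeddedFrames(1);
  quota.allow(frame, 0);
  return quota.allow(frame, elapsedMs);
}
```

With the per-frame key, three iframes yield three permitted checks inside one window; with the top-level key, only the first gets through.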
The second issue, incognito detection, arises because incognito mode skips a rule that is applied to normal payment attempts.
The vector for abuse arose, perhaps ironically, because the API’s designers wanted to protect users from sites that might scam them by attempting payments against multiple stored cards.
So a site requesting payment may call canMakePayment only once: a second call raises a NotAllowedError (“Not allowed to check whether can make payment”).
The slip-up is that when Olejnik tested this in Chrome, he found the rule didn’t work properly in Incognito mode. If a user had stored values for MasterCard and Visa, for example, the second call to the API returned “true” for both cards.
It would, he wrote, behave that way for every card a user had stored, turning “a fingerprinting vector into an information leak!”.
Olejnik noted that he reported the issue to the Chrome team here. ®