08-20-2023 06:46 AM
I have noticed that Firefox saves a previously entered CVV code (the three-digit code on the back of a credit/debit card), I presume as a cookie. This means that when entering the details of a card in a future transaction, simply entering the first digit of the CVV reveals a prompt for the FULL CVV on the screen.
What this means is that a hacker can simply type each of the 10 digits in turn (0-9) to reveal the CVV for a previously entered card. This happens even without having saved the credit card details to Firefox (I never do).
This is a security vulnerability. The CVV should not be saved as part of a form to be displayed as a prompt merely by entering the first digit in subsequent transactions.
08-21-2023 01:50 PM
Heyo @OchilView,
Thank you for bringing this issue to our attention. Just to clarify, we typically don't store the CVC with the credit card details. Additionally, all credit card information we store is encrypted. Can you share a bit more about how you stumbled upon this? A link to the website you used would be super helpful for us to dive deeper and pinpoint the exact issue 😄
Thanks for the report!
08-21-2023 11:09 PM
Perhaps it is saved in "Form history". You can turn off Form history suggestions for testing. Here's how:
Does that change the behavior?
If so, you can re-enable the feature and remove individual form history entries as described in the following article. However, I can't think of a way to selectively block new form entries being saved for a specific field.
https://support.mozilla.org/kb/control-whether-firefox-automatically-fills-forms
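The replies above cover the browser-side setting. On the site side, the usual way to keep a field out of a browser's form history is to mark it `autocomplete="off"` (or render it as `type="password"`, which form history never stores). The following audit is an added example written for this thread, not code from Mozilla or from the site in the report: it scans constructed checkout markup for inputs that look like a card security code and lists those without either protection. It assumes the browser honours `autocomplete="off"` on ordinary text fields, and it deliberately does not treat `autocomplete="cc-csc"` as protection, because that value names the field for payment autofill rather than stating that history should not be kept for it.

```javascript
// Added example: audit an HTML string for card-security-code inputs that a
// browser may save to form history. Uses only the constructed markup below;
// it does not fetch or load any real page.

// Heuristic for spotting the security-code field by name, id, placeholder
// or autocomplete token (cvv, cvv2, cvc, csc, "security code").
const CSC_PATTERN = /(?<![a-z0-9])(cvv2?|cvc|csc|security[-_ ]?code)(?![a-z0-9])/i;

// Parse the attributes of one <input ...> tag into a plain object.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "");
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// A field is treated as protected only when the browser is told not to keep
// history for it: autocomplete="off", or a password-type input.
function isProtected(attrs) {
  return (attrs.type || "").toLowerCase() === "password" ||
         (attrs.autocomplete || "").toLowerCase() === "off";
}

// Return every <input> that looks like a card security code and is not
// protected. Each finding records the tag, a display name and the
// autocomplete value actually present.
function findUnprotectedCscInputs(html) {
  const findings = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttributes(m[0]);
    const label = [a.name, a.id, a.placeholder, a.autocomplete].filter(Boolean).join(" ");
    if (!CSC_PATTERN.test(label)) continue;
    if (isProtected(a)) continue;
    findings.push({
      tag: m[0],
      name: a.name || a.id || "(unnamed)",
      autocomplete: (a.autocomplete || "").toLowerCase() || "(absent)",
    });
  }
  return findings;
}

// Constructed sample checkout form (not taken from any real site). The first
// CVV field has no protection, the second relies on cc-csc alone, the third
// is a password input and the fourth carries autocomplete="off".
const SAMPLE_CHECKOUT_HTML = `
<form action="/pay" method="post">
  <input type="text" name="cc-number" autocomplete="cc-number">
  <input type="text" name="cvv" placeholder="CVV">
  <input type="text" id="securityCode" autocomplete="cc-csc">
  <input type="password" name="cvc">
  <input type="text" name="cvc_hardened" autocomplete="off">
</form>`;

// Running the file directly prints the two unprotected fields.
console.log(findUnprotectedCscInputs(SAMPLE_CHECKOUT_HTML));

module.exports = { parseAttributes, isProtected, findUnprotectedCscInputs, SAMPLE_CHECKOUT_HTML };
```

Run it with `node audit.js` against markup saved from a checkout page (the sample above is embedded so it works offline). The check is a heuristic on attribute names, so a field named in an unexpected way will be missed; the point is the rule it encodes, that a CVV input should carry `autocomplete="off"` or be a password field if the site does not want the browser to offer it back later.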