This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Support
Support
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Improve security for CVVs

OchilView
Making moves

‎08-20-2023 06:46 AM

I have noticed that Firefox saves a previously entered CVV code (the three digit code on the back of a credit/debit card), I presume as a cookie. This means that when entering details of a card in a future transaction then simply entering the first digit of the CVV reveals a prompt for the FULL CVV on the screen.

What this means is that a hacker can simply type one of 10 digits in turn (0-9) to reveal the CVV for a previously entered card. This is even without having saved the credit card details to Firefox (I never do).

This is a security vulnerability. The CVV should not be saved as part of a form to be displayed as a prompt merely by entering the first digit in subsequent transactions.

0 Kudos
2 REPLIES 2

issam
Employee
Employee

‎08-21-2023 01:50 PM

Heyo @OchilView,

Thank you for bringing this issue to our attention. Just to clarify, we typically don't store the CVC with the credit card details. Additionally, all credit card information we store is encrypted. Can you share a bit more about how you stumbled upon this? A link to the website you used would be super helpful for us to dive deeper and pinpoint the exact issue 😄

Thanks for the report !

0 Kudos

jscher2000
Leader

‎08-21-2023 11:09 PM

Perhaps it is saved in "Form history". You can turn off Form history suggestions for testing. Here's how:

  • On the Settings page, switch to the Privacy & Security panel.
  • Scroll down to the History section and change the selector to "Firefox will: Use custom settings for history".
  • Uncheck the box for "Remember search and form history" (this doesn't clear previously saved form history, but will pause the feature).

Does that change the behavior?

If so, you can re-enable the feature and remove individual form history entries as described in the following article. However, I can't think of a way to selectively block new form entries being saved for a specific field.

https://support.mozilla.org/kb/control-whether-firefox-automatically-fills-forms

 

0 Kudos
Copyright © 2024 Khoros, LLC