Is your FF/Ie/Chrome etc saving plain txt credit card details?
  1. #1
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391

    Is your FF/Ie/Chrome etc saving plain txt credit card details?

    Greetz.

    Came across this article earlier, thought I'd post it up and share.

    These instructions are for firefox, however the same principle applies to IE and Chrome, however I do not know how to access the form history from those browsers.

    Download and install this add-on, it provides you with a GUI to easily access sqlite files (databases)
    https://addons.mozilla.org/en-US/firefox/addon/5817

    Now if you are running Windows Vista or 7 browse to C:\Users\<UserName>\AppData\Roaming\Mozilla\Firefox\Profiles\<RandomString>.default\formhistory.sqlite

    In xp it is C:\Documents and Settings\<UserName>\Application Data\Mozilla\Firefox\Profiles\<RandomString>.default

    Hit browse & search then the search button. Now under the field 'fieldname' type in credit or cc and pick 'contains' from the drop down menu. Hit ok.

    Now if you have ever bought anything on the internet with your credit card chances are all the information is saved here, full name, visa number, expiry, and CSV number.
    Another way to check is to type in the first 4 digits of your credit card into the field 'Value' and pick 'contains' from the drop down menu. Once again you will find your credit card number popping up all over the place.
    Now I don't think it would be very difficult at all to write a small trojan that steals these databases and uploads them, certainly a lot easier to do than setting up a keylogger that has to run for weeks. Quite an easy way to steal someone's identity.

    I recommend you delete all the entries you find, or even delete the entire file if you don't want any forms being remembered.

    I imagine there are hundreds of sites that have been coded poorly and will cache these details.
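
The manual check in the post above can be scripted as a self-audit of your own profile. This is an added example, not part of the original post or the linked add-on; it assumes the form history lives in the `moz_formhistory` table with `id`, `fieldname` and `value` columns, adds a Luhn checksum test on values (an addition beyond the post's substring search), and runs against a constructed in-memory database.

```python
import re
import sqlite3

NAME_HINTS = ("credit", "cc")  # substrings the post searches 'fieldname' for

def luhn_ok(digits):
    """Luhn checksum that valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def card_digits(value):
    """Return the bare digits if value looks like a card number, else None."""
    digits = re.sub(r"[ -]", "", str(value or ""))
    ok = digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)
    return digits if ok else None

def audit(conn):
    """Return (id, fieldname, masked_value, reason) for each suspicious row."""
    findings = []
    rows = conn.execute("SELECT id, fieldname, value FROM moz_formhistory")
    for row_id, name, value in rows:
        digits = card_digits(value)
        if digits:  # value itself is card-like, whatever the field is called
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append((row_id, name, masked, "value passes Luhn"))
        elif any(h in name.lower() for h in NAME_HINTS):
            # "cc" also matches names like "account"; review before purging
            findings.append((row_id, name, "<redacted>", "field name"))
    return findings

def purge(conn, findings):
    conn.executemany("DELETE FROM moz_formhistory WHERE id = ?",
                     [(f[0],) for f in findings])
    conn.commit()
    return len(findings)

def demo_db():
    """Constructed stand-in for formhistory.sqlite (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_formhistory "
                 "(id INTEGER PRIMARY KEY, fieldname TEXT, value TEXT)")
    conn.executemany("INSERT INTO moz_formhistory (fieldname, value) VALUES (?, ?)", [
        ("searchbar-history", "sqlite manager"),
        ("creditCardNumber", "4111 1111 1111 1111"),  # widely used test number
        ("cc_exp", "12/11"),
        ("phone", "5551234567"),
    ])
    return conn
```

To run it on a real profile, close Firefox, work on a copy of `formhistory.sqlite`, and pass `sqlite3.connect(path_to_copy)` to `audit` instead of `demo_db()`.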

  2. #2
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Opera RULES !
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  3. #3
    Senior Member
    Join Date
    Dec 2006
    Location
    Myrtle Beach, SC
    Posts
    239
    Wow...Opera really isn't on that list. So what is FF/Ie/ and Chrome smoking?

  4. #4
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    I guess that browsers that don't support autocomplete (like Opera) don't have this issue. Other than that, the issue seems to be a combination of a few things: firstly, autocomplete is turned on by default for input boxes (so in order to turn it off, you'd have to specifically include the autocomplete="off" attribute - but from what I can find, that's not valid XHTML).

    Secondly, I thought that IE turns off autocomplete when it detects an https connection, so if you're having the issue described in the article, there's a problem that's bigger than just an autocomplete issue.


    "I recommend you delete all the entries you find, or even delete the entire file if you don't want any forms being remembered."
    I haven't tried this, but I'm going to guess that IE and Firefox will just recreate the files if you delete them. If you don't want any forms being remembered, you could just, you know, turn off autocomplete?

    Edit: this (http://msdn.microsoft.com/en-us/libr...86(VS.85).aspx) seems to say that autocomplete is enabled over https after all unless specifically turned off...

  5. #5
    Senior Member
    Join Date
    Dec 2006
    Location
    Myrtle Beach, SC
    Posts
    239
    A very interesting note on FF and Ie, they both seem to have that private browsing thing. Could that possibly be an alternative?

  6. #6
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    InPrivate browsing mode sucks, trust me..

  7. #7
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    Why does it suck? I don't really use it, but I can't think of a single reason why it would suck

    It doesn't store form data so it's definitely an alternative.

  8. #8
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    I don't think that the person who wrote the article has much of a clue about browser software or the internet.

    Negative is quite right. If you allow your browser to autocomplete forms and save private data for quick entry then it will do precisely that. Browsers are only as secure as you set them up to be, which will depend on your diligence and knowledge of the browser.

    In FF just go into the "Privacy" settings and tell it not to save stuff and clear private data on closing. Look at the details of this and you can choose what you want it to delete, which includes passwords, cookies, form contents and the rest.

    My wife does online shopping. I have just checked her machine and there is absolutely NO stored CC data.

    Tools such as CCleaner also wipe this information, as well as the manual and automatic features in the browser itself.

    "I imagine there are hundreds of sites that have been coded poorly and will cache these details."

    Errrrrrrrrrrr.........................I don't think that secure online transaction systems work like that
    Last edited by nihil; August 8th, 2009 at 10:44 AM.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
