New Chrome beta includes credit card AutoFill, is this wise?

Google said on Wednesday that it has introduced a new beta of Chrome that includes an AutoFill feature.

Chrome users have long demanded an AutoFill feature for the browser but is including a credit card AutoFill feature wise? Apple was recently stung by a severe AutoFill bug allowing malicious hackers to steal any AutoFill information from Safari. What's to say Google won't be affected by such an issue in future? Allowing users the ability to store credit card information inside a browser will likely add a new incentive for hackers and scammers to break the implementation. What happens in a years time when the EU is investigating Google for "accidentally" collecting credit card information?

Asides from the AutoFill feature Google has also added the ability to sync your Chrome extensions as well as your Autofill data (excluding credit card numbers) through your Google Account. Google has also made some minor tweaks to the Chrome UI. Chrome beta includes a streamlined upper toolbar, more approachable Omnibox and all Chrome options in a single menu. Google hopes it makes Chrome feel more simple.

Chrome beta also includes better performance. There's a 15% speed improvement on the V8 benchmark, and a 15% improvement on the SunSpider benchmark, both of which measure JavaScript performance. If you're interested in testing Chrome beta then make sure you're subscribed to the beta channel.

Report a problem with article
Previous Story

Windows Live Essentials 2011 beta 2 due next Tuesday

Next Story

iOS 4.0.2 released, fixes jailbreak vulnerability

46 Comments

Commenting is disabled on this article.

The thing about optional features like credit card AutoFill?

They're OPTIONAL. There's no need to complain about optional features.

Hey I think giving your CCnumber to PayPal is much more safer than giving it to web-browsers that suffer vulnerabilities after vulnerabilities causing the production of many updates. There is NO way I can put a CCnumber in Chrome because of that.
PayPal is known to be safe with the constant protection of Verisign and the fact that your information is encrypted and stored on another server that is protected with much higher security programs.
Chrome is trying to be what Firefox isn't..still not tempting me to switch over...its Google, keep the search engine alive, burn the browser!

Interesting comments, but everything in life has a certain risk. If I where to think like that all time I would never even leave my house, someone can rob me and steal my money. Or I can simply lose my wallet somewhere. F*** I just remembered I haven't left my house for 3 months so forget about that, but PayPal had my card number for years and so far so good. Can card numbers really be safe anywhere? 100% safe? I don't think so, but it's a convenience and that's just the aim of Google Chrome. I welcome that feature.

Seriously, how hard is it to just keep your CC details in your head or even just your wallet?

Who uses their card that much online that they need to save time typing it in?

Google Term of Agreement:

We, here at Google, make a living by selling your personal informations. By using our services, you must agree to surrender your privacy.

[X] Agree [ ] Disagree

*cough* Snipped from the official chrome blog:
...you can now choose to sync your Chrome extensions as well as your Autofill data (excluding credit card numbers) through your Google Account.

Need glasses?

Frankenchrist said,
*cough* Snipped from the official chrome blog:
...you can now choose to sync your Chrome extensions as well as your Autofill data (excluding credit card numbers) through your Google Account.

Need glasses?

good catch!

Wow, first Android releases get features crippled unless you shell out an extra $20 a month and now this? Ok, Droid wifi hotspot is mostly Verizon's doing, but it is still another Google product I'm less likely to use going forward.

Lol, what a joke. Google has lost its touch, no more bringing useful and brilliant ideas, but retarded instead.

Where's the creativity? Yeah Wave's must've hurt bad.

Roboform FTW !
It even fills wlm and other non-browser apps which use passes directly in the app itself ! and the master pass is entered via a virtual keyboard, with each pass in its own private encrypted file.

giantpotato said,
1. Create website with credit card field
2. Javascript -> submit form onLoad
3. Collect credit card info.
4. ?????
5. Profit
I imagine it takes some user intervention to AutoFill.

giantpotato said,
1. Create website with credit card field
2. Javascript -> submit form onLoad
3. Collect credit card info.
4. ?????
5. Profit

One would really have to be stupid to give his Real Name (the one on the credit card) , all the credit card info on some random site...
I don't know about you guys, but the sites where i shop i must also enter the 3 last digits near my signature on the back of the card, and chrome autofill doesn't store that

Elliott said,
I imagine it takes some user intervention to AutoFill.

place input field with opacity: 0.01 and autofocus, trick the user into pressing [4] (common number for Visa and Master Card), [down arrow] and [enter] (any fake game will do the trick). Profit!

Does Chrome also have an auto-fill option with my home address, SIN number, phone number, date of bith, location of birthmarks, hair/eye colour ... ...

Conjor said,
Does Chrome also have an auto-fill option with my home address, SIN number, phone number, date of bith, location of birthmarks, hair/eye colour ... ...

No.

Conjor said,
Does Chrome also have an auto-fill option with my home address, SIN number, phone number, date of bith, location of birthmarks, hair/eye colour ... ...

All of that. And your fingerprint.

What a ridiculous feature. Even worse that it does it across all websites that ask you for credit card information... Perfect for phishers no doubt.

Critical Error said,
I use LastPass

Same here. I don't let passwords stay on my computer anymore. I think a company with good reputation that has their business model based on protecting information handles that better than myself. An obvious advantage is that I no longer share passwords anywhere, which is a security problem by itself.

I keep credit card information in 1Password. Then again, that doesn't auto-fill at any point. It just gives me the option of right-clicking the field and choosing the credit card I want to fill in.

Safari doesn't run in a sandbox though. Well, we'll see if it'll get hacked. Exciting times ahead!

I noticed this a few months ago since I'm on dev channel, and no, I didn't store my credit card details, just the other stuff.

Northgrove said,
Safari doesn't run in a sandbox though. Well, we'll see if it'll get hacked. Exciting times ahead!

I noticed this a few months ago since I'm on dev channel, and no, I didn't store my credit card details, just the other stuff.


Sandboxed or not it will still be penetrated. If people start using it regularly then it's a great opportunity for fraudsters to grab info so they'll try their hardest to get at it.

Northgrove said,
Safari doesn't run in a sandbox though. Well, we'll see if it'll get hacked. Exciting times ahead!
The sandbox wouldn't stop an attack on auto-fill information.

For instance, Safari's bug was that a script could start typing in to a hidden field and AutoFill would fill in the rest. Then the form could submit itself and grab your info. A sandbox wouldn't have stopped that.

Tom W said,

Sandboxed or not it will still be penetrated. If people start using it regularly then it's a great opportunity for fraudsters to grab info so they'll try their hardest to get at it.

It will? Google Chrome is very rarely penetrated in this fashion, especially remotely. I don't even recall a case where that has been a problem. Hackers have had numerous goes on Chrome where it would mean a lot of prestige to break into it since it's so rare. But we'll see who's right. I don't recommend storing your credit card details in Chrome, and think that is a bad feature.
For instance, Safari's bug was that a script could start typing in to a hidden field and AutoFill would fill in the rest. Then the form could submit itself and grab your info. A sandbox wouldn't have stopped that.

Assuming there's no such bug in Chrome, they'd have to rely on other things like overflow exploits to run custom code, and then a sandbox helps, since Chrome exploits kernel level features to prevent code (read: exploit code) running inside of Chrome's process from gaining access to the "outside world". But sure, IF (and only if) there's a duplicate auto-fill bug in Chrome, yes, then this can be replicated on Chrome as well.

Edited by Northgrove, Aug 11 2010, 8:08pm :

zeke009 said,
I would prefer to manually key in my credit card info on every purchase, no auto fill/remembering for this user.

Paypal FTW!!!!

zeke009 said,
I would prefer to manually key in my credit card info on every purchase, no auto fill/remembering for this user.

Google needs better Security Consultants. That, or, people with common sense. What were they thinking? Storage of credit card info even if it's encrypted on your machine is Not Prudent.

Quattrone said,

Paypal FTW!!!!

PayPal? Are you kidding? This is a company that can freeze your account and literally hold your money to ransom based on the flimsiest of complaints from people you've bought from or sold to. They're also not regulated in any way, certainly nothing as in-depth as real banks. Hardly a shining example of "secure" banking.

You only have to read websites like http://www.aboutpaypal.org to understand what PayPal are all about. Even if only a small percentage of the stories on this site are true/accurate, that's still plenty of reason to be worried about doing business with PayPal.

TCLN Ryster said,

PayPal? Are you kidding? This is a company that can freeze your account and literally hold your money to ransom based on the flimsiest of complaints from people you've bought from or sold to. They're also not regulated in any way, certainly nothing as in-depth as real banks. Hardly a shining example of "secure" banking.

You only have to read websites like http://www.aboutpaypal.org to understand what PayPal are all about. Even if only a small percentage of the stories on this site are true/accurate, that's still plenty of reason to be worried about doing business with PayPal.

+1

thenonhacker said,

Google needs better Security Consultants. That, or, people with common sense. What were they thinking? Storage of credit card info even if it's encrypted on your machine is Not Prudent.

Google wants to see yr card. No privacy.
after 1 year, they say Most of the ppl are using cc for pron