Re: [w3c/webpayments-payment-apps-api] Payment app identifier to manifest filename mapping (#48)

@adamroach,

> Keeping that in mind, describe a scenario that the proposed "Recommended Payment" functionality enables that isn't currently possible. Start with the user clicking on "buy," and describe the steps that take place up to the point that money leaves that user's possession and enters the hands of someone they did not desire to pay.

1. User clicks "buy" on merchant.com.
2. merchant.com includes a list of recommended payment apps via URLs that may be dereferenced to get a title and icon (and whatever else) for each app. One app is from "evil.com" (**why would the merchant do this? ...more on that later**).
3. The browser displays the title and icon to the user and a URL for installing the payment app. Note: the browser treats these bits as opaque and simply shows whatever the app origin serves to the user. The evil.com app shows "PayPal" with a PayPal icon.
4. The user clicks an install link for what they believe to be PayPal and installs the evil.com app.
5. The user chooses evil.com's fake PayPal app to pay.
6. The user enters their payment credentials into evil.com.
7. evil.com steals their money.

Now, getting back to that original question: "Why would the merchant recommend a payment app that would steal the user's money?" This seems like a silly thing to do, especially because now the merchant will never get that money. However, if "there's no present day incentive for this attack" is the reasoning for deviating from the existing browser security model, I don't think it's a strong argument.

For example, imagine a future where:

1. The PaymentRequest API is virtually ubiquitous. People only pay using it; they don't trust websites that don't use it.
2. People begin to trust their payment apps to help them avoid shopping on fraudulent merchant websites.
3. In order for someone to set up a successful evil-merchant.com, they have to get a user to install a payment app.
4. If evil-merchant.com can recommend a fake PayPal app (i.e. get the browser to display "PayPal" themed visuals in a way that the user thinks they are trusting the browser, not the site), then the user may install it and get robbed.
-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-payment-apps-api/issues/48#issuecomment-274643525

Received on Monday, 23 January 2017 22:51:54 UTC