Security and Privacy Considerations
Attacks that the Web Payments API is susceptible to:
Motivation: Attacker wants to learn the victim's location or spending behavior.
Attack Vector: Browser extension or compromised JavaScript code.
Attacker installs code that listens for PaymentRequestUpdateEvent (for example on shippingaddresschange) and reports the PaymentDetails it sees (line items, totals, shipping options) to the attacker's website.
No known password sniffing attacks.
No known cryptographic attacks other than capturing HTTPS traffic and attempting to break it by brute force.
Motivation: MitM wants to harm the merchant by replaying previously processed PaymentResponses.
Attack Vector: Browser extension or compromised JavaScript code.
Attacker installs code that stores previous Basic Card payment responses (via localStorage) and replays them against the merchant.
Motivation: MitM wants to mine victim data by requesting fields that the merchant does not need.
Attack Vector: Browser extension or compromised JavaScript code.
Attacker installs code that modifies the PaymentOptions to request information the merchant does not need (for example payer name, email, phone or shipping address) and then reports it back to the attacker's servers.
Motivation: MitM wants to reprioritize the acceptable payment methods.
Attack Vector: Browser extension or compromised JavaScript code.
Attacker installs code that modifies the list of acceptable payment methods before it is passed to the mediator (the user agent).
Motivation: MitM wants to harm the merchant by modifying the price charged by the merchant.
Attack Vector: Browser extension or compromised JavaScript code.
Attacker installs code that modifies the total amount displayed to the user and then modifies the amount before it is sent to the mediator (the user agent).