Description of the issue:
When checking out at acurapartswarehouse.com, I clicked into the field to key in my credit card number. Unexpectedly, Brave presented two autofill choices: a full 16-digit card number and the card again in the form ***1234. I have previously declined to save credit cards when prompted and find none stored in Settings.
I found I could disable this autofill prompt by switching off “save and fill addresses”.
I thought perhaps it was tied to just one saved address, so I deleted all of them and turned the “save and fill” on again. With no addresses listed, the credit card options still appeared.
I thought perhaps it was tied to a cookie for the site, so I removed all of them and the problem remains.
When I use the inspect option I see that the field tag contains:
When I search the Brave folder for my card number, I find it located in “Web Data” as cleartext prefixed with cardNumber.
How can this issue be reproduced?
This is a guess:
- Enter a credit card number into a field named cardNumber. Brave will store the entry in Web Data.
- Visit another site, such as acurapartswarehouse.com, and click into a field also named cardNumber.
- Brave should prompt to autofill the stored card number.
Brave should not store 16-digit numbers from fields with names such as cardNumber, CreditCard, etc., except through its explicit credit card storage option.
Brave Version( check
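
The check described in the report (searching Web Data for a card number saved under a field name such as cardNumber) can be generalized to an audit for any card-like value in form history. This is an added example, not part of the original post or Brave's code; it assumes Web Data is an SQLite database with a Chromium-style `autofill(name, value)` table, and the sample rows are constructed test values.

```python
import re
import sqlite3


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_like_entries(conn):
    """Return (field_name, masked_value) for form-history values that look like cards."""
    hits = []
    rows = conn.execute("SELECT name, value FROM autofill ORDER BY rowid")
    for name, value in rows:
        digits = re.sub(r"[ -]", "", value or "")   # tolerate spaces and dashes
        if re.fullmatch(r"\d{13,19}", digits) and luhn_ok(digits):
            # Report only the last four digits so the audit output is not itself a leak.
            hits.append((name, "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def build_sample_db():
    """Constructed sample rows (assumed table layout); card values are public test numbers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE autofill (name TEXT, value TEXT)")
    conn.executemany("INSERT INTO autofill VALUES (?, ?)", [
        ("cardNumber", "4111 1111 1111 1111"),
        ("email", "user@example.com"),
        ("orderId", "1234567890123456"),      # 16 digits but fails Luhn
        ("CreditCard", "5500-0000-0000-0004"),
    ])
    return conn


if __name__ == "__main__":
    # To audit a real profile, close the browser and open a copy of the file read-only:
    # conn = sqlite3.connect("file:/path/to/copy/Web Data?mode=ro", uri=True)
    for name, masked in find_card_like_entries(build_sample_db()):
        print(f"{name}: {masked}")
```

Any hit means a card number was captured as ordinary form history rather than through the browser's card storage; clearing autofill form data removes those rows.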