Currently (I have only tested for PayPal Direct), the autocomplete features built into most browsers could allow users of the same computer to retrieve each other's credit card / sensitive information (if the same computer login account was used), e.g.

1. User 1 logs onto the computer and navigates to the nopCommerce site.
2. User 1 adds an item to his shopping cart and then clicks to proceed to checkout - he is redirected to the login page.
3. Once logged in, he takes the Credit Card payment option and makes a purchase. He logs out of the site.

4. User 2 goes to the computer and navigates to the same site.
5. User 2 adds some things to his cart and, after logging in, goes to complete a transaction (taking the credit card payment method).
6. User 2 double-clicks the Cardholder Name, Card Number and Card Code fields and, due to autocomplete, can see User 1's card details.
7. User 2 could then (potentially) make a purchase using User 1's card.

Patch below:

--------------------------------------------------------------------------------------------------------------

Changed: Templates/Payment/PayPalDirect.ascx (and any other payment templates that take confidential information)

For all textboxes used for confidential information, set the AutoCompleteType property to Disabled (ASP.NET renders this as autocomplete="off" on the HTML input), e.g.:

<asp:TextBox ID="creditCardNumber" runat="server" Width="165px" MaxLength="16" AutoCompleteType="Disabled"></asp:TextBox>

Reason:

If more than one user shares the same computer, they can use the existing user's card information through the AutoComplete features built into most browsers.

Therefore, at a minimum, the following textboxes should have autocomplete disabled:

Cardholder Name
Card Number
Card Code (cvc)

The same should probably be done for the E-mail address textbox on the Login page, so a later user is not shown the previous user's e-mail address.
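To make sure the fix stays in place across template changes, the rendered checkout and login pages can be scanned for sensitive inputs that would still be offered to the browser's autocomplete. The following is an added example, not nopCommerce code: it parses rendered form HTML with plain regular expressions (so it runs under Node without a DOM library) and reports any cardholder name, card number, card code or e-mail input whose autocomplete attribute is not "off", which is what AutoCompleteType="Disabled" produces. The field id patterns and the sample HTML below are constructed for this example; the real rendered ids in nopCommerce will differ and the patterns should be adjusted to match the actual templates.

```javascript
// Added example (not nopCommerce code): regression check that flags sensitive
// form inputs which the browser would still autocomplete.

// Assumed id/name patterns for the fields the post says must not be
// autocompleted. Adjust to the real template's ids.
const SENSITIVE_FIELD_PATTERNS = [
  /cardholder/i,           // Cardholder Name
  /creditcardnumber|cardnumber/i, // Card Number
  /cardcode|cvc|cvv/i,     // Card Code (cvc)
  /email/i,                // E-mail address on Login
];

// Extract every <input ...> tag and its attributes. Attribute values may be
// double-quoted, single-quoted or unquoted; bare attributes are ignored.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
      attrs[a[1].toLowerCase()] = value;
    }
    inputs.push(attrs);
  }
  return inputs;
}

function isSensitive(attrs) {
  const key = `${attrs.id || ''} ${attrs.name || ''}`;
  return SENSITIVE_FIELD_PATTERNS.some((re) => re.test(key));
}

// Returns the id (or name) of each visible sensitive input that lacks
// autocomplete="off". Hidden fields (e.g. __VIEWSTATE) are not user-typed
// and are skipped.
function findAutocompleteLeaks(html) {
  return parseInputs(html)
    .filter((attrs) => (attrs.type || 'text').toLowerCase() !== 'hidden')
    .filter(isSensitive)
    .filter((attrs) => (attrs.autocomplete || '').trim().toLowerCase() !== 'off')
    .map((attrs) => attrs.id || attrs.name);
}

// Constructed sample output resembling what ASP.NET Web Forms renders for the
// payment template before the patch (no autocomplete attribute at all).
const CHECKOUT_BEFORE = `
<form method="post" action="Checkout.aspx">
<input name="ctl00$cph1$cardholderName" type="text" id="ctl00_cph1_cardholderName" style="width:165px;" />
<input name="ctl00$cph1$creditCardNumber" type="text" maxlength="16" id="ctl00_cph1_creditCardNumber" style="width:165px;" />
<input name="ctl00$cph1$cardCode" type="text" maxlength="4" id="ctl00_cph1_cardCode" style="width:60px;" />
<input name="ctl00$cph1$billingZip" type="text" id="ctl00_cph1_billingZip" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="AAAA" />
<input type="submit" name="ctl00$cph1$btnPay" value="Pay" id="ctl00_cph1_btnPay" />
</form>`;

// The same page after AutoCompleteType="Disabled" on the three card fields.
const CHECKOUT_AFTER = CHECKOUT_BEFORE
  .replace('id="ctl00_cph1_cardholderName"', 'id="ctl00_cph1_cardholderName" autocomplete="off"')
  .replace('id="ctl00_cph1_creditCardNumber"', 'id="ctl00_cph1_creditCardNumber" autocomplete="off"')
  .replace('id="ctl00_cph1_cardCode"', 'id="ctl00_cph1_cardCode" autocomplete="off"');

// Constructed login page with the e-mail field still autocompleted.
const LOGIN_BEFORE = `
<form method="post" action="Login.aspx">
<input name="ctl00$cph1$email" type="text" id="ctl00_cph1_email" />
<input name="ctl00$cph1$password" type="password" id="ctl00_cph1_password" />
<input type="submit" name="ctl00$cph1$btnLogin" value="Login" id="ctl00_cph1_btnLogin" />
</form>`;

console.log('checkout before patch:', findAutocompleteLeaks(CHECKOUT_BEFORE));
console.log('checkout after patch :', findAutocompleteLeaks(CHECKOUT_AFTER));
console.log('login before patch   :', findAutocompleteLeaks(LOGIN_BEFORE));
```

Run it against the HTML a browser actually receives (view source or a saved response), not the .ascx template, since the check is on what the browser sees. Two caveats: autocomplete="off" is only a hint, and modern browsers may ignore it for some fields (login and password fields in particular), so this is a mitigation rather than a guarantee; and it does nothing for values a browser has already stored from earlier submissions, which a shared account's users would need to clear manually.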

--------------------------------------------------------------------------------------------------------------