There is a possible way for a general purpose NFC reader to read the full card number and expiry details when the device is in locked screen mode due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Google has calculated a high severity for this vulnerability.



Someone should clarify if this
Contactless payments use the EMV protocol. Leaking the cc number is bad, but happens all the time. An actual payment authorisation replaces both PIN and signature. The victim’s bank will argue that the victim authorised the transaction at the POS.
From what I’ve seen here, the vulnerability exposes card number and expiration details. I don’t know enough about NFC payment authorization to confidently confirm, but I’m not sure what other information would constitute an authorization.
From @[email protected]: