I recently found out that FF and Chrome fill in saved passwords in hidden fields. Although I understand that this will only be done on a 'trusted' domain, I regard this as a vulnerability. Besides that, it breaks web applications that use hide password fields for other uses.
How is it possible that I can't find any specific info about this, except for a Wordpress ticket asking for a workaround?
https://core.trac.wordpress.org/ticket/33699