
Autofill abuse allows websites to grab sensitive user data

40 points by ladino, about 13 years ago
Several browsers leak vCards and user data through their autofill feature - I am happy about any support and comments!

7 comments

babarock, about 13 years ago
This raises another issue I have been concerned with for a while. The WWW model is broken, namely the use of JavaScript. I'm not talking about the language itself, it has been getting enough love lately as it is. Just the idea of a webserver sending me code, obfuscated code at that [1], that my browser executes by default; how did this idea prevail on the web, I wonder. Am I the only one to see the horrendous security flaw? "Come to my website, I'll distract you with my pretty pictures while my code roams freely on your computer[2]".

[1] - I know obfuscation is minification meant for minimizing bandwidth consumption. It's still obfuscated code, despite best intent.

[2] - I understand that the code execution is sandboxed inside the web browser, but really is it at all possible that, you know, these guys let the occasional security flaw slip?
joshuahedlund, about 13 years ago
Stopping autofill of hidden fields is easy and must be done.

To truly fix this bug, though, it would be nice to also stop autofill of technically "visible" fields that are tiny or under another object or otherwise obscured. But that might be orders of magnitude more difficult.
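
Added example, not part of the thread and not any browser's code: a sketch of the visibility heuristic the comment above asks for, covering hidden fields, tiny fields and fields sitting under another element. The descriptor shape, the function names and both thresholds are assumptions made for illustration.

```javascript
// Added example (not browser code). Descriptors are constructed; in a browser
// the values would come from getComputedStyle() and getBoundingClientRect().
const MIN_SIDE_PX = 8;   // assumed threshold for a "tiny" field
const MAX_COVERED = 0.5; // assumed: refuse if half the field is overlaid

// Area of the intersection of two {x, y, w, h} rectangles.
function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Returns null when the field looks visible, else the reason to skip autofill.
function skipReason(field, others) {
  if (field.type === "hidden") return "hidden-input";
  if (field.display === "none" || field.visibility === "hidden") return "css-hidden";
  const r = field.rect;
  if (r.w < MIN_SIDE_PX || r.h < MIN_SIDE_PX) return "tiny";
  // Largest fraction of the field hidden under any single element stacked above it.
  const covered = others
    .filter((o) => o.z > field.z)
    .reduce((max, o) => Math.max(max, overlapArea(r, o.rect) / (r.w * r.h)), 0);
  return covered >= MAX_COVERED ? "covered" : null;
}

function auditForm(fields, others) {
  return fields.map((f) => ({ name: f.name, skip: skipReason(f, others) }));
}

// Constructed sample: one honest field and four that the user cannot see.
const base = { type: "text", display: "block", visibility: "visible", z: 0 };
const SAMPLE_FIELDS = [
  { ...base, name: "name", rect: { x: 20, y: 40, w: 200, h: 24 } },
  { ...base, name: "email", type: "hidden", rect: { x: 0, y: 0, w: 0, h: 0 } },
  { ...base, name: "phone", display: "none", rect: { x: 0, y: 0, w: 0, h: 0 } },
  { ...base, name: "street", rect: { x: 20, y: 80, w: 1, h: 1 } },
  { ...base, name: "city", rect: { x: 20, y: 120, w: 200, h: 24 } },
];
// Constructed overlay: a banner stacked above the "city" field.
const SAMPLE_OTHERS = [{ z: 10, rect: { x: 0, y: 110, w: 400, h: 60 } }];

console.log(auditForm(SAMPLE_FIELDS, SAMPLE_OTHERS));
```

The hidden-input and CSS checks are one comparison each, while the "covered" check already needs geometry, stacking order and an arbitrary cut-off, which is the difficulty the comment points at.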
rmoriz, about 13 years ago
Well, at least it requires explicit user action.

If I enter my real name somewhere, I'm probably fine with providing my phone and post address, too. When in doubt I use a fake identity.

What about Chrome's credit card autofill?
andrewjshults, about 13 years ago
Same problem happens with LastPass (which at least requires you to click the fill form button, rather than auto populating the fields).
ilmare, about 13 years ago
One workaround for this in Chrome is to remove name/email values from the address auto-fill form, so it will only populate when you actually enter an address. And it's generally a good idea to separate general browsing from personal/finance/etc. using user profiles.
k33n, about 13 years ago
Using Chrome 18.0.1025.151 and it doesn't seem to be susceptible to this.
ArekDymalski, about 13 years ago
Nice find - you've noticed an important threat. However, on my Chrome (despite having autofill switched on) your demo doesn't work.