Why Chrome’s autocomplete is insecure and how you can turn it off
Quincy Larson

For anyone asking if their (other password / autofill manager) is vulnerable, I’ve created an easy-to-use test that shows an alert to the user with the values the form captured:

https://rawgit.com/toddmedema/4a419893668957a61a5b63ccad33f989/raw/b44992ef6a424ffe952c3fc029e6684419b488fb/injection.html

And, so that you know I’m not doing any funny business, here’s the source code: https://gist.github.com/toddmedema/4a419893668957a61a5b63ccad33f989