In an earlier email, I posited a browser extension that created an invisible password field and induced the user to click on it. As Kevin and Jas both pointed out, such a malicious extension could steal passwords far more easily.
I remembered a couple of papers that described such attacks, but I couldn't find them at the time. I just spent the morning looking for them and found one,
It's mostly about autofill vulnerabilities, but it contains the following paragraph:
We created a simple “clickjacking” attack [23, 38, 25]. The attacker presents the user with a benign form seemingly unrelated to the target site. Overlaying the benign form is an invisible iFrame pointing to the target site’s login page. The iFrame is positioned such that when a user interacts with the benign form, they actually interact with the invisible iFrame — in this case, when the user thinks they are filling a form on a benign site, they are actually filling the password in the target site. Once filled, any of the exfiltration techniques described previously can be used to steal the password. This attack steals a password for one site at a time, but could be repeated to steal passwords for multiple sites.
From that analysis, I conclude that I can use "click to fill" only on visible password fields. "Paste to fill" should be okay on the rest. That's unfortunate, due to the difficulty of deciding if a DOM element is visible.
--------------
Alan Karp
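Added example, not part of Alan's message or the paper he quotes: one conservative version of the "is this password field visible?" check that a click-to-fill extension would run from its content script before it honours a click. The function name isSafeToClickFill, the opacity and size thresholds, and the stub DOM it is exercised against (built inline so it runs under Node without a browser) are all this example's own assumptions; in a real extension the same function would be given the live element and window. The first test is the one the quoted attack turns on: a content script running inside the target site's login page cannot see the opacity or position of the iframe that contains it, because those belong to the attacker's parent document, so a framed login page is refused outright rather than reasoned about.

```javascript
// Added example (not from the original email or the cited paper): a conservative
// "safe to click-to-fill?" check for a password field, as a browser-extension
// content script might run it, exercised here against a hand-built stub DOM.
// isSafeToClickFill, buildScenario, the thresholds and the stub are all assumptions.

const MIN_OPACITY = 0.9;  // assumption: anything more transparent is treated as hidden
const MIN_SIZE_PX = 8;    // assumption: anything smaller is treated as hidden

function isSafeToClickFill(el, win) {
  // 1. Framed pages are never safe. If the login page sits inside an iframe, that
  //    iframe's opacity and position live in the parent document, which a
  //    cross-origin content script cannot inspect. That is exactly the
  //    clickjacking shape quoted above, so refuse instead of guessing.
  if (win.top !== win.self) return false;

  // 2. Walk the field and its ancestors: display:none, visibility:hidden or low
  //    opacity anywhere up the chain hides the field even if its own style is clean.
  for (let node = el; node && node.nodeType === 1; node = node.parentElement) {
    const cs = win.getComputedStyle(node);
    if (cs.display === 'none' || cs.visibility === 'hidden') return false;
    if (parseFloat(cs.opacity) < MIN_OPACITY) return false;
  }

  // 3. Geometry: the field must have real size and lie inside the viewport.
  const r = el.getBoundingClientRect();
  if (r.width < MIN_SIZE_PX || r.height < MIN_SIZE_PX) return false;
  if (r.right <= 0 || r.bottom <= 0 ||
      r.left >= win.innerWidth || r.top >= win.innerHeight) return false;

  // 4. Hit test: whatever is drawn at the field's centre must be the field itself;
  //    anything else means an overlay or a later sibling covers it.
  const hit = el.ownerDocument.elementFromPoint(r.left + r.width / 2,
                                                r.top + r.height / 2);
  return hit === el;
}

// --- Stub DOM, constructed for this example only (a real content script would
//     pass the live element and window). Each call builds one scenario. ---
function buildScenario({ framed = false, bodyStyle = {}, fieldStyle = {},
                         rect, covered = false }) {
  const defaults = { display: 'block', visibility: 'visible', opacity: '1' };
  const doc = {};
  const body = { nodeType: 1, parentElement: null, ownerDocument: doc,
                 _style: { ...defaults, ...bodyStyle } };
  const field = { nodeType: 1, parentElement: body, ownerDocument: doc,
                  _style: { ...defaults, ...fieldStyle },
                  getBoundingClientRect: () => rect };
  const overlay = { nodeType: 1 };                    // stands in for a covering element
  doc.elementFromPoint = () => (covered ? overlay : field);
  const win = { innerWidth: 1280, innerHeight: 800,
                getComputedStyle: (node) => node._style };
  win.self = win;
  win.top = framed ? { notThisWindow: true } : win;   // a different object when framed
  return { field, win };
}

function check(opts) {
  const { field, win } = buildScenario(opts);
  return isSafeToClickFill(field, win);
}

// Constructed scenarios: an ordinary on-screen field versus the ways it can be hidden.
const VISIBLE = { left: 100, top: 100, width: 200, height: 30, right: 300, bottom: 130 };
const results = {
  plainLoginPage:   check({ rect: VISIBLE }),
  framedTarget:     check({ rect: VISIBLE, framed: true }),
  hiddenByAncestor: check({ rect: VISIBLE, bodyStyle: { opacity: '0' } }),
  zeroSize:         check({ rect: { left: 100, top: 100, width: 0, height: 0, right: 100, bottom: 100 } }),
  offscreen:        check({ rect: { left: -500, top: 100, width: 200, height: 30, right: -300, bottom: 130 } }),
  coveredByOverlay: check({ rect: VISIBLE, covered: true }),
};
console.log(results);
```

Only the plain login page passes; every other scenario is refused, and the framed case is refused before any style is even read. Note what the check cannot do: an opaque, full-size, unframed field that the user is tricked into clicking by surrounding benign-looking content is still "visible" by every one of these tests, which is why the conclusion above limits click-to-fill rather than claiming a visibility test makes it safe.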