The attack works when victims use autofill while filling out registration forms: attackers hide sensitive fields such as street address, date of birth, and phone number, and display only basic entry boxes such as name and email.

Users who type the start of their names trigger a prompt that, when selected, offers to fill in their complete details. If it is clicked on a phishing site of the kind Kuosmanen describes, the user’s sensitive information is entered into boxes the user cannot see.
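
One way a defender could audit a form for this pattern, as an added example that is not from the original article or from Kuosmanen. The field descriptors are constructed sample data standing in for the attributes, computed style and bounding box a content script or crawler would read from the page; the function names and the choice of sensitive tokens are assumptions.

```javascript
// Tokens are standard HTML autocomplete values; which ones count as
// sensitive is an assumption taken from the fields the article names.
const SENSITIVE = new Set(["street-address", "bday", "tel"]);

// Returns why a field is invisible to the user, or null if it is visible.
// Heuristic only: clipping and covering overlays are not checked.
function concealment({ style, rect }) {
  if (style.display === "none") return "display:none";
  if (style.visibility === "hidden") return "visibility:hidden";
  if (Number(style.opacity) === 0) return "opacity:0";
  if (rect.width === 0 || rect.height === 0) return "zero size";
  if (rect.left + rect.width <= 0 || rect.top + rect.height <= 0) return "off-screen";
  return null;
}

function auditForm(fields) {
  const visible = [];
  const findings = [];
  for (const f of fields) {
    const reason = concealment(f);
    if (reason === null) { visible.push(f.name); continue; }
    // autocomplete can carry several tokens, e.g. "shipping tel"
    const tokens = (f.autocomplete || "").toLowerCase().split(/\s+/);
    const token = tokens.find((t) => SENSITIVE.has(t));
    if (token) findings.push({ field: f.name, token, reason });
  }
  // Suspicious: the user sees a short form while sensitive fields are concealed.
  return { visible, findings, suspicious: visible.length > 0 && findings.length > 0 };
}

// Constructed descriptor builder; defaults describe an ordinary visible input.
function field(name, autocomplete, style = {}, rect = {}) {
  return {
    name, autocomplete,
    style: { display: "block", visibility: "visible", opacity: "1", ...style },
    rect: { left: 20, top: 40, width: 200, height: 24, ...rect },
  };
}

// Constructed sample matching the form described above.
const SAMPLE_FORM = [
  field("name", "name"),
  field("email", "email"),
  field("address", "street-address", {}, { left: -600 }),
  field("dob", "bday", { opacity: "0" }),
  field("phone", "shipping tel", {}, { width: 0, height: 0 }),
];
console.log(auditForm(SAMPLE_FORM));
```

A form whose sensitive fields are all visible produces no findings, so the check separates an ordinary long registration form from one that conceals what autofill will populate.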

Source: Autocomplete a novel phishing hole for Chrome, Safari crims