
Autocomplete by other browsers works by remembering things you entered in forms previously (maybe restricted to domain?). One distinction is that you already decided you wanted to expose that information.

The most important distinction, though, is that you still have to select to fill that out manually.

Of course logins are another story - those are automatically filled in. But those are restricted to the page you already entered them on, and you have to decide you want that information filled explicitly.



Couldn't you still use a variation of this hack to steal the info from Firefox?

Steps:

1. Go to a popular site that makes one fill out the information you want to steal.

2. Record the name they use for all their fields (afaik this is how FF determines what value to supply)

3. Use the hack to make a form with those fields

4. Profit

On step 3, it may be that you have to enter the field and type something to get the auto-complete to kick in, but that's easy: you only need to try 26 letters and 10 numbers to get a hit.


Autocomplete is activated by user interaction, not JavaScript events. The only way to trigger this would be a phishing attack, where you tricked the user into entering their information in... but in that case, you're not really benefiting from autocomplete because they would have given it to you anyway.


Yup. Also worth noting is that this is a proof of concept; a real attack would likely use non-visible form fields and background automatic data transmission. I think most people would agree that there's a world of difference between a phishing attack and an automated drive-by attack.


Step 3.5: Get the user to activate auto-complete (start typing, or just arrow-down) and select an item from the list on each field.


If you're right, the test page should work in FF. You could try it.

Step 1 and 2 aren't required - the field names are 'standard'.

Step 3 is what the test page does already.

Edit: It looks like the JavaScript used to generate keypresses isn't supported by Firefox:

https://developer.mozilla.org/en/DOM/document.createEvent

    var event = document.createEvent('TextEvent');
    event.initTextEvent('textInput', true, true, null, char);

    input.value = "";
    input.selectionStart = 0;
    input.selectionEnd = 0;
    input.focus();
    input.dispatchEvent(event);



