UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Steps to reproduce the problem:
This is a weird one, so bear with me.

Imagine an online game that involves significant amounts of clicking in quick succession, not an infrequent design.  What this exploit does is drop a form field underneath the mouse, using a input field name where a user might commonly have autocomplete data cached (email, q for google queries, etc.)  Once the mouse down is received, it moves the input field upward and the autocomplete fields move upward with it.  This triggers the onchange method, which could easily steal/store the result and destroy the form field.  This could be repeated any number of times, moving the form field upward differing amounts to steal multiple values stored in the autocomplete cache.

1. Ensure that you have an email address in the "email" autocomplete field†
2. Open autocomplete-poc.html and click the button a number of times in quick succession, as it says
3. After a handful of clicks, it should display the email address stolen from the autocomplete field

† If you don't currently have one, you can go to mozilla.org, scroll to the bottom, and put in a fake email address (or your own) into the newsletter signup field

What is the expected behavior?
input fields should lock out autocomplete if underlying input tag moves, since that can easily cause the autocomplete values to be placed directly underneath the user's cursor.  Alternatively, the autocomplete values could be locked into a fixed position upon the input field receiving focus so that even if field moves, the autocomplete values won't lie underneath a user's cursor.

What went wrong?
Chrome moves the values contained inside the autocomplete upward, leaving them directly under a user's cursor.  It still requires (any amount of ) mouse movement and an additional mousedown, but it is otherwise easily exploited with only minor (and hard to observe) graphical glitches.

There are probably ways to significant improve the quality of the exploit, but I can only devote so many hours to its implementation.  ;)

Did this work before? N/A 

Chrome version: 54.0.2840.71  Channel: stable
OS Version: OS X 10.12.1
Flash Version: Shockwave Flash 23.0 r0

Please note that this is a problem in Firefox as well, and there should be an attendant BMO bug for it, so please let me know before clearing the security flags.

Thanks!
 

Deleted: autocomplete-poc.html 2.2 KB

autocomplete-poc.html 2.2 KB View Download