A bug that tricks the secure password management tool into revealing your Twitter password to a website that is not Twitter! That's a pretty major security vulnerability due to a bug in URL parsing.
Yes, but some JavaScript can detect that the text field has been filled, and then send the information back to the attacker's server. An (innocent) example of this is when you type something into Google's search field, and you already see suggestions, even though you haven't clicked anywhere or hit Enter yet.