Are they disabling the submit button for a second or two after showing it? Otherwise you can trick the user into clicking where the submit button is going to appear and then trigger the autocomplete.
One possible exploit I can think of would be to put up a form that doesn't have any visible credit card fields, but somehow convincing the autofill code to fill it in anyhow. The user thinks they are just autofilling their email, but in hidden fields they are populating their credit card info. It would be easy to not fill in <input type="hidden"> fields, but field inputs that are more literally hidden (off the top of the screen, obscured by other elements, white-on-white text and elements, etc.) are a harder problem. I could see a user clicking through the popup without noticing the popup mentions more info than they realize, because the user is expecting it already and doesn't carefully examine it.
That will have to be addressed by the Chrome permissions dialog ... Agreed though, I think it would be wise to make the user type in their CVC or something before transmitting the payment info.
> One possible exploit I can think of would be to put up a form that doesn't have any visible credit card fields, but somehow convincing the autofill code to fill it in anyhow.
Since the system provides a preview of exactly what is being sent and it's designed to be used with completely hidden forms to start with, this isn't an exploit.
Speculation: it will be as bad as the Windows Vista UAC dialog. People will just click Yes to get things moving. Permission prompts are not new, except this time they risk losing their credit card information instead of minor things like leaking their geolocation.