> One possible exploit I can think of would be to put up a form that doesn't have an visible credit card fields, but somehow convincing the autofill code to fill it in anyhow.
Since the system provides a preview of exactly what is being sent and its designed to be used with completely hidden forms to start with, this isn't an exploit.
Since the system provides a preview of exactly what is being sent and its designed to be used with completely hidden forms to start with, this isn't an exploit.