I have not read yet, but my guess is they are taking all HTTP requests from the page and looking for their dummy username/password and replacing that. Not every login form (though we would like it) is in a form tag w/ an explicit action. Some SPA's will do an AJAX post of JSON w/ the credentials embedded (which is bad practice, but happens).
Actually, the more I think about it, I don't think I want this extension to do that...how does it know how long between when the fake fields are entered and when I press submit? Now I am going to read the paper...
Edit: Yup, the extension intercepts all network traffic even before you click submit. If you, e.g., hash on the client side this password manager will break. If you never click submit, this extension will continue to read all HTTP bytes from the page going back to the server it seems, looking for some strings...not sure the perf implications of this.
Not bad practice from a security perspective per se, just annoying to users that don't want JS, or like the non-password fields to support their browser's features like autocomplete, etc. Granted if it's a SPA, some of that usability shop has sailed. And while any AJAX post is secure normally, many JS implemented login solutions open themselves up to CSRF and other problems.
Actually, the more I think about it, I don't think I want this extension to do that...how does it know how long between when the fake fields are entered and when I press submit? Now I am going to read the paper...
Edit: Yup, the extension intercepts all network traffic even before you click submit. If you, e.g., hash on the client side this password manager will break. If you never click submit, this extension will continue to read all HTTP bytes from the page going back to the server it seems, looking for some strings...not sure the perf implications of this.