I had never really thought too much about how LastPass autofills passwords on Chrome for Android, but I found out something a little interesting today.

There was something that always bugged me about pre-filling passwords in Chrome for Android that never seemed to occur when pre-filling in native apps; I'd always see my recent searches briefly pop-up underneath the LastPass overlay:

Search history showing up under the LastPass overlay

It got me thinking… if LastPass is causing my search history to appear, is it putting focus in the address bar? If so, why?

I then realised why you're asked to "Touch Go or ↵" to autofill: LastPass is loading JavaScript in the address bar, hiding it with the overlay, and essentially getting you to run the snippet by pressing Go/↵.

I was able to get my browser into a bit of a funny state, such that the address bar was full of forward slashes:

Address bar in Chrome for Android showing all forward slashes

That seems suspicious. I was able to copy/paste it elsewhere and take a peek.

Sure enough, it's JavaScript searching the DOM for appropriate fields to populate with credentials! Interestingly, it's not hard-coding any field IDs, selectors, or anything that would prevent the form fill from working even if the site owners completely changed their site layout. Neat! I guess the stacks of trailing slashes were meant to make the address bar look innocuous enough, should someone manage to get their browser to this state, that it would be ignored.
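To make the mechanism concrete, here is an added example (my own code, not LastPass's, which the post deliberately withholds) that does by machine what the post describes doing by hand: build a `javascript:` URL padded with trailing slashes, then take the text sitting in the address bar, recognise that it is a script rather than a web address, strip the padding, percent-decode it and report what would run on pressing Go. The fill snippet is a constructed stand-in that only focuses the password field.

```javascript
// Added example: inspect address-bar text the way the post describes doing by hand.
// FILL_SNIPPET is a constructed stand-in, not LastPass's actual autofill code.
const FILL_SNIPPET =
  "(function(){var p=document.querySelector('input[type=password]');" +
  "if(p){p.focus();}})();";

// Build a javascript: URL and pad it with trailing slashes, so that a narrow
// address bar shows mostly slashes (the state the post describes). The code is
// percent-encoded, so any "/" inside it becomes "%2F" and cannot be confused
// with the padding.
function buildPaddedJsUrl(code, padLength) {
  return "javascript:" + encodeURIComponent(code) + "/".repeat(padLength);
}

// Describe what an address-bar string actually is: an ordinary URL, or a
// script that the browser would execute in the current page's origin.
function inspectAddressBar(text) {
  const trimmed = text.trim();
  const scheme = trimmed.split(":", 1)[0].toLowerCase();
  if (scheme !== "javascript") {
    return { isScript: false, scheme, code: null, paddingLength: 0 };
  }
  const body = trimmed.slice("javascript:".length);
  const padding = body.match(/\/*$/)[0]; // run of trailing slashes (may be empty)
  const encoded = body.slice(0, body.length - padding.length);
  let code;
  try {
    code = decodeURIComponent(encoded);
  } catch (e) {
    code = encoded; // malformed percent-encoding: report the raw text instead
  }
  return { isScript: true, scheme, code, paddingLength: padding.length };
}

// Stand-alone demonstration: what a reader copying the address bar would see.
const paddedUrl = buildPaddedJsUrl(FILL_SNIPPET, 200);
console.log(paddedUrl.slice(-40));               // ...////////////////////////////////////////
console.log(inspectAddressBar(paddedUrl));       // isScript: true, code: FILL_SNIPPET
console.log(inspectAddressBar("https://example.com/////")); // isScript: false
```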

I won't post the code. While it doesn't seem to contain anything overly secretive, it's still probably not something LastPass want readily available. Of course "readily available" probably isn't overly accurate on a site that gets about 2 visits per day ☺ (or rather, ☹).