Artifact Appendix for our paper: Leaky Autofill: An Empirical Study on the Privacy Threat of Password Managers' Autofill Functionality
Description
In our paper, we develop a semi-automated tool to test the autofill functionality of password managers (PMs). It simulates user interactions by triggering a PM's autofill functionality, filling data into web forms, and recording the filled results (i.e., whether PM-stored data is filled into forms), which reduces human effort. In our work, we use this tool to examine whether PMs (24 separately installed PMs and six built-in-browser PMs) fill sensitive data into hidden fields concealed using 15 techniques (e.g., CSS properties). The main results are presented in Tables 2 and 3 in our paper.

Our artifact provides the source code of our semi-automated tool, the testing websites, and the 24 password manager extensions for the Chrome browser used in our experiments.

Our testing process requires testers to register accounts with the password manager (PM) and import relevant test data into the PM (e.g., credentials for test websites, credit card information, and personal information). Some PMs require two-step authentication or risk-based authentication upon login. Some tasks are also challenging to fully automate (e.g., clicking the PM icon on the address bar to trigger the autofill functionality), and we have allocated time for these manual operations. Our entire testing process is estimated to take approximately 16 hours to produce the results in Tables 2 and 3 in our paper.

To facilitate the usage of our artifact, we have prepared a virtual machine image (https://zenodo.org/records/) using VirtualBox with the necessary components. We also provide prepared PM accounts and imported data for three PMs to execute the artifact. Our artifact is publicly available at https://zenodo.org/records/ and https://github.com/Leaky-Autofill/LeakyAutofill-Artifact with detailed documents.

- `leakyautofill.ova` is a virtual machine image built by VirtualBox.
- `Artifacts-ExtensionsAndDrivers.zip` is the archive of tested extensions and used webdrivers.
- `leakyauofill-code.zip` is the source code of our semi-automated tools and tested websites.
Files
Artifacts-ExtensionsAndDrivers.zip
Additional details
Related works
- Is supplement to
- https://github.com/Leaky-Autofill/LeakyAutofill-Artifact (URL)