"the website uses JavaScript to surreptitiously open a separate website of the attacker's choice and recover site content rendered in a pop-up window. The researchers have successfully leveraged iLeakage to recover YouTube viewing history, the content of a Gmail inbox -- when a target is logged in -- and a password as it's being autofilled by a credential manager."
2