I can say I did not know about it until now!
All it took was faking your “Find” box. The box that comes up when you hit Ctrl+F or Apple+F on a browser.
How It Works
Though there is somewhat good news. This has only been done in proof of concept.
That is to say it was only demonstrated that it is possible as opposed to it actually happening.
However if it can be done as a proof of concept then who’s to say if you got told, “Your password may be listed on this site with a giant list of passwords?” At which point you panic, go to the site and do a Find for your password.
So what’s a person to do if not even their Find box is safe from having their password stolen? Well there’s the obvious don’t go to websites that seem suspicious.
But don’t use the Find box on your browser? I think I’d be asking for a bit much there.
Most of this problem falls on web browser developers to acknowledge this will be an issue at some point and change things on the browser itself. What they do and when, however is entirely up to them.
For now the only advice I can offer is be careful if you are told your password has been leaked and is listed on a website. If it happens, don’t go. It’s a trap.