Rsnake has an interesting blog entry (yes it's a few days old, I don't read it daily, so whatever) regarding utilizing XSS to steal auto form fill values.
"Some (not all) automated input automation tools do so blindly. That is, they don't ask for user input when they input data. In fact they don't really do much validation at all, except the names of the common form fields. So what does the attacker do? They create a form submission inside their XSS script with all the common field names that they are interested in. Once the automated input box enters all that information it captures it and logs it." - RSnake
For those of you who haven't checked out his blog and are interested in web security, and blackhat SEO I advise you do.