Forum Discussion
Autofill now immediately submits (enters) (feature becomes bug)
Hi, just like to report pretty much the same experience, with the added bonus that because the submission is happening on pages that require captcha (especially hCaptcha and reCaptchaV2), it's creating a doomloop of captcha problems. I'm already for whatever reason bad at solving captchas and this is making logins a complete nightmare. Once you get into the captcha doomloop, at least on the same device, even the workaround of completing the captcha first and then filling in the details doesn't stop the massive amount of captchas I now have to fill. I don't know how long this persists but even a typical Google search requires (as I counted) up to 9 separate captchas before it would go through. To avoid all that, I've temporarily switched browsers and am using an SSH tunnel to a completely different IP which, because it's an IP on a server I'm renting for something else, still tends to trigger captchas, but at a far lesser rate than my normal home connection, ironically.
I've isolated it to the autosubmission because I managed to get banned from a site that has such a login feature and when I emailed to ask, the response was that I had a lot of failed logins sent without a captcha response. I've been unbanned thanks to the email exchange, but this is not really a sustainable solution for every site that has a setup like this. From the server side it would look a lot like a clumsy credential stuffing attack and not every site has responsive operators - some would straight up ban the IP and/or account for a time period. On eCommerce sites that operate on a "drops"-like queue system to prevent bots it would more or less prevent me from ordering the item because this is effectively mimicking some poorly programmed browser automation behavior. I realize that front-end designers have a variety of login flows and it'd be difficult to test how the feature would interact with anything that is at all not a straight up template, and as someone who works exclusively on the backend when it comes to projects involving any sort of web applications I've long attempted to get the message across - in vain - that for the most part design choices don't really work to stop bots and attacks of that nature because anything client-side can eventually be reverse-engineered and anything a human can do can be emulated and with a first-mover advantage to boot. I don't know whether to laugh or cry that as it turns out, the login flows do stop a certain type of accessor, just not a bot but me. Now I have to seriously consider just offloading captcha solving to one of the myriad of services that outsource the manual work to someone in the global south for pennies until my IP is no longer considered malicious by the black box algorithms that determine the trustworthiness of my home connection.
I don't know if I'm an edge case or not since it's hard to judge the ratio of complaints versus people actually affected, but it appears that at least some illustrative warning needs to be implemented at least before users opt in to the feature. I'm fortunate that I can triage and diagnose the problem on my end fairly quickly and browsing actual web sites is not a significant part of my work, and can mitigate if not eliminate a lot of the pain points to a large degree. But just as my first reaction when weird things start to happen is to pop an SSH tunnel and start to eliminate causes by spinning up VMs, if it's my mom who starts to experience all this (she luckily is in China for now where logins are kind of worthless because private property ultimately doesn't exist and so everything is tied to QR code based login systems, vulnerable for a whole other reason), I'm pretty sure that I'll end up losing 2-3 hours of productivity trying to triage the problem without any vaguely jargon-like language, and possibly the ten years of pestering her to use a password manager might just go out the window. That would really be the worst result, no?