Does this apply to home networks?
Assuming your home network is reasonably secured, then the attacker can't directly get on.
The attacker can boot you off onto their spoof network using deauth.
They then get their web page (with dodgy code) into your browser and flip you back onto your own network.
At this point their dodgy code is inside your secure network and is phishing for your admin credentials, intending to open up external access via remote admin, or to get credentials to join your secure network.
This seems similar to (spear?) phishing. Getting the user to enter credentials into a dodgy web page.
The point at which this seems unlikely is the same as with a phishing attack from an external web site. If you were browsing the Internet and suddenly you got a web page asking you to log onto your router as admin, would you?
Or is this saying that if you have autofill enabled then a hidden web page could perform the login without anything being visible? For the specific example of being flipped onto a spoof network and back is any user interraction required?
Totally confused now. If no user interraction is required then this is far easier to do with an infected web page or advert than through attacking the wireless network from somewhere nearby.