We can steal the token, username and password by injecting ".yaml" code into the phishing page,
because nowadays real authentication is done by token, not password.
Example: if we inject google.yaml into the Google phishing page, we can extract the token and we do not need to go through 2-factor authentication.
Please take a look at evilginx2 and also google.yaml.
Please also take a look at this YouTube video: DemmSec