We can steal token, Username and password by injecting ".yaml " code in the phishing page.
because now days, real authentication is done by token not password.
Example: if we inject google.yaml in Google phishing page, we can extract token and we need not to go through 2 Factor authentication.
please take a look at evilgnix2 and also google.yaml.
evilgnix2:
google.yaml
https://gist.github.com/thehappydinoa/e38a3c87b022405d4590e69922cac7f7
please also take a look at this youtube video:DemmSec