Very true! And here's a realistic attack scenario:
Malorie goes to the coffee shop/train station/airport terminal and sets up a public wifi network. The network--be it provided by a laptop hotspot or a router with custom software--is programmed to intercept request/response cycles as follows.
Every response, except those that are part of Malorie's attack, is replaced with a redirect to Pandora's settings page. Some fraction of users will have a Pandora login cookie, which means they'll see the page.
Further, every response for the Pandora settings page gets a <script> tag of Malorie's creation. The JS reads the value attributes of the password and email fields and sends them to Malorie's server.
Malorie then has a bunch of email/password combos. A lot of users will have reused that same combination on many different sites. Quite possibly their email accounts too, which would facilitate even more account takeovers via password reset emails.
So now Malorie can steal entire online identities. From people who reuse passwords, anyway.
To protect against this and many other attacks, everyone should avoid reusing passwords. A password manager, such as the excellent 1Password, is the most practical solution.
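An added audit check, written here and not part of the comment above, for the two server-side conditions the scenario depends on: a settings page that pre-fills the password field (so injected JS can read it from the value attribute) and responses served without the headers that stop a network attacker from rewriting the page. The sample HTML and headers are constructed.

```python
"""Audit helpers for the settings-page weakness described above (added example)."""
from html.parser import HTMLParser

# Constructed sample: the page echoes the stored password into the form,
# which is exactly what lets injected script read it from the value attribute.
WEAK_HTML = """<form action="/settings" method="post">
  <input type="email" name="email" value="alice@example.com">
  <input type="password" name="password" value="hunter2">
</form>"""

# Hardened variant: the password field is never pre-filled; the server only
# compares a submitted value against the stored hash.
SAFE_HTML = """<form action="/settings" method="post">
  <input type="email" name="email" value="alice@example.com">
  <input type="password" name="password" value="" autocomplete="new-password">
</form>"""


class PrefilledPasswordFinder(HTMLParser):
    """Collects the names of password inputs that carry a non-empty value."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type", "").lower() == "password" and a.get("value"):
            self.leaks.append(a.get("name", "<unnamed>"))


def prefilled_password_fields(html):
    """Return the names of password fields that the server pre-filled."""
    finder = PrefilledPasswordFinder()
    finder.feed(html)
    return finder.leaks


def transport_findings(headers):
    """Flag response headers that leave the page open to the wifi MITM above:
    no HSTS (the browser will follow plain-HTTP redirects on later visits)
    and no CSP script-src (injected inline script runs unhindered)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if "script-src" not in h.get("content-security-policy", ""):
        findings.append("CSP does not restrict script-src")
    return findings


if __name__ == "__main__":
    print(prefilled_password_fields(WEAK_HTML))
    print(transport_findings({"Content-Type": "text/html"}))
```

HSTS only protects users who have already visited the site over HTTPS, so the header check is necessary but not sufficient on its own.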