Secunia and Browser Window Injection

Saw it on /.: Multiple Browsers Window Injection Vulnerability Test. Secunia claimed that almost all modern browsers are vulnerable to this attack, which allows another site to replace the URL of a popup window opened by a legitimate site. For example, you go to a bank site, click the link that pops up the login window, and then type in your username and password, unaware that the content has already been replaced so that it posts the entered information to the hackers.

However, having inspected Secunia's code and understood how it works, I do not think exploiting this vulnerability is an easy task in real life. You have to open the legitimate site as a new window from the malicious site, and keep the malicious site's window open so that its JavaScript code keeps running. Why someone would rely on an untrusted third-party site to open a window to a site they trust and rely on is beyond me - that is what "bookmarks" are for.

Anyway, it has already been reported as a bug to Mozilla, and thanks to Open Source it will probably be rectified soon.