by tlrobinson 5771 days ago
Security risk in what? Users not paying attention to the URL bar?

Suppose I send you a link to a page I own. I start this thing on said page and track what you do with the rest of the session on the off-chance that you do something sensitive with it. It's like a single-tab key/screenlogger. Combine this with traditional phishing methods (which already work) and you might get valuable data. It's going to be at least as effective as current phishing methods, with the added advantage of not asking for personal data on the landing page as well (so users don't get scared off).

A similar attack would be to override the back button. You know those sites where the back button takes you to a redirect that takes you to the same page? Take one of those, but on the redirect page save the referring URL. Then when the user hits back, have the redirect page start the session sharing and redirect to the referrer. Sounds plenty dangerous to me.

You understand this works by proxying webpages, right? The URL bar is going to show the URL of the proxy, not my bank.

If you consider this to be dangerous that's a flaw in every web browser ever, not this piece of software. This kind of thing was possible 10 years ago too.

That's how every phishing plot works, no? And still they get data. This makes it a step smoother.

Re: "sounds plenty dangerous to me"

Often, it's the "sounds plenty dangerous" innovations (fire, automobile, chainsaw, theory of relativity) that provide the most utility.

Oh, certainly. The fact that it can be used for evil makes it no less impressive and useful for other purposes. But thinking of this attack makes me wonder if our browser security models are getting outdated. With things like this possible, and so much valuable data being web-based these days, is there any way of using cool things like that yet avoiding the major risks?

Flight, gunpowder, surgery, sailing, heliocentrism.