[crazygringo]

You can run any JavaScript.

So you can show a popup saying the user needs to log in again, and then log their credentials on your own server instead.

[paledot]

Or exfiltrate their session cookie, or post spam/phishing links on their behalf...

[sillysaurusx]

Session cookies are generally not available to javascript. The latter is true though.

[None4U]

Perhaps HttpOnly wasn't as prevalent back then?

[matsemann]

Yup, no CORS either, all protections relied on having proper CSRF-tokens, but with JS access one could read that token as well.

My "hack" was mostly pretty harmless. Just did some layout changes to make my profile cooler. But the door was wide open for anything.