But my guess is he's referring to replacing the login page's Javascript code with a malicious one that phones back the plaintext password. Kinda like a keylogger.