Updated: July 15th, 2006
Edit: this has now been fixed, but I'm sure many sites are still vulnerable.
Here's the link: click here
Unbelievable! This exploit is claimed to exist on 250+ sites. Here's the quote from the guy who found it:
"Look by yourself – this is how citibank.com cares about phishing and password theft. I reported it 20 hours ago. Nothing happened. Maybe it's time to make it public? It is an active link to working exploit, ready to send YOUR data from citibank.com domain to attacker's server – so don't give your real login and pass please."
Reported on digg.com.