The issue is even worse. Some sites are embedding login to remote websites. Here, for example, you've used disqus for visitor comments, which may require us to login from your own site. Now, can you please tell me how to make sure this is the real disqus login form and not a fake?

Also, please note that sites such as facebook do require secure login, but after that transfer the users to plain HTTP site, which allow man in the middle to grab our session cookies and use our identity. This is what FireSheep demonstrated recently.

nice info, tq very much.

Thanks for giving such an important information.... Login passwords must be secured and different for the accounts to avoid these issues.

Very good point. This is a good reason why you should not have the same password for all your logins. At least not for your important passwords like your bank account.

I have my site, I tried running your script on my site and it worked. I am curious to know if this can be avoided. How can I make my site more secure and keep such attackers away. Thank you.

Food for thought if i was a hacker and hacked your email address... all your PayPal and bank information is only one "send a reset code to me email because i 'forgot' it" request away...

What you described here is interesting. But it might happen, only after XSS attack. In other words, if web masters prevent their websites from being the victim of XSS attacks, then everything is OK.