The issue is even worse. Some sites are embedding login to remote websites. Here, for example, you've used disqus for visitor comments, which may require us to login from your own site. Now, can you please tell me how to make sure this is the real disqus login form and not a fake?

Also, please note that sites such as facebook do require secure login, but after that transfer the users to plain HTTP site, which allow man in the middle to grab our session cookies and use our identity. This is what FireSheep demonstrated recently.

NNB6B5

I honestly dont know the situation of 8 years ago but disqus ever since I used it, pops open a new windows which is clearly the disqus website which does the login.

the site here is less a remote login but that the whole comments are remote, meaning that if disqus really embedded the login into the pages back then it's THEIR fault.

nice info, tq very much.

Thanks for giving such an important information.... Login passwords must be secured and different for the accounts to avoid these issues.

Very good point. This is a good reason why you should not have the same password for all your logins. At least not for your important passwords like your bank account.

I have my site, I tried running your script on my site and it worked. I am curious to know if this can be avoided. How can I make my site more secure and keep such attackers away. Thank you.

You cannot avoid phishing mitm/maninthemiddle because of the new thing called sap scrip like I'm on a wifi with a dude that I wanna hack I'll use sap stop so if he writes a pass word I hacker him easily so you just cannot be completely resistant to hackers I'm a hacker my self do you out there if someone starts asking for info how to become a hacker I'll bomb your email with bots so f off please if you are trying to become a hacker or security engenier I'm happy to help you all

This page actually tells you what to do.

actually the bookmarklet became semi-useless. even on complete HTTPS pages the script executes nicely, which especially since the advent of devtools in browsers may make sense. this little bookmarklet may run in a seperate context so it can maybe get http scripts into https or whatever.

what to do after clicking the bookmarklet?

Food for thought if i was a hacker and hacked your email address... all your PayPal and bank information is only one "send a reset code to me email because i 'forgot' it" request away...

What you described here is interesting. But it might happen, only after XSS attack. In other words, if web masters prevent their websites from being the victim of XSS attacks, then everything is OK. 

 @Saeed Neamati - not exactly, you're forgetting Man in the Middle and similar attacks. Imaging a malicious 'free' wifi connection that listens and modifies non secure HTTP traffic