I was watching a video today about injecting malicious JavaScript into webpages that are served over HTTP (not HTTPS). Even if the post from the login form is HTTPS, it is still possible to steal the user’s data if the script can be injected into a page loaded over HTTP.
Take this login form for example:
Using Fiddler, it is possible to intercept the HTTP request, and inject a script by replacing the closing <body> tag with this:
Here we are console.loging the output, and in reality a much more powerful tool than Fiddler would be needed to make this intercept (such as some malware at a router level). But imagine this data below being sent to a remote server. It would be easy to reconstruct your session and determine what you typed into each text entry field and steal your login info.