Click the digg to see, or the thumbs for screenshots. It basically allows a third party to frame their own content and receive form submissions with no warning prompts. The POC provides a Citibank-skinned login form and sends an alert() onSubmit without the login details. It doesn't prove that the data is being retrieved, but there's no reason to think they couldn't. Shoddy workmanship on Citibank's part; a bank should really do better than this.