The software giant is investigating yet another security dilemma with its Hotmail service that permits the sending of JavaScript code that could automatically present a bogus password entry screen. Usernames and passwords entered by unsuspecting users could be collected by the email sender...

http://news.com.com/2100-1040-248668.html?legacy=cnet&tag=st.cn.1002newsfd.

Hope it's fixed, cause it's about 3 years ago! :D

yes, but I do remember sometime in the last year that someone was able to create a form, and 'impersonate' users online.

The article may be old, but the idea still works: if you know what form information a website expects, you can submit to it as your website visitor... impersonating them in effect.

I've had to make sure to combat this at my workplace, doing such things as capturing the IP address for each session into the site and so on.