I disagree. Putting aside saved passwords, which I admit is a big aside, the browser's usual attack vector is login or session cookies. It will grant users access to the account, but it doesn't usually leak any information in itself. However, this leaks the email, username, password, and a myriad of other data. This is compounded by the risk of leaking data in the event of a JavaScript injection. Usually this would allow the JS to steal login cookies or do actions on the site (hopefully anything 'secure' requires an additional password input), but now they can whisk the usernames and passwords off site, which elevates the breach to be almost as bad as a database leak.
cbsmith|13 years ago
It doesn't appear that merely cloning a login session cookie would get you access to the password, as it does not appear that the server even knows what it is. In fact, this approach they've used seems like it would allow for password challenges whenever Pandora wanted to, which makes session stealing far less effective.