Security browsing this forum

I just read an article that may cause concern to anyone who is using IE7 or FF2. It basically states that someone could steal your username and password when you log in to forums or blogs. Just as a precaution, everyone using either of those browsers may want to stop letting it pre-fill your username and password when logging in here and to other forums and blogs, at least until this issue gets fixed. Here's the link to the article:

http://msn-cnet.com.com/Firefox,+IE...n+pages/2100-1002_3-6137844.html?tag=nefd.top


I am no computer/internet wiz, but I will be manually entering my login info for now. Maybe the wizzes can elaborate on this?

Bob
 
If I'm reading this correctly, it applies to fake login pages... That would require someone to upload a fake page to the Stormtrack server, which doesn't appear likely. It's like the emails that point you to www.ebayy.com or some other spoof site. Someone might, might, might be able to make some sort of invisible HTML form and put it into a post/thread, but I'm not sure FF or IE would autofill such an 'invisible' form (I'm not sure how to make it invisible other than to use a stylesheet/CSS to add the "visibility:hidden" attribute, or to make the form extremely small so as to make it almost invisible).
 
Here's the info on how this works:

This is thanks to the popularization of AJAX (Asynchronous Javascript And XML), which allows a page to contact the server WITHOUT refreshing the page. The phisher, as the people who want this information are called, has a form that has field names, such as "username" and "password", which autocomplete recognizes and fills in for you. Well, once the data is in the field it is immediately accessible by Javascript, which reads the data in the field and then transmits it, using AJAX (or some form of it), to the phisher's server. From there, who knows where your info goes.

This can be accomplished in one of three ways. Either the page itself can be uploaded to the server where the user would normally log in, or by using cross-site scripting (XSS), where a remote Javascript file is loaded into the page. With the XSS method, no other action is needed since the form is already there and all they have to do is transmit the data before you click the button to log in.

The third way, which is how MySpace was hit, was due to using a stylesheet that would cause the MySpace content to vanish and show a login screen. I've actually figured out how this is done, though I certainly did not leave my profile like that. The simple solution to this is that if you are ever given a prompt to log back in, simply go to the root domain and log back in there. This method, though, is circumvented by the use of the AJAX request to send the data back if Autocomplete was turned on.

In reality, this isn't a bug in the browsers, and I'm curious to know how they combat this since it's not a bug, but simply a new use for existing functionality in Javascript.

The simplest and most secure way is to just turn off Autocomplete. Telling the server to remember you, or always stay logged in, is not going to be very secure since the Javascript would have access to the cookies that were created by the domain.
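
The first reply raises the possibility of a form hidden inside a post, and the explanation above depends on fields named "username" and "password" being present in the page. As an added example (not part of the original thread), this JavaScript lint flags such markup in user-submitted post HTML before it is rendered; the function names, the field-name list and the sample posts are assumptions constructed for illustration.

```javascript
// Added example: flag post HTML that could present an autofill-able
// credential form. Names, patterns and samples below are constructed.
const CREDENTIAL_NAMES = /^(user(name)?|login|email|pass(word)?|pwd)$/i;

// Parse the attributes of one tag into an object with lowercase keys.
function parseAttrs(tagText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return a list of findings; an empty list means nothing was flagged.
function auditPostHtml(html) {
  const findings = [];
  const tagRe = /<\s*(form|input|script|style|link)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (tag === "script") findings.push("script element in post");
    if (tag === "form") findings.push("form element in post");
    if (tag === "style" || (tag === "link" && /stylesheet/i.test(attrs.rel || ""))) {
      findings.push("stylesheet in post");
    }
    if (tag === "input") {
      const type = (attrs.type || "text").toLowerCase();
      if (type === "password") findings.push("password input in post");
      else if (CREDENTIAL_NAMES.test(attrs.name || "")) {
        findings.push(`credential-named input "${attrs.name}"`);
      }
    }
  }
  // Inline style that hides content, as the first reply speculates about.
  if (/style\s*=\s*["'][^"']*(visibility\s*:\s*hidden|display\s*:\s*none)/i.test(html)) {
    findings.push("hidden inline style");
  }
  return findings;
}

// Constructed sample posts: one ordinary, one carrying a hidden login form.
const SAMPLE_BENIGN = '<b>Great chase</b> <a href="https://example.org/radar">radar</a>';
const SAMPLE_SUSPECT = '<form style="visibility:hidden"><input name="username">' +
  '<input type="password" name="password"></form>';
console.log(auditPostHtml(SAMPLE_SUSPECT));
```

A regex lint like this is a review aid only; what actually gets rendered should pass through an allowlist-based HTML sanitizer.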
 
Thanks, guys! I use FF2 with NoScript, so it sounds as though I may be protected. If Java is the culprit that enables this to happen, then NoScript would block it, I'm guessing.
 