Post
Topic
Board Trading Discussion
Re: Bitcoin7 a new exchange
by jav on 16/06/2011, 11:24:59 UTC
Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.

Still easy to exploit.

Malicious page has a 1px * 1px iframe displaying the withdraw page, populates and posts the form through javascript, with the added bonus that it can parse the DOM to figure out your exact (well, floating point exact XD) BTC balance before withdrawing it.
* davout heads to bitcoin-central.net to add a PIN code

This is not true - stuff like this is prevented by the same origin policy. (Think about it: if that were possible, you could also load Facebook.com in an iframe and then - provided the user is logged in - call all sorts of functions with javascript.) You can only access the iframe from code that comes from the same domain.

This might just get dangerous when combined with cross-site scripting: if you manage to feed the webserver some data that it will display back to you unescaped, you can then get your code to come from the same domain and can do this sort of thing.