Re: [ CWE-79 ] *.nastyfans.org is vulnerable to script injection
by suchmoon on 18/06/2020, 14:36:24 UTC
⭐ Merited by Boris007 (1)
I am also concerned that if what OP says really exists, has anyone taken advantage of it?

It does exist. To take advantage of it, the attacker would have to coerce someone to visit the attacker's site and the nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.