1. As explained in the original email XSS attacks now lead CC exposure, very bad
2. If the cookies are not session cookies. It's horrible, then anyone who got access to that computer later can read the cookies and Credit Card. But also don't forget tons of websites still keeps auto-complete enabled!!!! in freaking CC fields.
3. If the cookies are not marked as "secure" (or issued over HTTPS) then it's totally messed up and invalidates PCI etc. directly. Now your credit card transmitted over HTTP.
4. Other than this even though it's rather pointless thing to do, there is not any more direct attack I can think of.
Put it this way, this is not worse than a XSS vulnerability in a website as an XSS can lead more serious issues directly.
1. As explained in the original email XSS attacks now lead CC exposure, very bad
2. If the cookies are not session cookies. It's horrible, then anyone who got access to that computer later can read the cookies and Credit Card. But also don't forget tons of websites still keeps auto-complete enabled!!!! in freaking CC fields.
3. If the cookies are not marked as "secure" (or issued over HTTPS) then it's totally messed up and invalidates PCI etc. directly. Now your credit card transmitted over HTTP.
4. Other than this even though it's rather pointless thing to do, there is not any more direct attack I can think of.
Put it this way, this is not worse than a XSS vulnerability in a website as an XSS can lead more serious issues directly.