The problem with prolonged origin compromises is that they can bypass other security precautions as well. For example, if someone connects to an unsafe wireless access point, their browser can be tricked into thinking it has visited, say, Facebook.com through a combination of DNS poisoning and invisible frames containing rogue code, all without the user being aware. Later, that rogue code can hijack a real Facebook session when the user is logged in from a safe environment.
Such attacks can also lead to multiple account compromises if the affected computers are used by different individuals. They are not yet common because there are other, simpler techniques that hackers use, including exploiting remote code execution vulnerabilities. However, as exploit mitigation technologies advance, that could change.
"Today, it's so easy to phish users or exploit real RCE [remote code execution] bugs that backdooring Web origins is not worth the effort. But in a not-too-distant future, that balance may shift," warned Zalewski, who wants browser vendors to act now to make sure that point is never reached.