You're talking about a phishing attack, and it's actually worse for OpenID: http://identity.mozilla.com/post/7669886219/how-browserid-di... Once Persona is integrated into browsers it will offer better security. BTW, the iframe is always in a pop-up for this exact reason. It's never an iframe within the context of the website that initiated the login.