The attack, which doesn’t require an adversary to have any man-in-the-middle capability over the network, can be used to lace unencrypted Facebook and Twitter pages with code that causes victims to take unintended actions, such as post messages or follow new users. It can also be used to direct people to fraudulent banking websites and to inject fraudulent messages into chat sessions in some Windows Live Messenger apps.