Ah, that explains why it could get away with "Runtime.getRuntime().exec(str9);".
Now, the thing is, I don't think the forum user mentioned clicking anything. However, it's possible they've stolen the signature from something else, which that person has previously chosen to "Always Accept"? (I don't know if Java lets you do that)
Since I don't have an mtgox account, and I have a fair degree of confidence that the code posted can't possibly escape the Java sandbox, I decided to live dangerously and try loading the page.
Here's the warning screen that comes up when you load it: http://i.imgur.com/sXDoFLt.png Note the self-signed certificate from "North Sumatra".
Gotta say, I have no sympathy for someone who clicks through that warning screen and then complains that their credentials got stolen.
Usually these exploit kits will use the user agent and the reported plugins to decide what version of the page to send. If this is a pro job, then if you were running an exploitable version of Java (which a majority of people tend to be), it would push an applet that used an exploit to load its stage 2. But if it decides it doesn't have an exploit for you, it takes a different approach, like scareware or a prompt to run, etc.
Oops :/ Today I just clicked through that screen to run the bitcoin miner I downloaded from bitminter.com, because I did not realize that this is a warning from Java. Really confusing.
I think this may have been possible due to the purported Java exploit mentioned in the post:
"I then discovered that the site is loaded with a java script which, based on an initial analysis by my java programmer friend, is a 0 day java exploit with a cross site injection attack, which automatically started."