"If you have saved your login data on any plain-HTTP site that the attacker knows of, he can use his JS shell in the news site to load the site with the login form in an iframe, then inject another JS shell into the iframe and use that to read the password that the browser fills in."
As far as I know incognito mode wont autofill those saved credentials. I think that was the point how incognito mode prevents this kind of attack.
In this attack the user doesn't have to access those HTTP sites with stored credentials by themselves while being connected to the evil network, because the injected script does that for you behind the scenes.
You are right, I wasn't. However, the solution to this is to not use passwords with plain-HTTP sites. Incognito mode will prevent a small surface of drive-by attacks, but the bigger problem if plaintext passwords in cleartext on the wire are also terrible.
"If you have saved your login data on any plain-HTTP site that the attacker knows of, he can use his JS shell in the news site to load the site with the login form in an iframe, then inject another JS shell into the iframe and use that to read the password that the browser fills in."
As far as I know incognito mode wont autofill those saved credentials. I think that was the point how incognito mode prevents this kind of attack.
In this attack the user doesn't have to access those HTTP sites with stored credentials by themselves while being connected to the evil network, because the injected script does that for you behind the scenes.