Browser bug could allow phishing without e-mail

13.01.2009

Until then, criminals who discover the flaw could write code that checks whether Web surfers are logged into, for example, a predetermined list of 100 banking sites. "Instead of just popping up this random phishing message, an attacker can get more sophisticated by probing and finding out whether the user is currently logged into one of 100 financial institution Web sites," he said.

"The fact that you're currently in-session lends a lot of credibility to the phishing message," he added.

Security researchers have developed techniques to determine whether a victim is logged into a certain site, but they are not always reliable. Klein said his technique doesn't always work, but it can be used on many sites, including banks, on-line retailers, gaming and social networking sites.