Very true. First time I tried it, it got as far as c:bo and stopped cos I was typing too fast. That wouldn't be any use at all.

Mind you, the likelihood of people typing sufficiently slowly for this to catch the keystrokes is high enough to warrant this as a threat. However, that's only if the attacker knew the name of the file to look for. I guess to pull something from My Documents they just need the user to type in their Windows username (eg c:\Documents and settings\[username goes here]\My Documents - they could fill in the rest themselves), but then they'd have to append the document name, say, document1.doc to the end.

If they don't know the filename, this attack is dead in the water. Why would someone enter the name of a document on their system just because some random webpage asks?

I suppose a fix for this would be a warning prompt when a file is about to be sent. Any other suggestions? Is this solution too obtrusive?

Yes. I do this routinely in the SF bay and other places I travel. I browse the web, and I read my POP3 email. I even get the first 100 characters of all my email sent to my phone - I now effectively have an 'email waiting' light (very cool) in my pocket at all times. there are several ways to do this, and I wrote up the way I went (a GSM + Psion PDA combo). The article discusses my 5mx, but I now use the smaller Revo. There is also a port of linux to this PDA family at www.calcaria.net (surprised no one has mentioned it).