Amit Klein has been coming out with some great stuff lately. First there was his Flash header spoofing and the Expect header vulnerability, and more recently he has used the same header spoofing to make Flash steal user credentials outright. Holy crap!
Here's the basic principle. Flash lets you attach arbitrary request headers, including Host:, to a request the victim's browser sends. If the victim is sitting behind certain transparent proxies, the proxy routes on the Host: header, so it sends the request to whatever host you specified rather than the one the browser actually connected to. The browser is ignorant of that: it picked the credentials for the site it thinks it is talking to (cookies, cached HTTP authentication), so those credentials are now passed to another host.
Likewise, if the site you are interested in is sitting on a shared host you don't need a transparent proxy. Just get an account on the same machine (same IP), forge the Host: header to name your own virtual host, and the server's name-based virtual hosting delivers the request, credentials and all, to you instead of the correct virtual host. Gotta love it.
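To make the two cases above concrete, here is a small model of the leak. This is an added example, not code from the original post or from Amit Klein's research: it models a browser that chooses cookies and credentials by the URL's hostname and then lets a plugin-supplied Host: header overwrite its own, and a hop (transparent proxy in the first case, shared-hosting server in the second) that routes purely on Host:. The hostnames, IPs, cookie and credential values are constructed for the example.

```python
"""Model of credential leakage via a forged Host: header (added example,
not the original post's code). Hostnames, IPs and credentials are made up."""
from dataclasses import dataclass

# Constructed sample data: what the victim's browser holds for the target site.
COOKIE_JAR = {"bank.example": {"session": "s3cr3t"}}
AUTH_CACHE = {"bank.example": "Basic YWxpY2U6aHVudGVyMg=="}

# Headers the browser must own; a plugin or script should never set them.
# (Assumed blocklist, modelled on the forbidden-header rules browsers apply
# to XMLHttpRequest; not a description of any particular Flash fix.)
PROTECTED_HEADERS = {"host", "cookie", "authorization", "content-length"}


@dataclass
class Request:
    dest_ip: str   # where the TCP connection actually goes
    headers: dict  # HTTP headers as sent on the wire


def browser_request(url_host, url_ip, plugin_headers=None, enforce_blocklist=False):
    """Build the request the way the post describes the browser doing it.

    Cookies and cached credentials are chosen by the URL's hostname, then the
    plugin-supplied headers are merged last, so a Host: set from Flash
    overrides the browser's own.  With enforce_blocklist=True the protected
    headers are dropped instead, which is the client-side mitigation.
    """
    headers = {"Host": url_host}
    if url_host in COOKIE_JAR:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in COOKIE_JAR[url_host].items())
    if url_host in AUTH_CACHE:
        headers["Authorization"] = AUTH_CACHE[url_host]
    for name, value in (plugin_headers or {}).items():
        if enforce_blocklist and name.lower() in PROTECTED_HEADERS:
            continue
        headers[name] = value
    return Request(dest_ip=url_ip, headers=headers)


def route_by_host(req, vhosts):
    """Host-based routing: a transparent proxy, or a shared server doing
    name-based virtual hosting, picks the backend from Host: and ignores
    where the packets were addressed."""
    return vhosts.get(req.headers["Host"], vhosts["default"])


def route_by_ip(req, ip_table):
    """What a transparent proxy should do instead: honour the original
    destination IP, whatever Host: says.  (Does not help on a shared host,
    where the attacker's vhost lives on the same IP.)"""
    return ip_table[req.dest_ip]


def leaked_to(req, vhosts):
    """Return (backend, credential headers) that the Host-routing hop delivered."""
    backend = route_by_host(req, vhosts)
    creds = {k: v for k, v in req.headers.items() if k in ("Cookie", "Authorization")}
    return backend, creds


# Constructed topology: the bank plus an attacker-controlled name that the
# same proxy (case 1) or the same shared IP (case 2) knows how to serve.
VHOSTS = {"bank.example": "bank-backend",
          "evil.example": "attacker-backend",
          "default": "bank-backend"}
IP_TABLE = {"203.0.113.10": "bank-backend"}

if __name__ == "__main__":
    # The victim's browser connects to the bank's IP; Flash forged Host:.
    forged = browser_request("bank.example", "203.0.113.10", {"Host": "evil.example"})
    print(leaked_to(forged, VHOSTS))      # attacker-backend receives the credentials
    print(route_by_ip(forged, IP_TABLE))  # bank-backend: IP routing is unaffected
    safe = browser_request("bank.example", "203.0.113.10",
                           {"Host": "evil.example"}, enforce_blocklist=True)
    print(leaked_to(safe, VHOSTS))        # bank-backend: the forged Host: was dropped
```

Running it shows the asymmetry the post is built on: the credentials are chosen by the hostname the browser believes it is talking to, while delivery is decided by the hostname in the Host: header, and only one of those is under the attacker's control. Routing on the original destination IP closes the transparent-proxy case but not the shared-host one, which is why the real fix has to be on the client side: refuse to let a plugin set Host: at all.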