A possible attack
But what if one of those people answering wasn't so much interested in being helpful as in gaining control over other users? Suppose this person was able to inject a little bit of code (and remember, with over 80% of sites vulnerable at some point in their lifetimes, it may just be a matter of waiting).
So here, let's suppose poster #2 has injected some code that changes the login box so that it sends usernames and passwords out to attacker.com.
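A defender-side check for the tampering described above, as an added example that is not part of the original presentation: it flags any form holding a password field whose submission target resolves outside the page's own origin. The `forum.example` URLs, the form descriptor shape and the function names are assumptions made for illustration.

```javascript
// Added example: audit credential forms for submission targets that leave the
// page's origin. Forms are plain objects so this runs in Node without a DOM;
// in a browser they could be built from document.forms (assumption).

function resolveTarget(pageUrl, action) {
  // An empty or missing action submits back to the page itself.
  try {
    return new URL(action || "", pageUrl);
  } catch {
    return null; // unparsable action
  }
}

function auditLoginForms(pageUrl, forms, allowedOrigins = []) {
  const trusted = new Set([new URL(pageUrl).origin, ...allowedOrigins]);
  const findings = [];
  for (const form of forms) {
    if (!form.hasPasswordField) continue; // only credential forms matter here
    const target = resolveTarget(pageUrl, form.action);
    if (target === null) {
      findings.push({ id: form.id, reason: "unparsable-action" });
    } else if (!/^https?:$/.test(target.protocol)) {
      findings.push({ id: form.id, reason: "non-http-scheme" });
    } else if (!trusted.has(target.origin)) {
      findings.push({ id: form.id, reason: "cross-origin", origin: target.origin });
    }
  }
  return findings;
}

// Constructed sample: the same forum page before and after the login box is altered.
const PAGE = "https://forum.example/node/1234";
const cleanForms = [
  { id: "user-login", action: "/user/login", hasPasswordField: true },
  { id: "search", action: "https://search.example/q", hasPasswordField: false },
];
const tamperedForms = [
  { id: "user-login", action: "https://attacker.com/collect", hasPasswordField: true },
  { id: "user-login-2", action: "//attacker.com/collect", hasPasswordField: true },
  { id: "search", action: "https://search.example/q", hasPasswordField: false },
];

console.log(auditLoginForms(PAGE, cleanForms));    // no findings
console.log(auditLoginForms(PAGE, tamperedForms)); // two cross-origin findings
```

This covers only the form-target case; injected code that reads the fields and sends them by other means needs separate controls.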
Note: This is part of my presentation on Visual Security Policy for the Web.
Note 2: As far as I know, there is no such attack possible on the Drupal forums; I just used them because they made a nice screenshot.