I should state that I am not an expert:
this is a big problem!
I noticed that if you use "obsolete Windows" systems, in my case winxp-sp3-NO-update, the connection is NOT interrupted!
(SET) siteclone facebook> credential-harvester >> vs >> xp-sp3
If the login is true / false, the traffic returns to the login page .. && .. (attackers have credentials)
I tested with IE8, Chrome (latest), Firefox (latest)
while on my fully patched Win7/8 the traffic connection is reset!
but ........ (attackers have credentials)