Brian Krebs of the Washington (DC, US) Post has an explanation of the way it works (is that “htp” a typo or does he really mean a preprocessor?).
Consider the following scenario. You log into your Gmail account on a wireless hotspot at the local coffee bar, being careful to do so by clicking on a bookmark that sends you to https://mail.google.com. In between reading your e-mail, for example, you surf over to another trusted Web site. A bad guy who has hijacked the establishment’s network sees that you’ve requested a new Web page and appends a tiny image at htp://mail.google.com to the new page you requested. Bingo. Your browser will spit out the Gmail cookie with your credentials.
One does not have to be in a wi-fi environment for the exploit to work, though. One could probably have one’s cookies invoked by a hi-jacked Web page.
Read Mr. Krebs’ article.
Read a collection of Mr. Perry’s notes on the topic.