Isn’t it already game over if malware can write into your hostfile? At least on Windows you need some elevated access for it, which means such malware could just read/write the target program’s memory directly instead of resorting to clunky MitM.
Yeah, I also found out when I was manually testing our product’s logged-out UX at work and the 2nd trial started logged in.
Very nice. The old execCommand API was annoying.