How would they go about fixing that? Verified by Visa is the same - you get redirected to some random domain "arcot.com"?. There's a verification code, but that's viewable by anyone that has your credit card (including the site operator where you just input your CC number).
Wouldn't Coinbase need to fully redirect to their own domain, or popup a window with the URL visible in order for users to know they're really dealing with Coinbase?
Yes, of course
Sure, the user needs to allow the permissions first, but the warning where disproportionate to the power it gave away.
They've disabled this kind of access since though.
They should stop asking for user's password right there, because it makes people trust any iframe