Yes, as long as the Wi-Fi network is unencrypted, it's vulnerable to this attack. The attacker wouldn't even need a login.
Encryption is the only viable defense, whether it's encrypted Wi-Fi (but note that the encryption ends at the access point, leaving you vulnerable to the network owner, and possibly other users, depending on setup), encryption at the application layer (e.g. HTTPS), or an encrypted tunnel (e.g. SSH or a full VPN).