"Fake Mail Form" security hole in Web-based email sites

-Bennett Haselton, bennett@peacefire.org

News sightings: C-Net

See also:
JavaScript-in-cookies security hole
Eudora "stealth attachment" demo page
Internet Explorer "local JavaScript" security hole

This page describes a security hole that we discovered in free Web-based email sites including Yahoo Mail, USA.net and MailExcite. We did verify that HotMail is not affected. Other free email sites such as gURLmail.com and MailCity.com were not tested.

There is no demo available -- not because we think the exploit is too dangerous to reveal the details (the other security exploits listed above are all explained and demonstrated on this site, and some of those are a lot more dangerous than this one), but because the free email sites are fixing the problem even as these words are being written, so the demo would soon be obsolete anyway.

For the exploit to work, you send an email message to (for example) a Yahoo.com email address. After logging in and reading the message, they click on the "Reply" or "Delete" button at the bottom of the Yahoo Mail user interface. This causes the Yahoo Mail site to prompt the user to re-enter their password (due to a "session timeout" or some other made-up reason). When the user re-enters their password, it is intercepted and sent to a hostile site. The user continues reading their mail normally and never notices anything unusual.

The full explanation of how the trick works is available here