How the "Fake Mail Form" exploit works

This exploit makes it possible to steal passwords from users of some free Web-based email sites, including Yahoo Mail and MailExcite. (Some of these services may have fixed the problem since this writing.)

You have to send an email message to the user's account at, for example, Yahoo Mail. When they log in to read their mail and click the "Reply" or "Delete" button at the bottom of the message, Yahoo Mail appears to prompt them within the same window, "Session timeout: Please re-enter your password". When the password is re-entered, it is sent to a hostile site and the user continues reading their mail without noticing anything unusual.

How it works

Yahoo! Mail does not re-write the "action" attribute of a <FORM> tag contained in an email message when that message is displayed to the user. Yahoo Mail is smart enough to insert a "target" attribute into a link, for example, so that when you click on a link that someone sends you, it opens in a separate browser window. (This way, you can't fool the user into thinking that they're still inside Yahoo Mail and give them a message like "please re-enter your password".) However, their mail parser does not re-write the <FORM> "action" attribute. (HotMail, on the other hand, does re-write the "action" attribute so this trick won't work.) That means when you click to submit a form inside an HTML email message, the result will be displayed in the same frame.

In order to get the user to submit a form within the Yahoo Mail message, make them think they're clicking on the "Reply" or "Delete" button provided by the Yahoo Mail interface. It's easy to figure out how the Yahoo Mail HTML interface is formatted, so in your HTML message, you just insert your own buttons, tables, etc. to look exactly like the bottom half of the real Yahoo message-reading interface. Follow this with an HTML opening comment "<!--" so that the *real* bottom half of the interface will be hidden. If the user clicks on the "Reply" or "Delete" buttons at the bottom instead of the ones at the top, they'll really be submitting your form.

So, combine these two tricks -- send the user an HTML email message that replaces the buttons at the bottom half of the Yahoo mail interface with your own custom buttons, in a form whose "action" URL is an off-site page (and use a comment "<!--" to hide the real bottom half of the interface). Then, when the user clicks one of those buttons, the form submission will re-direct the user to the off-site page -- all staying within the same frame of the Yahoo Mail interface, so the user thinks they never left Yahoo Mail. The off-site page can say "Timeout, please re-enter your password..."

Suggested fix for Yahoo Mail and other free Web-based email sites:
Yahoo Mail should automatically add a "target" attribute to any <FORM> tag in an email message, so that when the user fills out a form, the results will open in a new browser window, with the real location visible in the Location bar.
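The following is an added example of the suggested fix, written here for illustration and not Yahoo Mail's own code. It takes the two weaknesses described above and neutralises both before a message body is rendered inside the webmail frame: every <FORM> tag is forced to carry target="_blank" (overwriting any target the sender supplied), and an HTML comment opener "<!--" that is never closed is escaped so it cannot hide the real bottom half of the interface. It also reports forms whose "action" points to a host other than the webmail service, which is the kind of check a mail parser could log. The webmail host name, the attacker host and the sample message body are constructed values, not taken from the original page.

```python
"""Added example (not Yahoo Mail's code): sanitize an HTML email body
before it is rendered inside a webmail frame.

  1. Every <form> gets target="_blank"; any sender-supplied target is
     dropped, so a submission opens in a new window whose Location bar
     shows the real destination.
  2. A "<!--" with no matching "-->" is escaped, so it can no longer hide
     the webmail interface that follows the message.

WEBMAIL_HOST and the sample message are constructed for this example.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

WEBMAIL_HOST = "mail.example.net"   # assumed host of the webmail service


def escape_unterminated_comments(html):
    """Escape any '<!--' that is never closed by '-->'.

    Returns (html, findings); closed comments are left untouched."""
    out, pos, findings = [], 0, []
    while True:
        start = html.find("<!--", pos)
        if start < 0:
            out.append(html[pos:])
            break
        end = html.find("-->", start + 4)
        if end < 0:
            # Opener with no closer: turn '<' into '&lt;' so it renders as text.
            out.append(html[pos:start] + "&lt;!--")
            findings.append("unterminated comment escaped")
            pos = start + 4
        else:
            out.append(html[pos:end + 3])
            pos = end + 3
    return "".join(out), findings


class FormRewriter(HTMLParser):
    """Re-emit the HTML unchanged, except that every <form> is rewritten."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []
        self.findings = []

    def _emit_tag(self, tag, attrs, selfclose=False):
        if tag == "form":
            # Drop any sender-supplied target and force a new window.
            attrs = [(k, v) for k, v in attrs if k.lower() != "target"]
            attrs.append(("target", "_blank"))
            for k, v in attrs:
                if k.lower() == "action" and v:
                    host = urlparse(v).hostname
                    if host and host != WEBMAIL_HOST:
                        self.findings.append("form action points off-site: " + v)
        parts = [tag]
        for k, v in attrs:
            # HTMLParser unescapes attribute values, so re-escape on output.
            parts.append(k if v is None else '%s="%s"' % (k, escape(v, quote=True)))
        self.out.append("<" + " ".join(parts) + (" />" if selfclose else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, selfclose=True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def sanitize_mail_body(html):
    """Return (sanitized_html, findings) for one HTML message body."""
    html, findings = escape_unterminated_comments(html)
    parser = FormRewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), findings + parser.findings


# Constructed sample: a message that mimics the interface buttons, posts
# off-site, and opens a comment to hide what follows it.
SAMPLE_MESSAGE = (
    '<p>Hi, see the attached report.</p>'
    '<form action="http://attacker.example.org/timeout" method="post">'
    '<input type="submit" value="Reply">'
    '<input type="submit" value="Delete">'
    '</form>'
    '<!-- rest of the real interface would be hidden here'
)

if __name__ == "__main__":
    body, notes = sanitize_mail_body(SAMPLE_MESSAGE)
    print(body)
    for note in notes:
        print("finding:", note)
```

Run as a script it prints the rewritten body, in which the form now carries target="_blank" and the dangling "<!--" has become literal text, followed by the two findings. Rewriting rather than stripping keeps legitimate forms usable, while the findings list gives the parser something to log when a message submits to a host outside the service.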