Comment by danielweber

From what I've learned, it reports back if it gets something, when it should get nothing.

How vulnerable a specific site is depends on luck. Yahoo must have broken a whole bunch of mirrors because total amateurs can send mail.yahoo.com a certain blob of code and it has a good chance of returning a stranger's password.