The following frequently asked questions relate to the OAuth security issue announced April 22, 2009.
OAuth is an open standard that lets users give a service permission to access the information they've stored with a third-party website without handing over their password or account credentials.
It was recently discovered that versions of the protocol prior to the OAuth Core 1.0 Revision A update contained a session fixation vulnerability: an attacker could start an authorization flow, obtain a request token, trick a victim into approving that token, and then exchange it for an access token to the victim's account.
Yahoo! has worked with the OAuth community to revise the OAuth protocol and fix this issue, as published in the OAuth Core 1.0 Rev. A specification. For more information on the new Yahoo! OAuth authorization flow, refer to the Yahoo! OAuth Quick Start Guide, which also reflects the latest update to the OAuth spec.
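To make the fix concrete, here is an added example (written for this page, not Yahoo!'s or the OAuth project's code) that models the service provider's request-token / authorize / access-token state machine in both modes. Request signing, consumer-secret checks and the HTTP transport are omitted (an assumption, so the example stays focused on the token flow); the names `Provider`, `run_fixation_attack` and the callback URL are hypothetical. In Revision A mode the provider requires `oauth_callback` when the request token is issued, mints an `oauth_verifier` when the user authorizes, and refuses the access-token exchange without the matching verifier. Because the verifier is delivered through the victim's browser to the consumer's registered callback, the attacker's own session at the consumer never learns it and the exchange fails.

```python
"""Toy model of the OAuth Core 1.0 session fixation issue and the Revision A fix.

Assumption: signatures, consumer secrets and HTTP are omitted; only the
request-token / authorize / access-token state machine is modelled.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class RequestToken:
    secret: str
    consumer_key: str
    callback: Optional[str]             # Rev A: fixed when the token is issued
    authorized_by: Optional[str] = None
    verifier: Optional[str] = None      # Rev A: minted when the user authorizes


class Provider:
    """Service provider. rev_a=False behaves like OAuth Core 1.0, rev_a=True like 1.0 Rev A."""

    def __init__(self, rev_a: bool):
        self.rev_a = rev_a
        self.request_tokens: dict[str, RequestToken] = {}
        self.access_tokens: dict[str, str] = {}   # access token -> user whose data it unlocks

    def issue_request_token(self, consumer_key: str, callback: Optional[str] = None) -> dict:
        # Rev A: oauth_callback (a URL or "oob") is part of the signed request-token call,
        # so it can no longer be changed later by editing the authorization link.
        if self.rev_a and not callback:
            raise ValueError("oauth_callback is required")
        token = secrets.token_hex(8)
        self.request_tokens[token] = RequestToken(secrets.token_hex(16), consumer_key, callback)
        resp = {"oauth_token": token}
        if self.rev_a:
            resp["oauth_callback_confirmed"] = "true"
        return resp

    def authorize(self, token: str, user: str) -> dict:
        """The user approves the request token in their browser; returns the redirect parameters."""
        rt = self.request_tokens[token]
        rt.authorized_by = user
        params = {"oauth_token": token}
        if self.rev_a:
            rt.verifier = secrets.token_hex(6)
            # Delivered to rt.callback in the user's browser (or shown to the user for "oob").
            params["oauth_verifier"] = rt.verifier
        return params

    def exchange(self, token: str, verifier: Optional[str] = None) -> str:
        """Swap an authorized request token for an access token (one use only)."""
        rt = self.request_tokens.pop(token)
        if rt.authorized_by is None:
            raise PermissionError("request token not authorized")
        if self.rev_a and not (verifier and rt.verifier and hmac.compare_digest(verifier, rt.verifier)):
            raise PermissionError("missing or wrong oauth_verifier")
        access_token = secrets.token_hex(8)
        self.access_tokens[access_token] = rt.authorized_by
        return access_token


def run_fixation_attack(rev_a: bool) -> bool:
    """Return True if the attacker ends up holding an access token for the victim's account."""
    provider = Provider(rev_a)
    consumer_sessions: dict[str, dict] = {}   # consumer-side session store, keyed by browser

    # 1. Attacker starts the 3-legged flow at the consumer; the consumer obtains a request
    #    token and remembers it in the attacker's session. (Hypothetical callback URL.)
    callback = "https://consumer.example/oauth/callback" if rev_a else None
    rt = provider.issue_request_token("consumer-key", callback)
    consumer_sessions["attacker"] = {"request_token": rt["oauth_token"]}

    # 2. Attacker sends the victim the authorization link for that token; the victim approves.
    redirect = provider.authorize(rt["oauth_token"], user="victim")

    # 3. The redirect lands in the VICTIM's browser, so whatever it carries (in Rev A, the
    #    verifier) is stored in the victim's consumer session, not the attacker's.
    consumer_sessions["victim"] = dict(redirect)

    # 4. Attacker asks the consumer to finish the flow from the attacker's own session.
    attacker_session = consumer_sessions["attacker"]
    try:
        provider.exchange(attacker_session["request_token"], attacker_session.get("oauth_verifier"))
        return True      # OAuth 1.0: no verifier needed, attacker now acts as the victim
    except PermissionError:
        return False     # Rev A: attacker never saw the verifier, exchange refused
```

Running `run_fixation_attack(False)` returns `True` (the pre-Rev-A flow hands the attacker an access token for the victim) and `run_fixation_attack(True)` returns `False`. The verifier is compared with `hmac.compare_digest` to avoid a timing side channel, and the request token is removed on exchange so it cannot be replayed.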
No, you should plan to update your application to be compliant with OAuth Core 1.0 Revision A. We plan to shut down support for the older versions of the protocol on Monday, November 9, 2009. You will be presented with an error message after the shutdown date.
The following Yahoo! services are affected:
Yes. Due to the OAuth vulnerability, My Yahoo! users are not allowed to add certain applications that require OAuth, such as the GMail app for My Yahoo!.
No, users who have already authorized access are not affected.
Only 3-legged OAuth is affected. 2-legged OAuth, which has no user authorization step and therefore no request token for an attacker to fixate, is unaffected by this issue. For more information about the difference between two- and three-legged OAuth, see the Yahoo! OAuth Quick Start Guide.
No. Yahoo! Browser-Based Authentication (BBAuth) is a Yahoo! proprietary authorization service and is not affected.
No. Yahoo! Application Platform is unaffected by this issue with the OAuth protocol.
Yahoo! embraces the Open Web. Because OAuth is an open standard, a large pool of experts can help find issues and continually improve the protocol; a proprietary service does not receive the same level of review.
OpenID is a single sign-on (authentication) service and is not meant to serve as an authorization service, so it is not a substitute for OAuth.