OAuth Update #2

On Wednesday, upon discovery of a security issue within the OAuth protocol, we disabled the ability for users to authorize new applications via OAuth on Yahoo! (apps that had already been authorized were not affected). Obviously, this has been a challenge for you as developers since you haven't been able to test any apps that rely on our Y!OS Updates, Social Directory, Status, Contacts, or Fire Eagle APIs.

After working on the problem yesterday, we've now decided to turn OAuth back on for developers testing their own apps on Yahoo!, but with the addition of a new interstitial warning screen preceding the normal Yahoo! OAuth permissions flow. Here's a screenshot of the warning screen:


Basically, we've decided to re-enable OAuth so that you can test your own apps and not slow down your development cycles. If you choose to do so, we recommend creating a test account and using test data.

Please keep in mind that we are strongly discouraging Yahoo! end-users from authorizing new apps that use OAuth until this security issue is resolved.

As we mentioned yesterday, we're actively working with the OAuth community to solve this security issue. Stay tuned for updates.

Allen Tom
Architect, Yahoo! Membership