Transaction Response / Security Issue?

Hi Sean,

Just looking through the response data I receive when I drop a player, which seems different than I remember it being. For starters, I got a 201 Created response code, but I swore I got an OK before, is that correct?

Second, and main issue, it seems the response also sends back the league password in plaintext within the response:

<?xml version="1.0" encoding="UTF-8"?>
<fantasy_content xml:lang="en-US" yahoo:uri="http://fantasysports.yahooapis.com/fantasy/v2/league/{key}/transactions" xmlns:yahoo="http://www.yahooapis.com/v1/base.rng" time="10.579109191895ms" copyright="Data provided by Yahoo! and STATS, LLC" xmlns="http://fantasysports.yahooapis.com/fantasy/v2/base.rng">
<password>{MY PASSWORD HERE}</password>
<transactions count="1">
<players count="1">
<full>Josh Johnson</full>

I'm not sure if this was intentional or not, but some could construe it as a possible security issue if passwords are sent in plaintext within the XML.

2 Replies
  • Re: 201 Status Code: yes, we did switch a couple of services to return back a 201 code instead of a 200, mostly in times where it was difficult to determine which response text to return back, but we wanted to make sure we said that everything was looking cool. That was mostly used for things like vetoing trades and whatnot, which could potentially delete the resource that you were PUTting to, though. I wouldn't have thought that a standard drop action (POSTing a drop transaction to the transactions collection) would be unable to figure back content to return, though -- would you be able to include the URL that you're POSTing to and a rough example of the XML you'd be putting up there?

    Re: Passwords: We will return back the league password if the logged in user is the commissioner of the league. Depending on how you think about passwords, yeah, this would be a security issue, but we generally don't hold league passwords to a high standard -- they're more a low barrier to entry than a truly secure entity. You'll note that we also send league passwords in emails, have users enter league passwords over non-HTTPS connections, etc. You're also by nature giving out these passwords to up to 20 other potentially random people. So we don't put any particularly special safeguards around it.

    (Yahoo! account passwords are obviously a very different story, where we highly value and put a significant amount of effort into their security)
  • Thanks for the response, no problem about the passwords, I just noticed it suddenly and wasn't sure if it was felt that it could be important or not.

As for the POSTing XML and URL:
    Pretty straight forward XML:
    <type> drop</type>
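One practical consequence of the behaviour Sean describes is that any client which logs or persists raw API responses will end up with league passwords in its logs. The following is an added example, not code from Yahoo or from either poster: a small Python helper that locates the `<password>` element in a transactions response and redacts it before the document is stored. It assumes only the default namespace visible in the excerpt above; the sample response is constructed for the example, with a placeholder password, and is not a captured Yahoo response.

```python
import xml.etree.ElementTree as ET

# Namespaces as they appear in the response excerpt in the thread.
FANTASY_NS = "http://fantasysports.yahooapis.com/fantasy/v2/base.rng"
YAHOO_NS = "http://www.yahooapis.com/v1/base.rng"
REDACTED = "[REDACTED]"

# Keep the original prefixes when re-serialising.
ET.register_namespace("", FANTASY_NS)
ET.register_namespace("yahoo", YAHOO_NS)

# Constructed sample modelled on the excerpt; the password, league key and
# player are placeholders, not real data.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<fantasy_content xmlns="http://fantasysports.yahooapis.com/fantasy/v2/base.rng"
                 xmlns:yahoo="http://www.yahooapis.com/v1/base.rng"
                 xml:lang="en-US"
                 yahoo:uri="http://fantasysports.yahooapis.com/fantasy/v2/league/{key}/transactions">
  <password>placeholder-league-password</password>
  <transactions count="1">
    <transaction>
      <type>drop</type>
      <players count="1">
        <player>
          <name><full>Josh Johnson</full></name>
        </player>
      </players>
    </transaction>
  </transactions>
</fantasy_content>
"""


def _local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _password_elements(root):
    """Every <password> element anywhere in the document, in any namespace."""
    return [el for el in root.iter() if _local_name(el.tag) == "password"]


def password_values(xml_text):
    """Return the text of each <password> element, so a caller can detect
    that a response carries a secret before it is logged."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [(el.text or "").strip() for el in _password_elements(root)]


def redact_passwords(xml_text):
    """Return the response with every <password> value replaced by a
    marker. The rest of the document (transactions, players) is untouched,
    so the redacted copy is still usable for debugging."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for el in _password_elements(root):
        el.text = REDACTED
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("passwords found:", password_values(SAMPLE_RESPONSE))
    print(redact_passwords(SAMPLE_RESPONSE))
```

Run `redact_passwords` on the raw body before it reaches a log file or a debugging dump; `password_values` is the check to wire into a test that fails if a new endpoint starts echoing the league password where it is not expected.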

