After revoking access to an app, the contacts API still returns contact information
We've found that if a user grants permission to a Yahoo! application to read their contacts, then revokes permission via the Yahoo! "Manage apps and website connections" page, the app is still able to call the contacts endpoint and retrieve the user's current contact data.
Here's the API we're using to retrieve the contact info: