OAuth Security Issue FAQ
The following frequently asked questions relate to the OAuth security issue announced April 22, 2009.
- What is OAuth?
- Why is Yahoo! warning users prior to OAuth authorization?
- What steps is Yahoo! taking to remedy this issue?
- Can developers continue to create applications and services that use 3-legged OAuth?
- What Yahoo! services are affected?
- Does this issue affect My Yahoo! users?
- Does this affect users who already have authorized access?
- Does this affect both 2 and 3-legged OAuth authorization?
- Does this affect authorization using BBAuth?
- Does this issue affect applications on Yahoo! Application Platform?
- Should Yahoo! support only a proprietary service like BBAuth instead of OAuth?
- Should OpenID be used instead of regular OAuth to avoid this problem?
Q: What is OAuth?
OAuth is an open standard that lets users give a service permission to access the information they've stored with a third-party website without exposing their password and account information.
Q: Why is Yahoo! warning users prior to OAuth authorization?
It was recently discovered that versions prior to the OAuth Core 1.0 Revision A update contained a session fixation security vulnerability.
Q: What steps is Yahoo! taking to remedy this issue?
Yahoo! has worked with the OAuth community to revise the OAuth protocol and fix this issue, as seen in the latest OAuth Core 1.0 Rev. A specification. For more information on the new Yahoo! OAuth authorization flow, refer to the Yahoo! OAuth Quick Start Guide, which also reflects the latest update to the OAuth spec.
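As an added illustration (not Yahoo!'s code and not from the original page), the following hypothetical Python model shows the service-provider checks that OAuth Core 1.0 Rev. A introduced to close the session fixation hole: the consumer binds oauth_callback when it obtains the request token, and the access-token exchange is refused unless the caller presents the oauth_verifier that was delivered through that bound callback. The class and method names are assumptions.

```python
import secrets


class RevAProvider:
    """Service-provider side of the 3-legged OAuth Core 1.0 Rev. A flow
    (hypothetical model, not Yahoo!'s implementation)."""

    def __init__(self):
        self._requests = {}  # request token -> binding state

    def request_token(self, consumer_key, oauth_callback):
        # Rev. A moves oauth_callback into this signed request, so the
        # callback is bound to the token by the consumer itself rather
        # than supplied later on the authorization URL.
        token = secrets.token_hex(8)
        self._requests[token] = {"consumer": consumer_key,
                                 "callback": oauth_callback,
                                 "authorized": False, "verifier": None}
        return {"oauth_token": token, "oauth_callback_confirmed": "true"}

    def authorize(self, token):
        # Run after the resource owner approves the request token.
        # The fresh oauth_verifier is delivered only to the bound callback
        # (or shown to the user when the callback is "oob").
        state = self._requests[token]
        state["authorized"] = True
        state["verifier"] = secrets.token_hex(4)
        return {"redirect_to": state["callback"],
                "oauth_verifier": state["verifier"]}

    def access_token(self, consumer_key, token, oauth_verifier):
        # The Rev. A check: the exchange is refused unless the caller
        # presents the verifier that went to the legitimate callback.
        state = self._requests.get(token)
        if state is None or state["consumer"] != consumer_key:
            return None
        if not state["authorized"] or oauth_verifier is None:
            return None
        if not secrets.compare_digest(oauth_verifier, state["verifier"]):
            return None
        del self._requests[token]  # request tokens are single-use
        return {"oauth_token": secrets.token_hex(8),
                "oauth_token_secret": secrets.token_hex(16)}
```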
Q: Can developers continue to create applications and services that use the older version of 3-legged OAuth?
No, you should plan to update your application to be compliant with OAuth Core 1.0 Revision A. We plan to shut down support for the older versions of the protocol on Monday, November 9, 2009. You will be presented with an error message after the shutdown date.
Q: What Yahoo! services are affected?
The following Yahoo! services are affected:
- All Yahoo! Open Strategy (Y!OS) Open Applications using the Social APIs, including Updates, Social Directory, Contacts, and Status services.
- YQL private data tables that require 3-legged OAuth.
- Fire Eagle OAuth.
Q: Does this issue affect My Yahoo! users?
Yes. Due to the OAuth vulnerability, My Yahoo! users are not allowed to add certain applications that require OAuth, such as the GMail app for My Yahoo!.
Q: Does this affect users who already have authorized access?
No, users who have already authorized access are not affected.
Q: Does this affect both 2 and 3-legged OAuth authorization?
Only 3-legged OAuth is affected. 2-legged OAuth is unaffected by this issue. For more information about the difference between two- and three-legged OAuth, see the Yahoo! OAuth Quick Start Guide.
Q: Does this affect authorization using BBAuth?
No. Yahoo! Browser-Based Authentication (BBAuth) is a Yahoo! proprietary authorization service and is not affected.
Q: Does this issue affect applications on Yahoo! Application Platform?
No. Yahoo! Application Platform is unaffected by this issue with the OAuth protocol.
Q: Should Yahoo! support only a proprietary service like BBAuth instead of OAuth?
Yahoo! embraces the Open Web. Since OAuth is an open standard, a large pool of experts can help find issues and continually improve the OAuth protocol. A purely proprietary service does not receive the same level of review.
Q: Should OpenID be used instead of regular OAuth to avoid this problem?
OpenID acts as a single sign-on service and is not meant to serve as an authorization service.