
OAuth Security Issue FAQ

The following frequently asked questions relate to the OAuth security issue announced April 22, 2009.

Q: What is OAuth?

OAuth is an open standard that lets users grant one service permission to access information they have stored with another website without sharing their password or account credentials with that service.

Q: What is the recent OAuth vulnerability?

It was recently discovered that versions of the OAuth Core 1.0 specification prior to the Revision A update contained a session fixation vulnerability in the 3-legged authorization flow. Revision A closes it by binding the callback URL at the request-token step and by requiring a verification code (oauth_verifier), issued when the user approves access, before a request token can be exchanged for an access token.

Q: What steps is Yahoo! taking to remedy this issue?

Yahoo! has worked with the OAuth community to revise the OAuth protocol and fix this issue, as seen in the latest OAuth Core 1.0 Rev. A specification. For more information on the new Yahoo! OAuth authorization flow, refer to the Yahoo! OAuth Quick Start Guide, which also reflects the latest update to the OAuth spec.
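The Rev. A change in provider-side form, as an added example that is neither Yahoo!'s code nor the OAuth reference implementation: a minimal in-memory service provider that binds oauth_callback when the request token is issued and refuses to issue an access token unless the same consumer presents the oauth_verifier minted at approval. Request signing, nonces and timestamps are omitted (assumption: the consumer is already authenticated on each call); all token values are generated locally.

```python
import secrets

class RequestToken:
    """State the service provider keeps for one request token."""
    def __init__(self, consumer_key, callback):
        self.consumer_key = consumer_key
        self.callback = callback      # bound at issue time (Rev. A)
        self.authorized_by = None     # user who approved it, if any
        self.verifier = None          # oauth_verifier minted at approval

class Provider:
    def __init__(self):
        self._request_tokens = {}
        self._access_tokens = {}

    def issue_request_token(self, consumer_key, oauth_callback):
        # Rev. A moves oauth_callback to this step, so the redirect target is
        # fixed before the user ever sees the authorization page.
        token = secrets.token_urlsafe(16)
        self._request_tokens[token] = RequestToken(consumer_key, oauth_callback)
        return token

    def authorize(self, token, user):
        # The user approves the token; the provider mints an oauth_verifier and
        # delivers it to the bound callback (or displays it for out-of-band use).
        rt = self._request_tokens[token]
        rt.authorized_by = user
        rt.verifier = secrets.token_urlsafe(8)
        return rt.callback, rt.verifier

    def exchange(self, consumer_key, token, oauth_verifier):
        # Access token step: the caller must be the consumer the token was
        # issued to AND present the verifier delivered to that consumer.
        rt = self._request_tokens.get(token)
        if rt is None or rt.authorized_by is None:
            raise PermissionError("request token unknown or not authorized")
        if rt.consumer_key != consumer_key:
            raise PermissionError("request token belongs to another consumer")
        if not oauth_verifier or not secrets.compare_digest(rt.verifier, oauth_verifier):
            raise PermissionError("missing or wrong oauth_verifier")
        del self._request_tokens[token]           # request tokens are single-use
        access = secrets.token_urlsafe(16)
        self._access_tokens[access] = rt.authorized_by
        return access

    def owner_of(self, access_token):
        return self._access_tokens.get(access_token)

def run_flow(provider, consumer_key, callback, user):
    """Happy path: request token -> user approval -> verifier -> access token."""
    rt = provider.issue_request_token(consumer_key, callback)
    _cb, verifier = provider.authorize(rt, user)
    return provider.exchange(consumer_key, rt, verifier)
```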

Q: Can developers continue to create applications and services that use the older version of 3-legged OAuth?

No, you should plan to update your application to be compliant with OAuth Core 1.0 Revision A. We plan to shut down support for the older versions of the protocol on Monday, November 9, 2009. Requests that use the older versions will receive an error message after the shutdown date.

Q: What Yahoo! services are affected?

The following Yahoo! services are affected:

  • All Yahoo! Open Strategy (Y!OS) Open Applications using the Social APIs, including Updates, Social Directory, Contacts, and Status services.
  • YQL private data tables that require 3-legged OAuth.
  • Fire Eagle OAuth.

Q: Does this issue affect My Yahoo! users?

Yes. Because of the OAuth vulnerability, My Yahoo! users are currently not able to add certain applications that require OAuth, such as the GMail app for My Yahoo!.

Q: Does this affect users who already have authorized access?

No, users who have already authorized access are not affected.

Q: Does this affect both 2-legged and 3-legged OAuth authorization?

Only 3-legged OAuth is affected; 2-legged OAuth is unaffected by this issue. For more information about the difference between 2-legged and 3-legged OAuth, see the Yahoo! OAuth Quick Start Guide.

Q: Does this affect authorization using BBAuth?

No. Yahoo! Browser-Based Authentication (BBAuth) is a Yahoo! proprietary authorization service and is not affected.

Q: Does this issue affect applications on Yahoo! Application Platform?

No. Yahoo! Application Platform is unaffected by this issue with the OAuth protocol.

Q: Should Yahoo! support only a proprietary service like BBAuth instead of OAuth?

Yahoo! embraces the Open Web. Because OAuth is an open standard, a large pool of experts can help find issues and continually improve the protocol. A proprietary service does not receive the same level of review.

Q: Should OpenID be used instead of regular OAuth to avoid this problem?

No. OpenID is a single sign-on (authentication) service and is not designed to serve as an authorization service, so it does not address the need that OAuth addresses.