Antivirus software is mostly useless, hacker says in Back Page News


20 replies to this topic

#1 Guillaume B

    Guillaumeb

  • 945 posts
  • Joined: 11-August 03
  • Location: EU

Posted 17 January 2012 - 10:40

A huge bug has been discovered in Yahoo! authentification mechanism affecting third party applications, even those created by Yahoo! A member of the Yahoo! Mail Group has discovered that people having connected third party applications may have a problem if they lose their smartphone. Indeed, despite what Yahoo says, changing the password will not be enough. This will not totally revoke access to those third party applications.

Explanations :

Someone using Yahoo! services and owning a smartphone may have installed the Yahoo Mail application for Android, Yahoo! Messenger on Android and iOS or the Yahoo! Mobile application. Even though those have been developed by Yahoo! those are considered as third party applications just like Yahoo! Messenger for Mac OS X or web services inviting you to connect with your Yahoo! ID like Facebook or Twitterfeed.

Should that person lose his smartphone, he may go ahead and change his Yahoo! password so that no one can actually dig into the address book or read his email. Upon password change, Yahoo! mentions that third party applications access will be revoked, but in truth, the lost/stolen smartphone is not safer than before.

Web user “sy1bzbn” explains:

What does this mean? It means if you were using the YMail app on your lost phone, then whoever has physical access to it can continue to READ, SEND, and REPLY. If you were using the YMessenger app, then that person can impersonate you until you signed into YMessenger elsewhere.


I myself tested this on the iPhone. After changing my password, a pop-up alerted me that a new authentification was necessary but I could simply tap on it to make it disappear and continue using the Yahoo! Messenger application. I was able to send messages, receive IM notifications, browse my contacts and see who was connected. People’s online status were properly updated live. In fact, I was able to access Yahoo! Messenger, even after rebooting the phone!

The connection was permanently maintained and one has to manually dig into the application options to turn it off. In fact I was able to connect both on my iPhone and on Yahoo! Mail Messenger with the updated password. Two instances were running and the conversations were updating on both screens. Remember: the two sessions had two different passwords! Only the Yahoo! Voice calls failed to go through. That’s pretty bad for Yahoo!

Source : Clubic.com (French) - translated on Streamlog


#2 nitins60

    Neowinian²

  • 146 posts
  • Joined: 20-January 08

Posted 17 January 2012 - 12:34

Let yahoo die soon. the worst thing is, they are not really trying to live up like RIM

#3 Xenosion

    ya im cool wanna fight about it

  • 2,830 posts
  • Joined: 04-September 07
  • Location: Wellington, Palm Beach, Florida

Posted 17 January 2012 - 12:39

Authentification??

#4 +BudMan

    Neowinian Super Star

  • 22,053 posts
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 17 January 2012 - 16:17

if you had an application installed that had access to your account from your mobile device - and you lost one or more of your mobile devices, wouldn't you for starters report the phone lost/stolen and it would be disabled by your phone carrier?

Also wouldn't you just with common sense revoke said applications access to your account? Are you saying the user does not have the ability to revoke applications access to their account once given?

Not a yahoo user myself, but I would think you would have to have the ability to revoke applications access to your account whenever you deemed it fitting.

It does seem like an issue sure - but seems some common sense security measures would clearly mitigate the issue. I would have to think that once it has been pointed to yahoo that they would correct such a flaw posthaste?

#5 Aethec

    Resident Elite

  • 1,215 posts
  • Joined: 02-May 10

Posted 17 January 2012 - 16:24

Xenosion, on 17 January 2012 - 12:39, said:

Authentification??
It's the French word - the correct English word is "authentication".

#6 Gutierrez

    Resident Fanatic

  • 790 posts
  • Joined: 12-July 10

Posted 17 January 2012 - 16:26

no one cares because no one uses yahoo anymore.

#7 Xenosion

    ya im cool wanna fight about it

  • 2,830 posts
  • Joined: 04-September 07
  • Location: Wellington, Palm Beach, Florida

Posted 17 January 2012 - 16:35

Aethec, on 17 January 2012 - 16:24, said:

It's the French word - the correct English word is "authentication".
(Y)
Attached Image: the_more_you_know.jpg

#8 Guillaume B

    Guillaumeb

  • 945 posts
  • Joined: 11-August 03
  • Location: EU

Posted 17 January 2012 - 18:08

@Budman no indeed you cannot really revoke access to those third party apps. Even if you dig in your Yahoo! account and revoke those access + change your password... someone finding your phone will still be able to use those applications with your ID. Those applications need to be manually logged out from the phone...

You tell me it's a feature? I tell you it's a huge bug

#9 Xenosion

    ya im cool wanna fight about it

  • 2,830 posts
  • Joined: 04-September 07
  • Location: Wellington, Palm Beach, Florida

Posted 17 January 2012 - 18:22

Guillaume B, on 17 January 2012 - 18:08, said:

You tell me it's a feature? I tell you it's a huge bug
A bug implies that a feature is not working as intended. This is more of an oversight. Still, if what you say is true, it doesn't seem acceptable.

#10 ChuckFinley

    Neowinian DOMINATING

  • 8,216 posts
  • Joined: 14-May 03

Posted 17 January 2012 - 19:46

Web user “sy1bzbn” explains:

What does this mean? It means if you were using the YMail app on your lost phone, then whoever has physical access to it can continue to READ, SEND, and REPLY. If you were using the YMessenger app, then that person can impersonate you until you signed into YMessenger elsewhere.

Isn't that stating the obvious? And I like how they say "Web User" haha as if they were some kind of Technology Expert lol

#11 +BudMan

    Neowinian Super Star

  • 22,053 posts
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 17 January 2012 - 22:03

Again I am not a yahoo user, but I think it's unfathomable to me that the user would not have the ability to REVOKE an application's access to their account?

On google for example

Attached Image: revokeaccess.jpg

I can see how there could be an issue with just changing your password does not revoke. User would not like the fact that every time they changed their password all applications lost access. That could be a nightmare. But you should be able to REVOKE their access.

But yeah change of email password not revoking application access to me would seem like a feature ;) Users would be dumbfounded why X no longer worked every time they changed their yahoo email password.

I don't see a major issue with that, IF the user can directly revoke access from said application via some method.

edit: ok quick google ;)
http://help.yahoo.co...reinfoapis.html

Changing Permissions If you previously granted a third-party application access to your data, you may revoke permissions at any time by visiting your Application Management page. Doing so might adversely affect the performance and functionality of installed applications if it requires access to your profile data.

Seems like to me you can revoke access whenever you want.

The above article says the user changed his password, he says nothing about actually revoking access.. So I would have to agree, like I said an application should not be revoked just because you changed your yahoo email password. That would be a big issue for lots and lots of users!!

edit2: I think I might try this, I know I can install yahoo on my blackberry -- I think I will give it a try. Because so far it seems like this article is pure scaremongering from what I can tell. No **** changing your password on your email should not revoke all applications access, why would anyone think that. And where did they read that from yahoo?

Ok created a yahoo account.. Logged in, then went to change my password - I don't see anything saying my applications access will be revoked?

Attached Image: revokeapplications.jpg

Now I have to leave - the beer after work is calling me ;) But while at the bar I will install yahoo on my phone. And then later I will revoke it and see what happens..

If you want to chat with me at the bar, my new yahoo account is mister.budman@yahoo.com ;)

#12 Guillaume B

    Guillaumeb

  • 945 posts
  • Joined: 11-August 03
  • Location: EU

Posted 17 January 2012 - 22:27

@ChuckFinley : "Isn't that stating the obvious? And I like how they say "Web User" haha as if they were some kind of Technology Expert lol"

And you think you are.... ?

@Budman : Again
I had Yahoo Messenger installed and running on the iPhone.
I quit the app
I changed my password
I got a message telling me that my third party application would not work

I check my iPhone=> Yahoo! Messenger still working

Also manually revoking access to 3rd party apps through the account notification would not do it.

I check my iPhone=> Yahoo! Messenger still working

Not sure how to make it clearer
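The two server-side events argued over in this thread (revoking one application, and changing the password) can be modelled as follows. This is an added example, not code from any poster or from Yahoo!: `TokenService`, the user and the app names are hypothetical, and `validate_naive` is only one assumed way the reported behaviour could arise, since the thread does not establish the cause.

```python
import secrets

class TokenService:
    """Hypothetical server-side store for app tokens (not Yahoo!'s design)."""

    def __init__(self):
        self.epoch = {}      # user -> counter bumped on every password change
        self.grants = set()  # (user, app) pairs the user currently authorizes
        self.tokens = {}     # token -> (user, app, epoch when issued)

    def issue(self, user, app):
        self.epoch.setdefault(user, 0)
        self.grants.add((user, app))
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, app, self.epoch[user])
        return token

    def change_password(self, user):
        self.epoch[user] = self.epoch.get(user, 0) + 1

    def revoke_app(self, user, app):
        self.grants.discard((user, app))

    def validate_naive(self, token):
        # Assumed weak check: the token exists, so the session continues.
        return token in self.tokens

    def validate(self, token):
        # Checked on every request, so a prompt dismissed on the device
        # cannot keep the session alive.
        record = self.tokens.get(token)
        if record is None:
            return False
        user, app, issued_epoch = record
        if (user, app) in self.grants and issued_epoch == self.epoch[user]:
            return True
        del self.tokens[token]  # stale token: force a fresh sign-in
        return False

def lost_phone_scenario():
    """Constructed scenario: one user, two devices, phone is lost."""
    svc = TokenService()
    phone = svc.issue("alice", "messenger-iphone")
    tablet = svc.issue("alice", "mail-tablet")
    svc.revoke_app("alice", "messenger-iphone")
    after_revoke = (svc.validate_naive(phone), svc.validate(phone),
                    svc.validate(tablet))
    svc.change_password("alice")
    after_change = (svc.validate_naive(tablet), svc.validate(tablet))
    return after_revoke, after_change

if __name__ == "__main__":
    print(lost_phone_scenario())
```

Per-app revocation leaves the other device working, while the password change invalidates every token issued before it; whether a password change should do that is the policy question BudMan raises in post #11.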

#13 +warwagon

    Only you can prevent forest fires.

  • 18,373 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 17 January 2012 - 22:52

Well you know what they say.

"What does Flem, and yahoo mail have in common"? They both get hacked!

#14 +BudMan

    Neowinian Super Star

  • 22,053 posts
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 18 January 2012 - 05:45

Again nowhere on the change password page does it say it's going to revoke anything??

I changed my yahoo account password, did not say anything about revoking my apps

here are my apps

Attached Image: appsyahoo.png

So after I changed my password on my Account I went back to my kindle fire - and says sign in required, and will not let me access my mail. No hitting cancel or backspace, etc.. did not let me in. So from my own testing so far is not matching up with what you're saying.

Here is me changing my password -- where are you saying you're getting told changing your password will revoke or break your applications?

Attached Image: nothingaboutrevoking.png

Now in the morning I will try it on my blackberry and see what happens with messenger app, wouldn't install on my KF but got a IMO app to work with yahoo, but I want to test actually chatting and contacts etc.. and then go in and test.

But so far changing password blocked access on my KF yahoo mail app, and I didn't even revoke access.

#15 Guillaume B

    Guillaumeb

  • 945 posts
  • Joined: 11-August 03
  • Location: EU

Posted 18 January 2012 - 08:24

@BudMan : "I changed my yahoo account password, did not say anything about revoking my apps"

Really ? ...I did the process again, here is what i get

Posted Image

I went back to my Yahoo! Messenger on the iPhone and here is what i get:

Posted Image

Now as stated before, all I have to do is to tap on this notification to continue using the application logged in with a different password (the previous one). And again, as stated before, I can reboot the phone or quit the application so that it's not running in the background... I'll still be able to use it. I have to manually sign out by going into the options as shown below:

Posted Image