Huge Yahoo! authentification security bug

[Gee.B]

A huge bug has been discovered in Yahoo! authentification mechanism affecting third party applications, even those created by Yahoo!A member of the Yahoo! Mail Group has discovered that people having connected third party applications may have a problem if they lose their smartphone. Indeed, despite what Yahoo says, changing the password will not be enough. This will not totally revok access to those third party applications.

Explanations :

Someone using Yahoo! services and owning a smartphone may have have installed the Yahoo Mail application for Android, Yahoo! Messenger on Android and iOS or the Yahoo! Mobile application. Even though those have been developed by Yahoo! those are considered as third party applications just like Yahoo! Messenger for Mac OS X or web services inviting you to connect with your Yahoo! ID like Facebook or Twitterfeed.

Should that person lose his smartphone, he may go ahead and change his Yahoo! password so that no one can actually dig into the address book or read his email. Upon password change, Yahoo! mentions that third party applications access will be revoked, but in truth, the lost/stolen smartphone is not safer that before.

Web user ?sy1bzbn? explains:

What does this mean? It means if you were using the YMail app on your lostphone, then whoever has physical access to it can continue to READ, SEND, and REPLY. If you were using the YMessenger app, then that person can impersonate you until you signed into YMessenger elsewhere.

I myself tested this on the iPhone. After changing my password, a pop-up alerted me that a new authentification was necessary but I could simply tap on it to make it disappear and continue using the Yahoo! Messenger application. I was able to send messages, receive IM notifications, browse my contacts and see who was connected. People?s online status were properly updated live. In fact, I was able to access Yahoo! Messenger, even after rebooting the phone!

The connection was permanently maintained and one has to manually dig into the application options to turn it off. In fact I was able to connect both on my iPhone and on Yahoo! Mail Messenger with the updated password. Two instances were running and the conversations were updating on both screen. Remember ; the two sessions had two different passwords! Only the Yahoo! Voice calls failed to go through.That?s pretty bad for Yahoo!

Source : Clubic.com (French) - translated on Streamlog

[nitins60]

Let yahoo die soon. the worst thing is, they are not really trying to live up like RIM

[ANON86364]

Authentification??

[+BudMan MVC]

if you had an application installed that had access to your account from your mobile device - and you lost one or more of your mobile devices, wouldn't you for starters report the phone lost/stolen and it would be disabled by your phone carrier?

Also wouldn't you just with common sense revoke said applications access to your account? Are you saying the user does not have the ability to revoke applications access to their account once given?

Not a yahoo user myself, but I would think you would have to have the ability to revoke applications access to your account whenever you deemed it fitting.

It does seem like an issue sure - but seems some common sense security measures would clearly mitigate the issue. I would have to think that once it has been pointed to yahoo that they would correct such a flaw posthaste?

[Aethec]

Authentification??

It's the French word - the correct English word is "authentication".

[Gutierrez]

no one cares because no one use yahoo anymore.

[ANON86364]

It's the French word - the correct English word is "authentication".

(Y)

[Gee.B]

@Budman no indeed you cannot really revoked access to those third party apps. Even if you dig in your Yahoo! account and revoke those access + change your password... someone finding your phone will still be able to use those applications with your ID. Those applications need to be manually logged out from the phone...

You tell me it's feature ? i tell you it's a huge bug

[ANON86364]

You tell me it's feature ? i tell you it's a huge bug

A bug implies that a feature is not working as intended. This is more of an oversight. Still, if what you say is true, it doesn't seem acceptable.

[+John Teacake MVC]

Web user ?sy1bzbn? explains:

What does this mean? It means if you were using the YMail app on your lostphone, then whoever has physical access to it can continue to READ, SEND, and REPLY. If you were using the YMessenger app, then that person can impersonate you until you signed into YMessenger elsewhere.

Isnt that stating the obvious. and I like how they say "Web User" haha as if they were some kind of Technology Expert lol

[+BudMan MVC]

Again I am not a yahoo user, but I think its unfathomable to me that the user would not have the ability to REVOKE an applications access to their account?

On google for example

I can see how there could be an issue with just changing your password does not revoke. User would not like the fact that every time they changed their password all applications lost access. That could be a nightmare. But you should be able to REVOKE their access.

But yeah change of email password not revoking application access to me would seem like a feature ;) Users would be dumbfounded why X no longer worked every time they changed their yahoo email password.

I don't see a major issue with that, IF the user can directly revoke access from said application via some method.

edit: ok quick google ;)

http://help.yahoo.com/l/us/yahoo/developer/moreinfo/moreinfoapis.html

Changing Permissions If you previously granted a third-party application access to your data, you may revoke permissions at any time by visiting your Application Management page. Doing so might adversely affect the performance and functionality of installed applications if it requires access to your profile data.

Seems like to me you can revoke access whenever you want.

The above article says the user changed his password, he says nothing about actually revoking access.. So I would have to agree, like I said an application should not be revoked just because you changed your yahoo email password. That would be a big issue for lots and lots of users!!

edit2: I think I might try this, I know I can install yahoo on my blackberry -- I think I will give it a try. Because sofar it seems like this article is pure scaremongering from what I can tell. No **** changing your password on your email should not revoke all applications access, why would anyone think that. And where did they read that from yahoo?

Ok created an yahoo account.. Logged in, then when to change my password - I don't see anything saying my applications access will be revoked?

Now I have to leave - the beer after work is calling me ;) But while at the bar I will install yahoo on my phone. And then later I will revoke it and see what happens..

If you want to chat with me at the bar, my new yahoo account is [email protected] ;)

[Gee.B]

@ChuckFinley : "Isnt that stating the obvious. and I like how they say "Web User" haha as if they were some kind of Technology Expert lol"

And you think you are.... ?

@Budman : Again

I had Yahoo Messenger installed and running on the iPhone.

I quit the app

I changed my password

I got a message telling me that my third party application would not work

I check my iPhone=> Yahoo! Messenger still working

Also manually revoking access to 3rd party apps through the account notification would not do it.

I check my iPhone=> Yahoo! Messenger still working

Not sure how to make it clearer

[+Warwagon MVC]

Well you know what they say.

"What does Flem, and yahoo mail have in common"? They both get hacked!

[+BudMan MVC]

Again no where on the change password page does it say its going to revoke anything??

I changed my yahoo account password, did not say anything about revoking my apps

here are my apps

So after I changed my password on my Account I went back to my kindle fire - and says sign in required, and will not let me access my mail. No hitting cancel or backspace, etc.. did not let me in. So from my own testing so far is not matching up with what your saying.

Here is me changing my password -- where are you saying your getting told changing your password will revoke or break your applications?

Now in the morning I will try it on my blackberry and see what happens with messenger app, wouldn't install on my KF but got a IMO app to work with yahoo, but I want to test actually chatting and contacts etc.. and then go in and test.

But so far changing password blocked access on my KF yahoo mail app, and I didn't even revoke access.

[Gee.B]

@BudMan : "I changed my yahoo account password, did not say anything about revoking my apps"

Really ? ...I did the process again, here is what i get

I went back to my Yahoo! Messenger on the iPhone and here is what i get:

Now as stated before, all i have to do is to tap on this notification to continue using the application logged in with a different password (the previous one). And again, as stated before, i can reboot the phone or quit the application so that it's not running in the background... i'll still be able to use it. I have to manually sign out byt going into the options at shown below :

[+BudMan MVC]

What is "Yahoo! Go Phone" -- I do not think that is the messenger app your using. Which I see here and doesn't seem like its called that

http://itunes.apple....d309219097?mt=8

So ok it revoked app A, does not mean app B will not still work.. Like I said changing your password should really not revoke apps.

I went to go check my blackberry this morning - and it seems our IT dept has blocked by policy messenger ;) Other yahoo app I found was just a mobile frontend not really an app. Wait til my son wakes up and will try on his phone, I know he uses yahoo messenger..

Dude sorry what I am seeing is not matching up with what your saying.. Now go into your apps, see that link there and do you see a messenger link. Revoke THAT, now does you messenger work on your phone?

[Gee.B]

Well, anyways, I contacted Yahoo! Security a few days ago and they came back to me saying that in some cases they found no problem and in other cases they were able to replicate the problem. I was told that they were working on a fix. That's the good news for Yahoo! users i guess :)

Not sure how this is gonna be deployed. Either though an app update or on their server side...

[+BudMan MVC]

Please post said email, because to be honest I find it unlikely that they would contact you in a couple of days and admit to such an issue so openly.

[Gee.B]

You find it "unlikely". Seriously, who do you think you are to judge each of my posts like this ?

if I tell this happened, then this happened.

But then you know what. i could as well say that i don't believe what you said earlier. You just photoshoped images and invented a story as well.

It was not an email it was a phone call.

You want to see the previous warning i sent to them ? Sure. Do you read French? here is the first reply

http://img814.images...2789/emailf.jpg

Have fun

I work as a journalist and this French Yahoo! PR contacted Yahoo Security EMEA and Sunnyvale and call me back at lunch time

Do you also want her phone number to check ? Cause i can give it to you if you're still skeptical ? You wanna call her? Let me know i'll PM you her number but then you better record your phone conversation.

[+BudMan MVC]

Dude I am not judging your posts, I am just saying I could not duplicate anything you were saying.

You post something that could be seen as pure SCARE MONGERING and yahoo bashing -- ie their security is flawed.

Your tests should be very easy for someone to duplicate -- I don't see anyone here in this thread saying they could duplicate your example. Seem I was the only one even attempting to verify your statements. And from my test they did not hold water - sorry!

So have you actually went in and revoked access to messenger?

I really shouldn't have to repeat myself that changing a password does not mean applications that you have given access to should be revoked from said access.

Your post of Go Yahoo when you changed your passed -- that does not seem like "messenger" to me.

So post up your applications -- I posted mine showing messenger and mail applications having access. And all I had to do was change my password and email on my KF instantly required password to re access. But to be honest I should really have to revoke the access directly to cause what it did.

So actually Revoke messanger application from having access and then lets see your access and there might be something to talk about.

You have not shown anything backing up your claim that makes sense, and then you say you contacted Yahoo and they got back to you saying that they duplicated your issue some times, in 2 days they lab this out and got back to you -- come on dude how can someone not be skeptical at such claims.

[Gee.B]

Again what do you not understand here?

YES i did manually revok those applications and YES again, described in the first post, i was able to access Y! Messenger after that

Yahoo Go Phone is a former java-based Yahoo Mobile app. It is immediately added to my Yahoo account when first signing Yahoo! Messenger on the iPhone which means that Yahoo Go became Yahoo! Messenger

And this is precisely written by the web user in the link i mention in my 1st post.

http://groups.yahoo.com/group/Y-Mail/message/22692