Yammer will now restrict redirect URLs to the specific URL provided

In the past any subdomains of the parent URL would work, but this could be taken advantage of by a malicious party.
Microsoft

During a recent security review, the Yammer team investigated changing the redirect URL that apps use to send users from Yammer's Allow/Deny screen back into their app. The redirect URL setting lets app developers decide where the authorizing OAuth user's access token is sent, and in certain configurations it could be used to trick the user into revealing their credentials to a malicious party.
To prevent this, Yammer has decided to change the redirect URL validation so that only the one domain registered for the app can be redirected to, rather than allowing the redirect URL to specify other subdomains during the request.
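To make the change concrete, here is an added example (not Yammer's code; the registered callback path is a hypothetical value, and the apples/oranges hosts are the ones the thread quotes from the documentation) that puts the old subdomain-permissive match beside the exact match the announcement describes. The strict version compares scheme, host, port and path after normalisation and refuses a redirect target that carries credentials or a fragment.

```python
from urllib.parse import urlsplit

# Constructed sample: the redirect URL an app developer registered.
# The host comes from the documentation quoted in the thread; the path is hypothetical.
REGISTERED_REDIRECT = "https://apples.contoso.com/oauth/callback"


def _normalize(url: str):
    """Split a URL into the parts that matter for redirect matching.

    Scheme and host are case-insensitive, and a default port is made explicit
    so that 'https://h/' and 'https://h:443/' compare equal.
    """
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port or {"https": 443, "http": 80}.get(scheme)
    path = p.path or "/"
    return scheme, host, port, path, p.username, p.fragment


def permissive_redirect_ok(registered: str, requested: str) -> bool:
    """Old-style check from the announcement: any subdomain of the registered
    URL's parent domain is accepted. Kept only to show what the strict rule closes."""
    r_scheme, r_host, *_ = _normalize(registered)
    q_scheme, q_host, *_ = _normalize(requested)
    # apples.contoso.com -> contoso.com
    parent = r_host.split(".", 1)[1] if "." in r_host else r_host
    return q_scheme == r_scheme and (q_host == r_host or q_host.endswith("." + parent))


def strict_redirect_ok(registered: str, requested: str) -> bool:
    """New-style check: the requested redirect must match the registered URL
    exactly on scheme, host, port and path, with no userinfo or fragment."""
    r = _normalize(registered)
    q = _normalize(requested)
    if q[4] is not None or q[5]:
        return False
    return r[:4] == q[:4]


def check(requested: str) -> dict:
    """Evaluate one requested redirect against the registered URL under both rules."""
    return {
        "permissive": permissive_redirect_ok(REGISTERED_REDIRECT, requested),
        "strict": strict_redirect_ok(REGISTERED_REDIRECT, requested),
    }


if __name__ == "__main__":
    # Constructed requests: the registered URL, a case/port variant of it,
    # a sibling subdomain, and a scheme downgrade.
    for url in [
        "https://apples.contoso.com/oauth/callback",
        "https://APPLES.contoso.com:443/oauth/callback",
        "https://oranges.contoso.com/oauth/callback",
        "http://apples.contoso.com/oauth/callback",
    ]:
        print(f"{url:50} {check(url)}")
```

Under the permissive rule the sibling host oranges.contoso.com passes, which is exactly the case the documentation now rejects; under the strict rule only the registered URL (and harmless normalisation variants of it) is accepted. Exact matching of the whole registered URL, rather than host-only or suffix matching, is also what the OAuth 2.0 security guidance recommends for redirect URIs.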

3 Comments
Occasional Visitor

Nice to hear!!

Occasional Visitor

Hi David,

Could you link me to the relevant updated technical documentation reflecting this change please?

Kind regards,

Conor

Microsoft

Conor,

The changes were made on the developer doc site in the section App Registration under Basic Info.

The essential line is:

5) You must be specific about the subdomain of the URL. Yammer will not redirect to other subdomains. For example, if you provide https://apples.contoso.com, Yammer will not allow redirects to https://oranges.contoso.com.

https://developer.yammer.com/docs/app-registration

David