Yammer will now restrict redirect URLs to the specific URL provided

Posted by Yammer Platform DL, 2018-12-05


During a recent security review, the Yammer team investigated a change to the redirect URL that apps use to send users from Yammer's Allow/Deny screen back into their app. The redirect URL setting lets app developers determine where the authorizing OAuth user's access token is sent, and in certain configurations it could be used to trick the user into revealing their credentials to a malicious party.

To prevent this, Yammer has decided to change the redirect URL validation so that only one domain can be redirected to, rather than allowing the redirect URL in the request to specify subdomains.
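As an added illustration (not Yammer's code; Yammer's actual validator is not shown on this page), here is a minimal Python comparison of the two validation rules the announcement contrasts: a subdomain-tolerant match of the registered redirect URL versus an exact, component-by-component match. The registered URL and the candidate redirect URLs are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample registration; not a real Yammer app or URL.
REGISTERED_REDIRECT = "https://app.example.com/oauth/callback"
_DEFAULT_PORTS = {"http": 80, "https": 443}

def _normalize(uri):
    """Components an authorization server should compare: (scheme, host, port, path, query).
    Scheme and host are lower-cased, the default port is filled in, empty path becomes "/".
    """
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else _DEFAULT_PORTS.get(scheme)
    return scheme, (p.hostname or "").lower(), port, (p.path or "/"), p.query

def loose_redirect_ok(registered, requested):
    """The subdomain-tolerant rule the announcement retires: any host equal to the
    registered host or a subdomain of it passes, and path and query are not compared.
    """
    r, q = _normalize(registered), _normalize(requested)
    host_ok = q[1] == r[1] or q[1].endswith("." + r[1])
    return q[0] == r[0] and q[2] == r[2] and host_ok

def strict_redirect_ok(registered, requested):
    """Exact-match rule: every compared component must equal the registered value, and
    the request may not carry a fragment (RFC 6749 section 3.1.2 forbids one).
    """
    if urlsplit(requested).fragment:
        return False
    return _normalize(requested) == _normalize(registered)

def compare_rules(registered, candidates):
    """Map each candidate redirect_uri to (loose_result, strict_result)."""
    return {c: (loose_redirect_ok(registered, c), strict_redirect_ok(registered, c))
            for c in candidates}

# Constructed candidates: the registered URI plus variants an exact-match rule must reject.
CANDIDATES = [
    REGISTERED_REDIRECT,
    "https://APP.example.com:443/oauth/callback",    # same URI, different spelling
    "https://other.app.example.com/oauth/callback",  # subdomain: loose accepts, strict rejects
    "https://app.example.com/oauth/callback/extra",  # different path: loose ignores it
    "http://app.example.com/oauth/callback",         # downgraded scheme: both reject
]

if __name__ == "__main__":
    for uri, (loose, strict) in compare_rules(REGISTERED_REDIRECT, CANDIDATES).items():
        print(f"{uri:48} loose={loose!s:5} strict={strict}")
```

The strict rule also rejects a redirect URL that merely adds a fragment, which the loose rule never inspects.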