

YoAuth - ClifReeder
http://yoauth.herokuapp.com/

======
MasterScrat
Holy insecure demo, Batman

[https://yoauth.herokuapp.com/authorize?redirect_to=http%3A%2...](https://yoauth.herokuapp.com/authorize?redirect_to=http%3A%2F%2Fyoauth.herokuapp.com%2Ftest.html&username='><MARQUEE>XSS</MARQUEE><!--)

And they want me to trust them with authentication?

~~~
mrThe
[https://yoauth.herokuapp.com/authorize?redirect_to=http://yo...](https://yoauth.herokuapp.com/authorize?redirect_to=http://yoauth.herokuapp.com/test.html%27%3E%3Ch1%3EXSS%3C/h1%3E)
And here too.

------
downandout
Yo is useless and IMO anyone who has put or will put money into it no longer has
any credibility as an angel/VC. Yoauth actually is comparatively useful, but
unfortunately Yo does not and never will have the critical mass to make anyone
want to implement it as an authentication scheme. Twitter is a distant second
to Facebook in the authentication space, and Yo is no Twitter.

~~~
btown
To be fair, we don't know what goes on behind the scenes. Yo has simply proven
that its creators are audacious enough, and good enough at marketing, to make
something go viral. Perhaps they have other ideas, other business plans that
are currently in stealth, and they're getting funding for them under the Yo
umbrella. These are smart people investing in them, and Occam's Razor would
seem to indicate that it's highly unlikely that the investors all got
collective amnesia from head injuries and changed their vetting/due diligence
strategies overnight.

~~~
downandout
The recurring excuse for the investment is "look at the engagement". Toilets
have incredible engagement as well - billions of people use them multiple
times per day - but we don't put millions of investment dollars into them.
Well, maybe the people investing in Yo do, but most people don't.

~~~
argonaut
Yes, and if you showed me impressive engagement and virality metrics for a
toilet that had network effects and a plausible recurring revenue stream
(ads), then I would definitely invest (of course no such toilet product exists
- toilets don't have strong network effects and don't have a plausible
recurring revenue stream in the form of ads).

~~~
btown
> virality metrics for a toilet

Toilets: the only technology sector where there's a direct correlation between
"input sanitization" and "virality metrics..."

------
underyx
I'm really glad this saw the light of day. So many people were criticizing Yo
for being 'useless' and all that, instead of trying to think about what to
create with it.

~~~
angilly
Much easier to berate than create.

------
sergiotapia
Error: Invalid username

I see this string in the URL on the demo page, so I'm not sure what this does.

~~~
freerobby
You need to use your Yo username.

~~~
McGlockenshire
Where is that explained anywhere in the user interface? Or perhaps in the
title of the page? Or maybe the link title here?

------
dergachev
Is it easy to "Yo" back someone if they're not in your contacts? On the
android app I don't see how to do that.

Also, the security of this seems questionable.

There are other, more interesting uses of the yo API:
[https://medium.com/@YoAppStatus/yo-developers-api-e7f2f0ec5c...](https://medium.com/@YoAppStatus/yo-developers-api-e7f2f0ec5c3c)

~~~
nostromo
The security is way beyond questionable.

Seriously, don't use this. (Alice tries to log in to Bob's account. Bob
receives a Yo. Bob Yos back to be nice without knowing this is an OAuth
scheme. Alice now has access to Bob's account.)

But that's not to critique these guys, because I think this is a fantastic
hackathon project!

------
rdvrk
Why does the user need to receive a Yo? Wouldn't it be better to ask users for
their handle, and then tell them to Yo a specific account in 30 seconds? If it
worked like that, yoauth couldn't be used for spam, nor could you Yo someone
you know in order to get their credentials if they replied.

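A constructed model of the two flows discussed in nostromo's comment above and in the comment just above this one, added here as an illustration (not YoAuth's code or anything from the thread). The session names, the fixed SERVICE account and the rule that two live requests for the same handle are both discarded are my own assumptions.

```python
import time

WINDOW_SECONDS = 30  # the "30 seconds" window proposed above

class InboundReplyAuth:
    """As the thread describes YoAuth: any Yo back from the claimed handle counts."""
    def __init__(self):
        self.pending = {}  # claimed handle -> session that asked for it

    def start_login(self, session, claimed_handle):
        # Simulated Yo to claimed_handle; nothing proves `session` owns it.
        self.pending[claimed_handle] = session

    def on_yo_from(self, sender):
        # A polite "Yo back" is indistinguishable from consent.
        return self.pending.pop(sender, None)  # -> session now logged in

class OutboundChallengeAuth:
    """rdvrk's alternative: the user must Yo SERVICE within WINDOW_SECONDS."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock  # injectable so the window can be exercised
        self.pending = {}   # session -> (handle, deadline)

    def start_login(self, session, handle):
        self.pending[session] = (handle, self.clock() + WINDOW_SECONDS)
        return f"Yo SERVICE from @{handle} within {WINDOW_SECONDS}s"

    def on_yo_from(self, sender):
        now = self.clock()
        self.pending = {s: v for s, v in self.pending.items() if v[1] > now}
        matches = [s for s, (h, _) in self.pending.items() if h == sender]
        # Two live requests for one handle cannot be told apart by a bare Yo,
        # so both are discarded rather than guessed at (assumed policy).
        for s in matches:
            del self.pending[s]
        return matches[0] if len(matches) == 1 else None

def demo():
    a = InboundReplyAuth()
    a.start_login("alice-session", "bob")   # Alice claims Bob's handle
    hijacked = a.on_yo_from("bob")          # Bob Yos back to be nice
    now = [0.0]
    b = OutboundChallengeAuth(clock=lambda: now[0])
    b.start_login("alice-session", "bob")   # Alice claims Bob's handle again
    now[0] += WINDOW_SECONDS + 1             # ...but Bob never Yos SERVICE
    expired = b.on_yo_from("bob")
    b.start_login("bob-session", "bob")     # Bob logs himself in
    now[0] += 5
    legitimate = b.on_yo_from("bob")
    return hijacked, expired, legitimate    # ("alice-session", None, "bob-session")
```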
~~~
dustincoates
A friend and I built a similar service (also at the Yo hackathon) and what you
mention is similar to the way we handled it. I don't think it's been publicly
announced, but Yo can now receive links on iOS.

The service we built ([http://yosesame.com](http://yosesame.com)) works by
having you Yo YOSESAME, which signs you up if you aren't already and responds
with a URL that logs you in right away. The way Yoauth approached it is
interesting, but you're right, it's a bit strange to have to receive a Yo.

------
theyCallMeSwift
The author of YoAuth (Bilawal) is one of the awesome student hackers helping
to bring the hackathon movement to the UK.
[http://mlh.io/about/team#uk-team](http://mlh.io/about/team#uk-team)

------
thebrettd
Well, this certainly blows my yo-based Pomodoro Timer out of the water.

------
reddog9287
You can see a demo here!
[https://www.hackerbracket.com/hacks/show/53d448e3dfb586b54fa...](https://www.hackerbracket.com/hacks/show/53d448e3dfb586b54fab6c44)

------
fndrplayer13
Even my non-developer friends think this is awesome.

Because it is.

------
dsyko
Wow, I was also working on this exact thing... I even own www.yoauth.com and the
'YOAUTH' username on Yo....

Glad someone made it a reality!

------
geoffreyy
What if you enter someone else's Yo handle and the user naively Yos back? You
will then access his account/data/whatever, I imagine.

------
icebraining
So I can use your app to spam other people? Nice :)

~~~
meandave
I would recommend [http://yofor.me/](http://yofor.me/) for that.

------
notduncansmith
What if the user doesn't receive the Yo in time to authorize? Yos always seem
to take a while to reach me.

------
msfty
I authenticated as authyo using two tabs. Super secure :)

It's a fun hack. Nicely done.

------
angilly
<3 so much creativity out there.

------
mousetree
What is the point of this?

~~~
angilly
It lets you log into websites using Yo.

~~~
hayd
This doesn't answer the question! :p

~~~
zszugyi
Neither does going to justyo.co. :)

------
mmahemoff
Plain http links? I suggest using TLS/SSL for any authentication platform. I
know it's a quick hack, but you can quickly set up a secure proxy with
Cloudflare.

~~~
pauldino
Actually you don't even need that, *.herokuapp.com comes with https for free.

------
edoceo
F! I was working on the same thing! Nice work!

~~~
thomasreggi
What's the difference from OAuth?

~~~
haaaaaaryf
An edit distance of 1.

~~~
georgemcbay
Upvoted for first instance of Levenshtein-related joke I've ever seen.

~~~
benchin
Fully agree, can safely assume I probably won't hear another ever again.

~~~
tomphoolery
This is history in the making right here, fellas!

