YoAuth (yoauth.herokuapp.com)
130 points by ClifReeder on July 28, 2014 | 46 comments



Holy insecure demo batman

https://yoauth.herokuapp.com/authorize?redirect_to=http%3A%2...

And they want me to trust them with authentication?



The 2 hour product was doomed, but I've rewritten it enough to be secure.


Yo is useless and IMO anyone that has or will put money into it no longer has any credibility as an angel/VC. Yoauth actually is comparatively useful, but unfortunately Yo does not and never will have the critical mass to make anyone want to implement it as an authentication scheme. Twitter is a distant second to Facebook in the authentication space, and Yo is no Twitter.


To be fair, we don't know what goes on behind the scenes. Yo has simply proven that its creators are audacious enough, and good enough at marketing, to make something go viral. Perhaps they have other ideas, other business plans that are currently in stealth, and they're getting funding for them under the Yo umbrella. These are smart people investing in them, and Occam's Razor would seem to indicate that it's highly unlikely that the investors all got collective amnesia from head injuries and changed their vetting/due diligence strategies overnight.


The recurring excuse for the investment is "look at the engagement". Toilets have incredible engagement as well - billions of people use them multiple times per day - but we don't put millions of investment dollars into them. Well, maybe the people investing in Yo do, but most people don't.


Yes, and if you showed me impressive engagement and virality metrics for a toilet that had network effects and a plausible recurring revenue stream (ads), then I would definitely invest (of course no such toilet product exists - toilets don't have strong network effects and don't have a plausible recurring revenue stream in the form of ads).


> virality metrics for a toilet

Toilets: the only technology sector where there's a direct correlation between "input sanitization" and "virality metrics..."


The toilet is probably a bad comparison. Smart people are putting millions of dollars into improving them.

http://www.gatesfoundation.org/media-center/press-releases/2...


Don't get me wrong, the app is fairly ridiculous. Projects like this, though, help show what even the simplest of concepts can provide.

To be fair, I'm not sure how secure YoAuth would be, but this particular hack seems like an awesome use of it. It's simple to use and could compete alongside something like Google Authenticator as a simple way to log in to something.


I just saw a headline today that the company behind Yo released a new photo messaging app: http://thenextweb.com/apps/2014/07/28/makers-yo-back-new-mes...


I'm really glad this saw the light of day. So many people were criticizing Yo for being 'useless' and all that, instead of trying to think about what to create with it.


Much easier to berate than create.


Error: Invalid username

I see this string in the URL on the demo page so I'm not sure what this does.


Same here. I'm having a hard time understanding why I should use this. What's the benefit?


You need to use your Yo username.


Where is that explained anywhere in the user interface? Or perhaps in the title of the page? Or maybe the link title here?


Is it easy to "Yo" back someone if they're not in your contacts? On the android app I don't see how to do that.

Also, the security of this seems questionable.

There are other, more interesting uses of the yo API: https://medium.com/@YoAppStatus/yo-developers-api-e7f2f0ec5c...


The security is way beyond questionable.

Seriously, don't use this. (Alice tries to log in to Bob's account. Bob receives a yo. Bob yos back to be nice without knowing this is an oauth scheme. Alice now has access to Bob's account.)

But that's not to critique these guys, because I think this is a fantastic hackathon project!


As soon as AUTHYO yo-s you, it's popped to the top of your Yo friend list. So it's very quick to yo back.


Why does the user need to receive a Yo? Wouldn't it be better to ask users for their handle, and then tell them to Yo a specific account in 30 seconds? If it worked like that, yoauth couldn't be used for spam, nor could you Yo someone you know in order to get their credentials if they replied.
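
Added example, not part of the thread or of YoAuth's code: a minimal in-memory model of the two flows discussed above, the account takeover described a few comments up and the user-initiated alternative with a 30-second window. Class names, session labels and the collision rule are assumptions made for illustration.

```python
WINDOW = 30  # seconds, the figure suggested in the comment above

class PushApproval:
    """Criticised flow: the service Yos the claimed handle, and any Yo
    back from that handle approves whichever login is pending for it."""
    def __init__(self):
        self.pending = {}                      # handle -> waiting session

    def start_login(self, session, handle):
        self.pending[handle] = session         # handle now gets an unsolicited Yo

    def on_yo(self, sender):
        return self.pending.pop(sender, None)  # session that is now logged in

class UserInitiated:
    """Proposed flow: nothing is sent to the handle; the person logging in
    must Yo the service account within WINDOW seconds."""
    def __init__(self):
        self.pending = {}                      # handle -> (session, deadline)

    def start_login(self, session, handle, now):
        live = self.pending.get(handle)
        if live and now <= live[1]:
            # Added precaution (not from the thread): two live claims on one
            # handle cannot be told apart by a bare Yo, so cancel both.
            del self.pending[handle]
            return False
        self.pending[handle] = (session, now + WINDOW)
        return True

    def on_yo(self, sender, now):
        session, deadline = self.pending.pop(sender, (None, 0))
        return session if session and now <= deadline else None

def polite_reply_push():
    svc = PushApproval()
    svc.start_login("alice-browser", "BOB")    # Alice types Bob's handle
    return svc.on_yo("BOB")                    # Bob Yos back to be nice

def same_story_user_initiated():
    svc = UserInitiated()
    svc.start_login("alice-browser", "BOB", now=0)
    stale = svc.on_yo("BOB", now=300)          # Bob Yos much later: expired
    svc.start_login("bob-browser", "BOB", now=400)
    return stale, svc.on_yo("BOB", now=410)    # Bob's own login succeeds

if __name__ == "__main__":
    print(polite_reply_push())
    print(same_story_user_initiated())
```

The collision rule trades availability for safety: anyone who knows a handle can cancel that user's login attempt, so a real deployment would want a per-session value in the Yo (such as the link support mentioned elsewhere in the thread) instead.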


A friend and I built a similar service (also at the Yo hackathon) and what you mention is similar to the way we handled it. I don't think it's been publicly announced, but Yo can now receive links on iOS.

The service we built (http://yosesame.com) works by having you Yo YOSESAME, which signs you up if you aren't already and responds with a URL that logs you in right away. The way Yoauth approached it is interesting, but you're right it's a bit strange to have to receive a Yo.


The author of YoAuth (Bilawal) is one of the awesome student hackers helping to bring the hackathon movement to the UK. http://mlh.io/about/team#uk-team


Well, this certainly blows my yo-based Pomodoro Timer out of the water.



What if you enter someone else's Yo handle and the user naively Yos back? You will then access his account/data/whatever, I imagine.


So I can use your app to spam other people? Nice :)


I would recommend http://yofor.me/ for that


Even my non-developer friends think this is awesome.

Because it is.


Wow, I was also working on this exact thing... Even own www.yoauth.com and the 'YOAUTH' username on yo....

Glad someone made it a reality!


What if the user doesn't receive the Yo in time to authorize? Yos always seem to take a while to reach me.


<3 so much creativity out there.


I authenticated as authyo using two tabs. Super secure :)

It's a fun hack. Nicely done.


What is the point of this?


It lets you log into websites using Yo.


This doesn't answer the question! :p


Neither does going to justyo.co. :)


Plain http links? I suggest using TLS/SSL for any authentication platform. I know it's a quick hack, but you can quickly set up a secure proxy with Cloudflare.


Actually you don't even need that, *.herokuapp.com comes with https for free.


F! I was working on the same thing! Nice work!


What's the difference from oAuth?


an edit distance of 1


Upvoted for first instance of Levenshtein-related joke I've ever seen.


All of the other things you've seen have been Levenshtein yokes?


Fully agree, can safely assume I probably won't hear another ever again


this is history in the making right here fellas!



