Yammer will now restrict redirect URLs to the specific URL provided

This post has been republished via RSS; it originally appeared at: Yammer Blog articles.

During a recent security review, the Yammer team examined the redirect URL that apps use to send users from Yammer's Allow/Deny screen back into their app. The redirect URL setting determines where the authorizing user's OAuth access token is delivered, and in certain configurations it could be used to trick the user into revealing their credentials to a malicious party.
To prevent this, Yammer is changing its redirect URL validation: the redirect URL supplied in an authorization request must now match the URL registered for the app exactly, instead of being allowed to point at a subdomain of the registered domain. App developers whose callbacks currently land on a subdomain of their registered URL will need to register the exact redirect URL their app uses.
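To make the difference concrete, here is an added example (not Yammer's code) contrasting a subdomain-tolerant redirect check with the exact-match check the post describes. The registered URL, the sample requests, and the helper names are all constructed for illustration; the point generalizes to any OAuth authorization server that accepts a redirect URL from the client.

```python
from urllib.parse import urlsplit

# Constructed registered redirect URL for a hypothetical app (not a real Yammer app).
REGISTERED_REDIRECT = "https://app.example.com/oauth/callback"

_DEFAULT_PORTS = {"https": 443, "http": 80}


def _parts(url: str):
    """Normalise a URL into (scheme, host, port, path, query, fragment)."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = u.hostname or ""  # urlsplit already lowercases the host
    port = u.port if u.port is not None else _DEFAULT_PORTS.get(scheme)
    path = u.path or "/"
    return scheme, host, port, path, u.query, u.fragment


def loose_redirect_allowed(registered: str, requested: str) -> bool:
    """Subdomain-tolerant validation of the kind the post describes as being retired:
    any host under the registered domain is accepted, and the path is not checked."""
    r_scheme, r_host, *_ = _parts(registered)
    q_scheme, q_host, *_ = _parts(requested)
    if q_scheme != r_scheme:
        return False
    return q_host == r_host or q_host.endswith("." + r_host)


def strict_redirect_allowed(registered: str, requested: str) -> bool:
    """Exact-match validation: scheme, host, port and path must all equal the
    registered value, and the request may not add a query string or fragment."""
    r_scheme, r_host, r_port, r_path, _, _ = _parts(registered)
    q_scheme, q_host, q_port, q_path, q_query, q_fragment = _parts(requested)
    return (
        (q_scheme, q_host, q_port, q_path) == (r_scheme, r_host, r_port, r_path)
        and not q_query
        and not q_fragment
    )


# Constructed sample requests: the legitimate callback, an attacker-controlled
# subdomain under the app's domain, a look-alike domain, and a different path on
# the right host (for instance an open redirect on the app itself).
SAMPLE_REQUESTS = (
    "https://app.example.com/oauth/callback",
    "https://attacker-tenant.app.example.com/oauth/callback",
    "https://app.example.com.attacker.net/oauth/callback",
    "https://app.example.com/open-redirect?next=https://attacker.net",
)


def compare(registered: str = REGISTERED_REDIRECT, requests=SAMPLE_REQUESTS):
    """Return {requested_url: (loose_result, strict_result)} for each sample request."""
    return {
        u: (loose_redirect_allowed(registered, u), strict_redirect_allowed(registered, u))
        for u in requests
    }


if __name__ == "__main__":
    for url, (loose, strict) in compare().items():
        print(f"{url}\n  loose={loose}  strict={strict}")
```

The loose check lets a token reach any host an attacker can stand up under the app's domain, and any path on the legitimate host, which is exactly what an open redirect on the app would exploit; the strict check accepts only the registered callback, which is the behaviour the announcement describes.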
