45
submitted 4 months ago* (last edited 4 months ago) by itappearsthat@hexbear.net to c/technology@hexbear.net

EDIT: Not a scam, see git's comment below.

So I downloaded the No Thanks app, which claims to be a barcode scanner app to tell you whether a product is BDS-compliant. I heard about it after it made the rounds under the narrative of "zionists are mobbing this app with bad reviews saying it's a scam, download it and leave a positive review!"

However, after using it I suspect it might actually be a scam app. Here's why: if you scan a product it tells you whether it's on a boycott list or not. If it isn't on a boycott list, you have the option to press a button to tell them it should be. Then the possible scam kicks in: it pops open a browser window taking you to the gmail web login. Not OAuth, not opening the system mail app with a template mail, straight to the gmail web login screen where you are expected to input your username + password + 2FA. I got all the way to putting in my username + password before being prompted for 2FA and realizing what I was doing was fucking stupid. Changed my gmail password immediately afterward.

Does anybody have any info on whether this thing is legit? It seems like it would make a pretty obvious zionist astroturfing target. Also I scanned a container of tahini that literally said "Product of Israel" on the side and it said it was fine (which precipitated the above sequence of events).

all 7 comments
sorted by: hot top controversial new old
[-] Barx@hexbear.net 15 points 4 months ago

How did you distinguish it from OAuth2? The browser it pops up in may not be one into which you're already logged in, in which case you saw what I would expect to see. Google's (dangerous) OAuth2 UX will first prompt you to login with a generic login page and only then ask if you want to share info with the third party.

However, requiring a Google login is sus for anything that could be sensitive, including a BDS campaign. It will share Google account info of whoever filled out that OAuth2 prompt with whatever service they are using. Might be a Google Form for their own account, might be some third party, who knows. Very bad practice.

[-] itappearsthat@hexbear.net 2 points 4 months ago* (last edited 4 months ago)

Hmm, good point. I will try logging in with an unused gmail address to see what happens. I have gmail logged in in the app though so they should be able to use that right?

[-] Barx@hexbear.net 2 points 4 months ago

Depends! App developers can screw up many things

[-] git@hexbear.net 7 points 4 months ago

The developer is a Palestinian, so I highly doubt it.

Here’s what’s actually happening:

If your OS lets you re-open the link in your regular signed in browser you’ll see that it reuses your session and then you can see the form. There’s nothing nefarious happening here.

[-] itappearsthat@hexbear.net 3 points 4 months ago

Good analysis, thank you!

[-] someone@hexbear.net 5 points 4 months ago

I don 't think it's a scam, but it's a great way for the developers to build a huge database of customer habits that they can sell to marketing companies.

this post was submitted on 06 Jul 2024
45 points (100.0% liked)

technology

23313 readers
151 users here now

On the road to fully automated luxury gay space communism.

Spreading Linux propaganda since 2020

Rules:

founded 4 years ago
MODERATORS