submitted 3 months ago* (last edited 3 months ago) by itappearsthat@hexbear.net to c/technology@hexbear.net

EDIT: Not a scam, see git's comment below.

So I downloaded the No Thanks app, which claims to be a barcode scanner app to tell you whether a product is BDS-compliant. I heard about it after it made the rounds under the narrative of "zionists are mobbing this app with bad reviews saying it's a scam, download it and leave a positive review!"

However, after using it I suspect it might actually be a scam app. Here's why: if you scan a product it tells you whether it's on a boycott list or not. If it isn't on a boycott list, you have the option to press a button to tell them it should be. Then the possible scam kicks in: it pops open a browser window taking you to the gmail web login. Not OAuth, not opening the system mail app with a template mail, straight to the gmail web login screen where you are expected to input your username + password + 2FA. I got all the way to putting in my username + password before being prompted for 2FA and realizing what I was doing was fucking stupid. Changed my gmail password immediately afterward.

Does anybody have any info on whether this thing is legit? It seems like it would make a pretty obvious zionist astroturfing target. Also I scanned a container of tahini that literally said "Product of Israel" on the side and it said it was fine (which precipitated the above sequence of events).

all 7 comments
[-] Barx@hexbear.net 15 points 3 months ago

How did you distinguish it from OAuth2? The browser it pops up in may not be one into which you're already logged in, in which case you saw what I would expect to see. Google's (dangerous) OAuth2 UX will first prompt you to login with a generic login page and only then ask if you want to share info with the third party.

However, requiring a Google login is sus for anything that could be sensitive, including a BDS campaign. It will share Google account info of whoever filled out that OAuth2 prompt with whatever service they are using. Might be a Google Form for their own account, might be some third party, who knows. Very bad practice.
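
Barx's distinction between a bare Google sign-in page and a Google OAuth2 authorization flow can be checked from the URL shown in the browser's address bar before typing anything. The following is an added example, not code from this thread or from the No Thanks app: the accounts.google.com host and /o/oauth2/... paths are Google's documented authorization endpoint, and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Google's documented OAuth 2.0 authorization endpoint; the rest of this file is illustrative.
GOOGLE_AUTH_HOST = "accounts.google.com"
GOOGLE_AUTH_PATHS = {"/o/oauth2/v2/auth", "/o/oauth2/auth"}
REQUIRED_PARAMS = {"client_id", "redirect_uri", "response_type", "scope"}


def classify_login_url(url: str) -> dict:
    """Say what kind of page a URL handed to the browser is shaped like.

    verdict is one of:
      'oauth2_consent'        Google OAuth2 authorize request (login, then consent screen)
      'google_login_no_oauth' real Google sign-in, but no third-party consent step
      'not_google'            host is not accounts.google.com (look-alike, userinfo trick)
      'insecure'              not https
    Inspecting the URL cannot prove a page is safe; it only shows whether the
    page is even a Google OAuth2 request rather than a bare credential prompt.
    """
    p = urlparse(url)
    if p.scheme != "https":
        return {"verdict": "insecure", "reasons": ["not served over https"]}
    # .hostname drops userinfo and port, so 'accounts.google.com@evil.test' fails here
    if p.hostname != GOOGLE_AUTH_HOST:
        return {"verdict": "not_google",
                "reasons": [f"host is {p.hostname!r}, not {GOOGLE_AUTH_HOST!r}"]}
    if p.path not in GOOGLE_AUTH_PATHS:
        return {"verdict": "google_login_no_oauth",
                "reasons": [f"path {p.path!r} is not the OAuth2 authorize endpoint"]}
    q = parse_qs(p.query)
    missing = sorted(REQUIRED_PARAMS - q.keys())
    if missing:
        return {"verdict": "google_login_no_oauth",
                "reasons": ["authorize endpoint but missing " + ", ".join(missing)]}
    # Mobile apps legitimately use custom-scheme redirect URIs, so only report it.
    return {"verdict": "oauth2_consent",
            "reasons": [f"client {q['client_id'][0]} receives a {q['response_type'][0]} "
                        f"for scope(s) {q['scope'][0]!r} at {q['redirect_uri'][0]}"]}

# Constructed sample URLs (not taken from the app under discussion).
LEGIT_OAUTH = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=123.apps.googleusercontent.com"
               "&redirect_uri=https%3A%2F%2Fexample.test%2Fcb&response_type=code&scope=email")
PLAIN_LOGIN = "https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Fdocs.google.com%2Fforms%2FEXAMPLE"
LOOKALIKE = "https://accounts.google.com.signin-check.test/o/oauth2/v2/auth?client_id=1&redirect_uri=x&response_type=code&scope=email"
USERINFO_TRICK = "https://accounts.google.com@signin-check.test/ServiceLogin"

if __name__ == "__main__":
    for u in (LEGIT_OAUTH, PLAIN_LOGIN, LOOKALIKE, USERINFO_TRICK):
        print(classify_login_url(u)["verdict"], "<-", u)
```

A 'google_login_no_oauth' result matches what the original post describes: a genuine Google page, but one where only a later redirect (here a Google Form) tells you who ends up with your data.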

[-] itappearsthat@hexbear.net 2 points 3 months ago* (last edited 3 months ago)

Hmm, good point. I will try logging in with an unused gmail address to see what happens. I have gmail logged in in the app though so they should be able to use that right?

[-] Barx@hexbear.net 2 points 3 months ago

Depends! App developers can screw up many things

[-] git@hexbear.net 7 points 3 months ago

The developer is a Palestinian, so I highly doubt it.

Here’s what’s actually happening:

If your OS lets you re-open the link in your regular signed in browser you’ll see that it reuses your session and then you can see the form. There’s nothing nefarious happening here.

[-] itappearsthat@hexbear.net 3 points 3 months ago

Good analysis, thank you!

[-] someone@hexbear.net 5 points 3 months ago

I don't think it's a scam, but it's a great way for the developers to build a huge database of customer habits that they can sell to marketing companies.

this post was submitted on 06 Jul 2024
45 points (100.0% liked)