EDIT: Not a scam, see git’s comment below.
So I downloaded the No Thanks app, which claims to be a barcode scanner app to tell you whether a product is BDS-compliant. I heard about it after it made the rounds under the narrative of “zionists are mobbing this app with bad reviews saying it’s a scam, download it and leave a positive review!”
However, after using it I suspect it might actually be a scam app. Here’s why: if you scan a product it tells you whether it’s on a boycott list or not. If it isn’t on a boycott list, you have the option to press a button to tell them it should be. Then the possible scam kicks in: it pops open a browser window taking you to the gmail web login. Not OAuth, not opening the system mail app with a template mail, straight to the gmail web login screen where you are expected to input your username + password + 2FA. I got all the way to putting in my username + password before being prompted for 2FA and realizing what I was doing was fucking stupid. Changed my gmail password immediately afterward.
Does anybody have any info on whether this thing is legit? It seems like it would make a pretty obvious zionist astroturfing target. Also I scanned a container of tahini that literally said “Product of Israel” on the side and it said it was fine (which precipitated the above sequence of events).
How did you distinguish it from OAuth2? The browser it pops up in may not be one into which you’re already logged in, in which case you saw what I would expect to see. Google’s (dangerous) OAuth2 UX will first prompt you to login with a generic login page and only then ask if you want to share info with the third party.
However, requiring a Google login is sus for anything that could be sensitive, including a BDS campaign. It will share Google account info of whoever filled out that OAuth2 prompt with whatever service they are using. Might be a Google Form for their own account, might be some third party, who knows. Very bad practice.
Hmm, good point. I will try logging in with an unused gmail address to see what happens. I have gmail logged in in the app though so they should be able to use that right?
Depends! App developers can screw up many things
deleted by creator
The developer is a Palestinian, so I highly doubt it.
Here’s what’s actually happening:
- You click the “submit for boycott” button
- Your OS opens an in-app browser that attempts to open this Google Form which is what he’s using to collect new products for boycott: https://docs.google.com/forms/d/e/1FAIpQLSfHzDfF1SY7rRLtWuLvdfoVHl4UtK8v_iz5f39mKlKbZAsQpQ/viewform?pli=1
- The form isn’t open to the public and thus requires a signed in account to interact with
- Your in-app browser likely isn’t signed into Google already, so it prompts you to sign in so you can see the form
If your OS lets you re-open the link in your regular signed in browser you’ll see that it reuses your session and then you can see the form. There’s nothing nefarious happening here.
Good analysis, thank you!
I don 't think it’s a scam, but it’s a great way for the developers to build a huge database of customer habits that they can sell to marketing companies.