EDIT: Not a scam, see git’s comment below.

So I downloaded the No Thanks app, which claims to be a barcode scanner app to tell you whether a product is BDS-compliant. I heard about it after it made the rounds under the narrative of “zionists are mobbing this app with bad reviews saying it’s a scam, download it and leave a positive review!”

However, after using it I suspect it might actually be a scam app. Here’s why: if you scan a product it tells you whether it’s on a boycott list or not. If it isn’t on a boycott list, you have the option to press a button to tell them it should be. Then the possible scam kicks in: it pops open a browser window taking you to the gmail web login. Not OAuth, not opening the system mail app with a template mail, straight to the gmail web login screen where you are expected to input your username + password + 2FA. I got all the way to putting in my username + password before being prompted for 2FA and realizing what I was doing was fucking stupid. Changed my gmail password immediately afterward.

Does anybody have any info on whether this thing is legit? It seems like it would make a pretty obvious zionist astroturfing target. Also I scanned a container of tahini that literally said “Product of Israel” on the side and it said it was fine (which precipitated the above sequence of events).

  • Barx [none/use name]@hexbear.net
    link
    fedilink
    English
    arrow-up
    14
    ·
    4 months ago

    How did you distinguish it from OAuth2? The browser it pops up in may not be one into which you’re already logged in, in which case you saw what I would expect to see. Google’s (dangerous) OAuth2 UX will first prompt you to login with a generic login page and only then ask if you want to share info with the third party.

    However, requiring a Google login is sus for anything that could be sensitive, including a BDS campaign. It will share Google account info of whoever filled out that OAuth2 prompt with whatever service they are using. Might be a Google Form for their own account, might be some third party, who knows. Very bad practice.