EDIT: Not a scam, see git's comment below.

So I downloaded the No Thanks app, which claims to be a barcode scanner app to tell you whether a product is BDS-compliant. I heard about it after it made the rounds under the narrative of "zionists are mobbing this app with bad reviews saying it's a scam, download it and leave a positive review!"

However, after using it I suspect it might actually be a scam app. Here's why: if you scan a product it tells you whether it's on a boycott list or not. If it isn't on a boycott list, you have the option to press a button to tell them it should be. Then the possible scam kicks in: it pops open a browser window taking you to the gmail web login. Not OAuth, not opening the system mail app with a template mail, straight to the gmail web login screen where you are expected to input your username + password + 2FA. I got all the way to putting in my username + password before being prompted for 2FA and realizing what I was doing was fucking stupid. Changed my gmail password immediately afterward.

Does anybody have any info on whether this thing is legit? It seems like it would make a pretty obvious zionist astroturfing target. Also I scanned a container of tahini that literally said "Product of Israel" on the side and it said it was fine (which precipitated the above sequence of events).

  • git [he/him, comrade/them] · 4 months ago

    The developer is a Palestinian, so I highly doubt it.

    Here’s what’s actually happening:

    • You click the “submit for boycott” button
    • Your OS opens an in-app browser that attempts to open this Google Form which is what he’s using to collect new products for boycott: https://docs.google.com/forms/d/e/1FAIpQLSfHzDfF1SY7rRLtWuLvdfoVHl4UtK8v_iz5f39mKlKbZAsQpQ/viewform?pli=1
    • The form isn’t open to the public and thus requires a signed in account to interact with
    • Your in-app browser likely isn’t signed into Google already, so it prompts you to sign in so you can see the form

    If your OS lets you re-open the link in your regular signed in browser you’ll see that it reuses your session and then you can see the form. There’s nothing nefarious happening here.