Wednesday, March 29, 2023

Lemon8 app - Twitter auth login page's Privacy Policy link opens app to user content

iOS 16.3.1

Lemon8 app for iOS (version 3.9.1)

Date: 03/29/2023

Description:

Here it is: without a doubt, the funniest bug you will ever see involving a Twitter Auth page accessed by an iOS app during account creation. 

In essence, a "privacy policy" link does not take a user to Lemon8's written privacy policy. Instead, the app is somehow redirecting from this link: 

https://www.lemon8-app.com/legal/privacy

To user content inside of the app located at this link:

https://www.lemon8-app.com/sxxte___cxxc/privacy?language=en&mid=7215984217704203269&open_url=c25zc2RrMjY1NzovL2FydGljbGVfZGV0YWlsX3BhZ2U%2FZ3JvdXBfaWQ9NzE3NTIwOTQwNTM3NjM2NTA2MiZhcHBfbGF1bmNoX2J5PVNoYXJlK1BhZ2UrTGluayZtZWRpYV9pZD03MTc0NDIxMDM0NzIwMDM1ODQ1JnBpZD1zaGFyZV9hbCZjYW1wYWluX2lkPWFydGljbGU%3D&region=us&ui_language=en

This literally made me laugh out loud. As someone who has assiduously looked at privacy policy links, I knew I had to save this one for posterity. 
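The redirect target above carries an open_url query parameter whose value is URL-encoded base64. The Python sketch below is an added example, not part of the original report: it decodes that parameter and checks whether the link hands off to a web page or to a custom-scheme in-app deep link. The function names are illustrative.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Redirect target copied verbatim from the post (split only for line length).
REDIRECT_URL = (
    "https://www.lemon8-app.com/sxxte___cxxc/privacy?language=en"
    "&mid=7215984217704203269&open_url="
    "c25zc2RrMjY1NzovL2FydGljbGVfZGV0YWlsX3BhZ2U%2F"
    "Z3JvdXBfaWQ9NzE3NTIwOTQwNTM3NjM2NTA2MiZhcHBfbGF1bmNoX2J5"
    "PVNoYXJlK1BhZ2UrTGluayZtZWRpYV9pZD03MTc0NDIxMDM0NzIwMDM1ODQ1"
    "JnBpZD1zaGFyZV9hbCZjYW1wYWluX2lkPWFydGljbGU%3D"
    "&region=us&ui_language=en"
)


def extract_deep_link(url, param="open_url"):
    """Return the decoded value of a base64 hand-off parameter, or None."""
    values = parse_qs(urlsplit(url).query).get(param)
    if not values:
        return None
    # parse_qs turns a literal '+' into a space; restore it before decoding.
    raw = values[0].replace(" ", "+")
    raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
    return base64.b64decode(raw).decode("utf-8")


def describe(deep_link):
    """Split a decoded link into scheme, target and parameters."""
    parts = urlsplit(deep_link)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"scheme": parts.scheme, "target": parts.netloc, "params": params}


def opens_in_app_content(url):
    """True when the hand-off is a custom-scheme deep link, not a web page."""
    deep_link = extract_deep_link(url)
    if deep_link is None:
        return False
    return urlsplit(deep_link).scheme not in ("http", "https")


if __name__ == "__main__":
    link = extract_deep_link(REDIRECT_URL)
    print(link)
    print(describe(link))
    print("opens in-app content:", opens_in_app_content(REDIRECT_URL))
```

The decoded value is an app-scheme link to an article detail page with share-link parameters, which matches the behavior described here: the app opens to user content rather than a policy document.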

Take a look:


Lemon8 twitter auth page
On an iPhone that has the Lemon8 app installed, open a mobile browser (to: https://api.twitter.com/oauth/authorize?force_login=false&oauth_token=ytWG6AAAAAABB_8DAAABhy4_QgY) and click on the "privacy policy" link

The app opens up to user content?

Here's a video of what it looks like:




Two easy ways to get this to reproduce. The longer way first, the shorter way second:


Steps to Reproduce:


  1. (on an iPhone with the Twitter iOS app installed) download and launch Lemon8

  2. Enter in an age-appropriate birthday

  3. Advance to the Create Account screen 

  4. Select the “Continue with Twitter” option 

  5. From the “Lemon8 wants to open Twitter” prompt, select “Open”

  6. From the “Authorize Lemon8 to access your account?” in-app prompt, select “cancel”

  7. User is returned to the Lemon8 app, where an api.twitter.com auth page appears 

  8. From the api.twitter.com prompt, select the “Privacy Policy” link

  9. Select “Done”


Result: Lemon8 app displays a video labeled “PRIVACY” instead of taking the user to Lemon8’s written privacy policy link after the “privacy policy” link is selected on an api.twitter.com auth login page


Expected: User should always, under all conditions, be taken to a written privacy policy after selecting a “privacy policy” link associated with Lemon8



Shorter Method to Reproduce:


  1. Download the Lemon8 app onto an iPhone

  2. On that iPhone, open a mobile browser and head to Lemon8’s twitter authorization page (https://api.twitter.com/oauth/authorize?force_login=false&oauth_token=ytWG6AAAAAABB_8DAAABhy4_QgY)

  3. From Lemon8’s twitter auth page, select the “privacy policy” link 

  4. Note user is taken back into the Lemon8 app to a video labeled “Privacy”


Result: the “privacy policy” link on Lemon8’s twitter authorization page opens the Lemon8 app to a video labeled “PRIVACY” instead of to the written privacy policy 


Expected: the “privacy policy” link on Lemon8’s twitter authorization page should always open to the written privacy policy






Thursday, March 2, 2023

Rumble app for iOS: Error Message after accessing the Privacy Policy or Terms of Service link from the FB login

iOS 16.3.1

Rumble app for iOS (version 2.8.1)

Date: 03/02/23

Description:

There is an unusual problem with the Rumble app for iOS. I have, in fact, never seen this problem happen with another iOS app until now. 

Like most other apps, the Rumble app has a Facebook login option. If selected, and if the user has the Facebook iOS app on the device, the user will be taken to a Facebook authorization screen inside of the Facebook iOS app.

This authorization login screen has two links: a "Privacy Policy" link and a "Terms of Services" link. It looks like this:





Steps to Reproduce:

1. Download and launch the Rumble app 

2. From the Rumble Sign In screen, select the "Sign in with Facebook" option 

3. From the "Rumble-iOS Wants to Use" pop-up, select the "Continue" option 

4. From the "Open in Facebook" option, select "Open"

5. From the "Rumble is requesting access to:" FB login screen, select either "Privacy Policy" or "Terms of Service"

6. Select the back (Left) arrow to return to the previous screen 

7. Note the "The page you requested was not found." error message

Result: Returning from either the "Privacy Policy" or "Terms of Service" results in an error message - user cannot log in to the Rumble app

Expected: Users should be able to read Rumble's "Privacy Policy" and "Terms of Service" documents and then complete the Facebook login-authorization process 


Select the "Sign in with Facebook" option...

Select the "Continue" option from this prompt...

Select "Open" from this prompt...

Select these links...

Back out of the Privacy Policy...

Stuck on an error message. I have never, ever seen this with any other apps.