Wednesday, March 11, 2026

Amazon Shopper Panel app for iOS: Broken FAQ Link and S3 Bucket 403 Error

 iOS 26.3.1

Amazon Shopper Panel app for iOS (version 5.1.6)

03/11/2026

Description: 

There is a "Program FAQs" link inside of the Amazon Shopper Panel app for iOS that leads to an access denied page. 

I at first thought that this error message was based on my location - however, after running the same URL through a US proxy, I see that this is likely a dead link pointing to an incorrect location. 

Archived Link: https://archive.is/H8iHK

Steps to Reproduce:

1. Download and launch the Amazon Shopper Panel for iOS

2. From the "Join the panel and earn rewards" page, select "Continue"

3. Advance (Continue > Continue > Get Started) to Amazon sign-in page 

4. Select the "Amazon Shopper Panel Program Terms and Conditions" link 

5. Scroll down and select "Program FAQs"

Result: the "Program FAQs" link on the "Amazon Shopper Panel Program Terms and Conditions" page accessible via the iOS app leads to an "access denied" error message 

Expected: A "Program FAQs" link should never lead to an access denied error message 


Download and launch the Amazon Shopper Panel app for iOS...



Select the "Amazon Shopper Panel Program Terms and Conditions" link...


Select the "Program FAQs" link...


Probably should have been this (?):  https://panel.amazon.com/FAQPrivacy.html

I sent the following message into Amazon: 

Dear Amazon Support Team,

I am writing to report a broken resource link within the Amazon Shopper Panel iOS application that appears to point to an internal development or staging environment.

Issue Description: In the "More" or "Help" section of the app, the link for the program FAQ is currently pointing to a URL that returns an XML "Access Denied" error from an S3 bucket via CloudFront.

Technical Details:

  • Target URL: https://d3smi4el0k163n.cloudfront.net/3.3.0/legal/faq/en-US/v1/rewards/FAQRewards-en-US-dev.html

  • Observed Behavior: The server returns an HTTP 403 (Forbidden) with an S3 <Code>AccessDenied</Code> XML response.

  • Analysis: The presence of -dev.html in the filename suggests a hardcoded link to a development asset that is not permissioned for public access or has been removed. This occurs regardless of the requester's geographic location (verified via US-based proxies).

Impact: Users are unable to access the rewards FAQ from within the app, leading to a degraded user experience. While this does not appear to be a high-risk security leak, the raw XML response indicates a minor configuration drift between the production app and the storage bucket permissions.

I recommend updating the app to point to the production FAQ (e.g., https://panel.amazon.com/FAQPrivacy.html) and ensuring that CloudFront is configured to serve a standard 404 page rather than raw S3 XML for missing or private objects.

Best regards,

Robert Delaware
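A release-time link check for the failure described in the message above, as an added example that is not part of the original post or of Amazon's code: it flags environment markers such as `-dev` in a bundled URL and recognises a raw S3 error document in the response. The response body is constructed for illustration, and the marker list and size cap are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Environment markers that should not appear in a shipped link (assumed list).
ENV_MARKER = re.compile(r"(?:^|[-_./])(dev|staging|stage|test|qa)(?=[-_./]|$)", re.I)
MAX_ERROR_DOC = 4096  # S3 error documents are small; skip parsing anything larger


def s3_error_code(body):
    """Return the <Code> of an S3-style <Error> document, or None."""
    if len(body) > MAX_ERROR_DOC:
        return None
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return None  # HTML or empty body, not an XML error document
    return root.findtext("Code") if root.tag == "Error" else None


def audit_link(url, status, body):
    """Return a list of findings for one link bundled in an app release."""
    findings = []
    marker = ENV_MARKER.search(urlparse(url).path)
    if marker:
        findings.append("env-marker:" + marker.group(1).lower())
    if status >= 400:
        findings.append("http-%d" % status)
    code = s3_error_code(body)
    if code:
        findings.append("raw-s3-error:" + code)
    return findings


# URL from the report; body is a constructed sample shaped like an S3 error.
URL = ("https://d3smi4el0k163n.cloudfront.net/3.3.0/legal/faq/en-US/v1/"
       "rewards/FAQRewards-en-US-dev.html")
BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>
<RequestId>EXAMPLE</RequestId><HostId>EXAMPLE</HostId></Error>"""

if __name__ == "__main__":
    print(audit_link(URL, 403, BODY))
```
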






Thursday, January 29, 2026

Lacoste USA: Polos & Sneakers app for iOS: Inoperable "CONSENT MANAGEMENT" option in MY SETTINGS

 iOS 26.2.1

Lacoste USA: Polos & Sneakers app for iOS (version 1.8.0)

01/29/2026

Description: 

There is a "CONSENT MANAGEMENT" option that is accessible for the user in the "MY SETTINGS" option of the Lacoste USA: Polos & Sneakers app for iOS. This option appears if the user is in guest mode or if the user creates an account. 

For me, at least, pressing this link does not take the user to a consent management page on the Lacoste website. 

Please note: while I downloaded the Lacoste app for the U.S. Apple App store, I am not in the United States as I attempt to access the link. 

Steps to Reproduce:

1. Download and launch the Lacoste USA: Polos & Sneakers app for iOS 

2. Select the "ACCOUNT" option in the bottom right hand corner of the screen 

3. Select "MY SETTINGS"

4. From the "MY SETTINGS" screen select "CONSENT MANAGEMENT"

Result: There is a non-working "CONSENT MANAGEMENT" link on the "MY SETTINGS" page of the Lacoste iOS app 

Expected: Every link should work. A "CONSENT MANAGEMENT" link on the "MY SETTINGS" page of the Lacoste iOS app should take the user to a valid consent management page - if this option is not supposed to be accessible for users in different locations, it should disappear 



Download and launch the Lacoste USA: Polos & Sneakers app for iOS...

Launch the app and select "ACCOUNT"...

Select "MY SETTINGS"...

The "CONSENT MANAGEMENT" option does nothing - does not open link, does not lead to Lacoste website - bad end user experience. 







Monday, January 19, 2026

EF Go Ahead Tours app for iOS: the "Developer's Privacy Policy" and "Privacy Policy" links on the Apple App Store detail page lead to a 404 error page

 iOS

EF Go Ahead Tours app for iOS (version 2026.1.9)

01/19/2026

Description:

The privacy links on the detail page for an app called EF Go Ahead Tours app for iOS lead to a 404 error message. Linking to a valid, and readable, privacy policy is mandated by Apple policies.

Archived Link: https://archive.is/klKww




Steps to Reproduce:

1. Head to the detail page in the Apple App Store for the EF Go Ahead Tours app

2. Scroll down and select either "Developer's Privacy Policy" or "Privacy Policy" links

3. Note that both link to a 404 page and not a valid (readable) privacy policy 

Result: the "Developer's Privacy Policy" and "Privacy Policy" links on the detail page for an app called EF Go Ahead Tours lead to a 404 page and not a valid privacy policy 

Expected: the "Developer's Privacy Policy" and "Privacy Policy" links on the detail page for the EF Go Ahead Tours app should lead to a valid (readable) privacy policy 


Head to the detail page for the EF Go Ahead Tours app in the Apple App store...


Scroll down and select the "Privacy Policy" link...


User is taken to a 404 error message. 








Sunday, January 18, 2026

seats.aero app for iOS: Deep Link formatting issue with links created using iOS share sheet

 iOS 18.6.2

seats.aero app for iOS (version 2026.1.2)

01/18/2026

Description:

Share URLs generated by the seats.aero app are not clickable hyperlinks. If the recipient of the link doesn't have the app installed on their device, the link doesn't work - it's dead.

Here's how a link looked in an email message I received:


The link appears as such: seatsaero://trip/2sNenq39yxh3m4YyZyb6jAkVGjO?id=2sNenq39yxh3m4YyZyb6jAkVGjO&remainingSeats=%7B%22y%22%3A9%2C%22w%22%3A0%2C%22j%22%3A3%2C%22f%22%3A2%7D&availableFareClasses=y%2Cj%2Cf

 

Why this is a problem for users:

  • Lack of Linkification: Most major mobile email clients (Gmail, Outlook) do not recognize the seatsaero:// protocol as a clickable hyperlink. It appears as plain text, forcing the recipient to copy-paste it (which often doesn't work in mobile browsers).

  • No Graceful Degradation: If the recipient doesn't have the app installed or is viewing the email on a desktop, the link is effectively "dead."

  • Payload Complexity: The URL-encoded JSON in the query parameters makes the string quite long, increasing the risk of the link being "truncated" by certain email filters.

Suggested Fix: Transitioning these share-actions to Apple Universal Links (using an https://seats.aero/ prefix supported by an apple-app-site-association file) would allow the links to open the app if installed, or a web preview if not.
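A sketch of that fix, as an added example that is not seats.aero's code: it parses the custom-scheme share link shown above, rebuilds it as an https link, and emits a matching apple-app-site-association document. The `/trip/<id>` web path, the id-only link design and the `TEAMID.com.example.app` app ID are assumed placeholders.

```python
import json
from urllib.parse import urlsplit, parse_qs, quote

# Share link exactly as it appeared in the email described above.
SHARED = ("seatsaero://trip/2sNenq39yxh3m4YyZyb6jAkVGjO?id=2sNenq39yxh3m4YyZyb6jAkVGjO"
          "&remainingSeats=%7B%22y%22%3A9%2C%22w%22%3A0%2C%22j%22%3A3%2C%22f%22%3A2%7D"
          "&availableFareClasses=y%2Cj%2Cf")


def parse_share_link(link):
    """Decode a seatsaero://trip/<id>?... link into its fields."""
    parts = urlsplit(link)
    if parts.scheme != "seatsaero" or parts.netloc != "trip":
        raise ValueError("not a seatsaero://trip link")
    query = parse_qs(parts.query, strict_parsing=True)
    trip_id = parts.path.lstrip("/")
    if query.get("id") != [trip_id]:
        raise ValueError("id parameter does not match path")
    return {
        "id": trip_id,
        "remaining_seats": json.loads(query["remainingSeats"][0]),
        "fare_classes": query["availableFareClasses"][0].split(","),
    }


def to_universal_link(trip):
    # Assumption: the web page and the app can fetch availability by trip id,
    # so the link carries only the id and stays short enough to survive email.
    return "https://seats.aero/trip/" + quote(trip["id"], safe="")


def aasa(app_id="TEAMID.com.example.app"):  # placeholder app ID
    # Document served at https://seats.aero/.well-known/apple-app-site-association
    return {"applinks": {"details": [{
        "appIDs": [app_id],
        "components": [{"/": "/trip/*", "comment": "shared trips"}],
    }]}}


if __name__ == "__main__":
    trip = parse_share_link(SHARED)
    print(trip)
    print(to_universal_link(trip))
    print(json.dumps(aasa(), indent=2))
```
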

Steps to Reproduce:

1. Download and launch the seats.aero app for iOS

2. From the "Home" screen, select any city (example: "London")

3. Select any available flight 

4. Select the share option 

5. Share the generated link using the iOS share sheet (in a Messenger message, email, etc.)

Result: There is a deep link formatting issue with links created by the seats.aero app for iOS - the links appear dead to users on other devices that don't have the app installed 

Expected: Users should never be presented with a dead link to seats.aero content 



Download and launch the seats.aero app from the Apple App Store...





Choose any location - such as Frankfurt...




Select a flight (in this instance, the flight at the top of the list)...


Select the share option...


Select something such as the email share option from the iOS share sheet...


This link won't work for most who receive it. 





Tuesday, December 23, 2025

Five Guys Burgers & Fries app for iOS: Deep Link Failure: Broken Universal Link for Apple Music Playlist inside the App

 iOS 18.6.2

12/24/2025

Five Guys Burgers & Fries app for iOS (version 5.17.2)

Description: 

There is a problem with the Apple Music icon/link that is displayed inside of the Five Guys iOS app.

Inside of the app there is an Apple Music icon/link. Clicking on this link exits the user out of the app and takes the user to Apple Music (which is expected). 

The user is not taken, however, to a working Apple Music playlist. The user is stranded on a page in Apple Music that looks like this:


User is left stranded here in Apple Music. This is a blank Apple Music playlist located at: https://music.apple.com/us/curator/five-guys/1542822234


I managed to copy the link from the Five Guys Android app (why an Android app would link to an Apple Music playlist is another issue):

https://music.apple.com/us/curator/five-guys/1542822234

Archived: https://archive.is/Q22sz


Steps to Reproduce:

1. Download the Five Guys Burgers & Fries app for iOS (version 5.17.2)

2. Enter into the app in Guest Mode

3. Select the slider (3 horizontal lines) option in the upper left hand corner of the screen 

4. From the "WELCOME!" page select the Apple Music icon 

Result: selecting the Apple Music icon inside of the Five Guys Burgers & Fries iOS app does not take the user to a working Apple Music playlist. 

Expected: if there is an Apple Music icon displayed inside of the Five Guys Burgers & Fries iOS app, then it should link to a working page/playlist inside of Apple Music 


Select the option in the upper left hand corner of the screen...



Select the Apple Music icon as indicated in this screenshot.

Please Note: Interestingly enough, the Five Guys website has an icon that leads to a working Spotify playlist. 





Sunday, December 21, 2025

Wild Fork app for iOS: the "Developer's Privacy Policy" and "Privacy Policy" links on the App Store detail page lead to a 404 error page

 iOS 18.6.2

Wild Fork app for iOS (version 4.0.50 (680))

12/21/2025

Description:

The "Developer's Privacy Policy" and "Privacy Policy" links on the detail page for an app called "Wild Fork" lead to a 404 page. 

Instead of leading to a valid and readable privacy policy (as is mandated by Apple) these links are leading to this 404 page: https://wildforkfoods.com/404-not-found/

Archived here: https://archive.is/7hTo2

This is what the end user will see instead of a valid privacy policy. 


Steps to Reproduce:

1. Head to the detail page in the Apple App Store for an app called Wild Fork

2. Scroll down and select either "Privacy Policy" or "Developer's Privacy Policy"

Result: The "Privacy Policy" and "Developer's Privacy Policy" links on the Apple App Store detail page for an app called "Wild Fork" lead to a 404 error page instead of a readable, valid, privacy policy 

Expected: The "Privacy Policy" and "Developer's Privacy Policy" links on the Apple App Store detail page for the "Wild Fork" app should always lead to valid and readable privacy policies 


This is a screenshot of Wild Fork's detail page in the Apple App Store (December 2025)...

Here's the "developer's privacy policy" link...

Here's the page the user is taken to. 








Wednesday, December 17, 2025

Qwant Private Search app for iOS: the "Developer's Privacy Policy" and "Privacy Policy" links in App Store detail page lead to a "Oops 404 lunar page"

 iOS 18.6.2

Qwant Private Search app for iOS (version 6.9.0)

12/17/2025

Description:

On the Apple App Store detail page for the Qwant Private Search app, the "Developer's Privacy Policy" and "Privacy Policy" links lead to a 404 page. 


Currently, the "Privacy Policy" and "Developer's Privacy Policy" links lead to a 404 page. This is the URL: https://www.qwant.com/privacy

Regulations regarding consumer access to valid privacy policies are mandated by Apple.


Steps to Reproduce:

1. Head to the Qwant Private Search detail page in the Apple App Store 

2. Select either the "Developer's Privacy Policy" or "Privacy Policy" links 

3. Note that the user is taken to a 404 page

Result: the "Developer's Privacy Policy" and "Privacy Policy" links associated with the Apple App Store detail page for the Qwant Private Search app lead to 404 pages

Expected: the "Developer's Privacy Policy" and "Privacy Policy" links for the Qwant Private Search app should link to a readable privacy policy  


Head to the Qwant Private Search detail page in the app store...


Click on the "Developer's Privacy Policy" link...


User ends up on a 404 page at: https://www.qwant.com/privacy