Wednesday, March 29, 2023

Lemon8 app - Twitter auth login page's Privacy Policy link opens app to user content

iOS 16.3.1

Lemon8 app for iOS (version 3.9.1)

Date: 03/29/2023

Description:

Here it is: without a doubt, the funniest bug you will ever see involving a Twitter Auth page accessed by an iOS app during account creation. 

In essence, the "privacy policy" link does not take a user to Lemon8's written privacy policy. Instead, the app is somehow redirecting from this link:

https://www.lemon8-app.com/legal/privacy

To user content inside of the app, via this link (note the "open_url" query parameter: it is a base64-encoded, custom-scheme deep link into the app, not a pointer to a policy page):

https://www.lemon8-app.com/sxxte___cxxc/privacy?language=en&mid=7215984217704203269&open_url=c25zc2RrMjY1NzovL2FydGljbGVfZGV0YWlsX3BhZ2U%2FZ3JvdXBfaWQ9NzE3NTIwOTQwNTM3NjM2NTA2MiZhcHBfbGF1bmNoX2J5PVNoYXJlK1BhZ2UrTGluayZtZWRpYV9pZD03MTc0NDIxMDM0NzIwMDM1ODQ1JnBpZD1zaGFyZV9hbCZjYW1wYWluX2lkPWFydGljbGU%3D&region=us&ui_language=en
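The "open_url" parameter in that second URL is the part worth looking at. The following Python script is an added example (not code from this post, and not Lemon8's own code): it decodes the parameter, shows that it is a custom-scheme deep link into the app rather than a web page, and applies the kind of allowlist check a landing page named "privacy" should perform before honoring any "open_url" value. The allowlist (https only, the www.lemon8-app.com host, paths under /legal/) is an assumption chosen for illustration.

```python
import base64
from urllib.parse import parse_qs, unquote, urlsplit

# The second URL quoted in the post, copied verbatim (the open_url value is
# still percent-encoded here, exactly as it appears in the link).
PRIVACY_LINK = (
    "https://www.lemon8-app.com/sxxte___cxxc/privacy?language=en"
    "&mid=7215984217704203269"
    "&open_url=c25zc2RrMjY1NzovL2FydGljbGVfZGV0YWlsX3BhZ2U%2FZ3JvdXBfaWQ9NzE3NTIw"
    "OTQwNTM3NjM2NTA2MiZhcHBfbGF1bmNoX2J5PVNoYXJlK1BhZ2UrTGluayZtZWRpYV9pZD03MTc0"
    "NDIxMDM0NzIwMDM1ODQ1JnBpZD1zaGFyZV9hbCZjYW1wYWluX2lkPWFydGljbGU%3D"
    "&region=us&ui_language=en"
)

# Assumed allowlist for where a "privacy policy" link is permitted to land.
# These values are illustrative, not taken from the app or its site.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"www.lemon8-app.com"}
ALLOWED_PATH_PREFIXES = ("/legal/",)


def query_params(query: str) -> dict:
    """Split a query string without turning '+' into a space.

    parse_qs() would decode '+' as a space, which corrupts a base64 value
    that carries a literal '+', so the outer link is parsed by hand here.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def decode_open_url(link: str) -> str:
    """Return the base64-decoded open_url parameter of a landing link."""
    raw = query_params(urlsplit(link).query)["open_url"]
    raw += "=" * (-len(raw) % 4)  # tolerate padding stripped by a client
    return base64.b64decode(raw, validate=True).decode("utf-8")


def describe_target(target: str) -> dict:
    """Break a decoded target into scheme, host (the deep-link 'action'),
    path and query parameters so it can be inspected or logged."""
    parts = urlsplit(target)
    # Inside the deep link '+' really is a space ("Share+Page+Link"),
    # so parse_qs is the right tool for this level.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "scheme": parts.scheme,
        "host": parts.netloc,
        "path": parts.path,
        "params": params,
    }


def is_allowed_policy_target(target: str) -> bool:
    """Allowlist check: a policy link may only land on an https page on
    the expected host under /legal/. Custom-scheme deep links are refused."""
    parts = urlsplit(target)
    return (
        parts.scheme in ALLOWED_SCHEMES
        and parts.netloc in ALLOWED_HOSTS
        and parts.path.startswith(ALLOWED_PATH_PREFIXES)
    )


if __name__ == "__main__":
    target = decode_open_url(PRIVACY_LINK)
    print("decoded open_url:", target)
    print("parsed:", describe_target(target))
    print("allowed as a privacy-policy destination?",
          is_allowed_policy_target(target))
```

Running it shows the decoded value is an "snssdk2657://article_detail_page?group_id=..." deep link, i.e. a pointer at a specific piece of user content, which the allowlist check refuses; the written policy URL https://www.lemon8-app.com/legal/privacy passes.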

This literally made me laugh out loud. As someone who has assiduously looked at privacy policy links, I knew I had to save this one for posterity. 

Take a look:


Lemon8 twitter auth page
On an iPhone that has the Lemon8 app installed, open a mobile browser to https://api.twitter.com/oauth/authorize?force_login=false&oauth_token=ytWG6AAAAAABB_8DAAABhy4_QgY and click on the "privacy policy" link

The app opens up to user content?

Here's a video of what it looks like:




There are two easy ways to reproduce this: the longer way first, the shorter way second.


Steps to Reproduce:


  1. (on an iPhone with the Twitter iOS app installed) download and launch Lemon8

  2. Enter an age-appropriate birthday

  3. Advance to the Create Account screen 

  4. Select the “Continue with Twitter” option 

  5. From the “Lemon8 wants to open Twitter” prompt, select “Open”

  6. From the “Authorize Lemon8 to access your account?” in-app prompt, select “cancel”

  7. User is returned to the Lemon8 app, where an api.twitter.com auth page appears 

  8. From the api.twitter.com prompt, select the “Privacy Policy” link

  9. Select “Done”


Result: Lemon8 app displays a video labeled “PRIVACY” instead of taking the user to Lemon8’s written privacy policy link after the “privacy policy” link is selected on an api.twitter.com auth login page


Expected: User should always, under all conditions, be taken to a written privacy policy after selecting a “privacy policy” link associated with Lemon8



Shorter Method to Reproduce:


  1. Download the Lemon8 app onto an iPhone

  2. On that iPhone, open a mobile browser and head to Lemon8’s twitter authorization page (https://api.twitter.com/oauth/authorize?force_login=false&oauth_token=ytWG6AAAAAABB_8DAAABhy4_QgY). Note that the oauth_token value is a short-lived OAuth 1.0a request token; if it has expired, start the “Continue with Twitter” flow in the app to obtain a fresh authorization URL

  3. From Lemon8’s twitter auth page, select the “privacy policy” link 

  4. Note user is taken back into the Lemon8 app to a video labeled “Privacy”


Result: the “privacy policy” link on Lemon8’s twitter authorization page opens the Lemon8 app to a video labeled “PRIVACY” instead of to the written privacy policy 


Expected: the “privacy policy” link on Lemon8’s twitter authorization page should always open to the written privacy policy





