Wednesday, March 11, 2026

Amazon Shopper Panel app for iOS: Broken FAQ Link and S3 Bucket 403 Error

iOS 26.3.1

Amazon Shopper Panel app for iOS (version 5.1.6)

03/11/2026

Description: 

There is a "Program FAQs" link inside the Amazon Shopper Panel app for iOS that leads to an access denied page.

I first thought that this error message was based on my location; however, after running the same URL through a US proxy, I see that this is likely a dead link pointing to an incorrect location.

Archived Link: https://archive.is/H8iHK

Steps to Reproduce:

1. Download and launch the Amazon Shopper Panel for iOS

2. From the "Join the panel and earn rewards" page, select "Continue"

3. Advance (Continue > Continue > Get Started) to Amazon sign-in page 

4. Select the "Amazon Shopper Panel Program Terms and Conditions" link 

5. Scroll down and select "Program FAQs"

Result: the "Program FAQs" link on the "Amazon Shopper Panel Program Terms and Conditions" page accessible via the iOS app leads to an "access denied" error message.

Expected: A "Program FAQs" link should never lead to an access denied error message.

(Screenshot) Download and launch the Amazon Shopper Panel app for iOS...

(Screenshot) Select the "Amazon Shopper Panel Program Terms and Conditions" link...

(Screenshot) Select the "Program FAQs" link...

Probably should have been this (?): https://panel.amazon.com/FAQPrivacy.html

I sent the following message to Amazon:

Dear Amazon Support Team,

I am writing to report a broken resource link within the Amazon Shopper Panel iOS application that appears to point to an internal development or staging environment.

Issue Description: In the "More" or "Help" section of the app, the link for the program FAQ is currently pointing to a URL that returns an XML "Access Denied" error from an S3 bucket via CloudFront.

Technical Details:

  • Target URL: https://d3smi4el0k163n.cloudfront.net/3.3.0/legal/faq/en-US/v1/rewards/FAQRewards-en-US-dev.html

  • Observed Behavior: The server returns an HTTP 403 (Forbidden) with an S3 <Code>AccessDenied</Code> XML response.

  • Analysis: The presence of -dev.html in the filename suggests a hardcoded link to a development asset that is not permissioned for public access or has been removed. This occurs regardless of the requester's geographic location (verified via US-based proxies).

Impact: Users are unable to access the rewards FAQ from within the app, leading to a degraded user experience. While this does not appear to be a high-risk security leak, the raw XML response indicates a minor configuration drift between the production app and the storage bucket permissions.

I recommend updating the app to point to the production FAQ (e.g., https://panel.amazon.com/FAQPrivacy.html) and ensuring that CloudFront is configured to serve a standard 404 page rather than raw S3 XML for missing or private objects.

Best regards,

Robert Delaware
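As an added example, not part of the original post or of any Amazon code: a small Python checker that does what the report above did by hand, flagging a development-asset filename in a URL and a raw S3 `<Error>` XML body leaking through the CDN instead of a proper error page. The suffix list and the sample 403 body are constructed assumptions; `check_url` performs a live fetch, while the sample at the bottom runs offline.

```python
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Filename suffixes that usually mark non-production assets (assumed list).
DEV_SUFFIX = re.compile(r"-(dev|staging|stage|test|qa)\.[a-z0-9]+$", re.IGNORECASE)


def s3_error_code(body):
    """Return the <Code> of an S3-style <Error> XML body, else None
    (HTML error pages and plain text are not that shape)."""
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return None
    return root.findtext("Code") if root.tag == "Error" else None


def classify(url, status, body):
    """Findings for one fetched link: a dev-asset filename, a raw S3 error
    body served by the CDN, or a plain HTTP error with a proper page."""
    findings = []
    if DEV_SUFFIX.search(urlparse(url).path):
        findings.append("dev-asset-filename")
    code = s3_error_code(body)
    if code:
        findings.append("raw-s3-error:" + code)
    elif status >= 400:
        findings.append("http-error:%d" % status)
    return findings


def check_url(url, timeout=10):
    """Fetch a URL and classify it; a 403/404 response still yields its body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(url, resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(url, err.code, err.read().decode("utf-8", "replace"))


# Constructed sample: the shape of an S3 AccessDenied body relayed by CloudFront.
FAQ_URL = "https://d3smi4el0k163n.cloudfront.net/3.3.0/legal/faq/en-US/v1/rewards/FAQRewards-en-US-dev.html"
SAMPLE_403_BODY = ('<?xml version="1.0" encoding="UTF-8"?>\n'
                   "<Error><Code>AccessDenied</Code><Message>Access Denied</Message>"
                   "<RequestId>EXAMPLE-REQUEST-ID</RequestId></Error>")

if __name__ == "__main__":
    print(classify(FAQ_URL, 403, SAMPLE_403_BODY))
```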
