
Apple Is Blocking Linux User-Agent on appleid.apple.com - alrs
https://fosstodon.org/@alexbuzzbee/101633318704187857
======
Canada
The other day my friend lost his iPhone. He tried to use my Android to find
it, but Apple's site just says it's unsupported. Really thoughtful of Apple to
make that feature unavailable right when users need it the most.

~~~
invaliduser
Let's put an emphasis on the fact that this cannot be a technical limitation,
as everyone else in the world manages to build websites that work on most
devices, including android.

The appleid is a security nightmare anyway. I used to use an account,
associated with an email I own, with a password I know, and still I cannot log
in, because it keeps asking the insecure "personal questions" that I never
answer, because [generic privacy statement] and because I use a
cryptographically secure password manager. As I did not save the personal
questions I answered when signing up (tbh I probably just put garbage, as
those are usually never asked when you know the password), now I just
cannot access it.

That's right, I own the email address and I know the password, and yet I
cannot access my account. However, knowing who was my best friend when I was a
teenager, or what was the name of my first pet are questions, in spite of
being known by dozens of friends or acquaintances, that Apple requests as
security measures needed to trust me as the owner of the account. Having them
on the phone provides zero help, 1 year later, I still cannot access it. It's
definitively lost, and I feel happy I do not have any important information
stored on the apple cloud.

~~~
groestl
Minor side note: do not put garbage into the answer boxes, use a completely
random but plausible answer. One attack vector that is enabled by using random
strings as response to "security" questions is telephone support: "I
definitely did not answer that question, I just put garbage in!" Sadly,
sometimes that works.

~~~
KeepFlying
Very much this. I have made a point to give somewhat legitimate answers to
these questions out of fear that a phone agent would ask them someday and that
I could fall victim to exactly what you describe.

Phone agents don't always have to actually enter the security questions to
access your account. Sometimes they can simply see the answers on their screen
and are able to make a judgement call. Don't trust humans, especially not
humans who are incentivized to help you as quickly as possible.

Also it's easier to say a word over the phone than it is to say a random string
of letters, numbers and symbols.

------
Someone1234
In case anyone, like me, doesn't know what appleid.apple.com is: It is Apple's
single-sign-on portal for Apple IDs. Meaning if it errors out you cannot get
an authentication token and use any Apple property (e.g. Apple Store, iCloud,
developer portal, etc).

~~~
isostatic
I just logged into [https://www.icloud.com/](https://www.icloud.com/) on my
firefox/linux desktop -- had a popup on my iphone for the security number, but
I'm logged in, can access find-my-iphone, etc.

~~~
crtasm
Can you get the security number another way if you have lost the phone?

~~~
isostatic
I have enough options set up in my iCloud account to cope with most failures

------
Severian
Apple ID is garbage, and I've been unable to reset my security questions due
to Apple "not having sufficient information". Even calling Apple and having
the agent try to reset the questions using a PIN did not work.

They escalated the ticket to some user department, where it promptly went
nowhere. This was in October. When first dealing with this, I spent an hour on
the phone with Apple. Clicking on my support ticket URL gives me the option to
call them, but no way to email them back to inquire. It's a giant waste of
time since Tier 1 agents go by script and cannot deviate without contacting a
supervisor (whom I spoke to before).

So I guess I'm locked out of the system forever using my email address.

~~~
wila
If you can login to your device then you should be able to reset by enabling
2FA in iCloud. See my reply above.

~~~
fishywang
Apple ID 2FA uses one of your already logged-in Apple devices. For people
using an iPhone who didn't lose it that's fine. But for people who don't carry
Apple hardware anywhere (for example I have an iMac at home), that's a lot of
trouble.

~~~
wila
That description is the issue I had, I do not have an iPhone.

------
jniedrauer
Well this explains it. I was getting an HTTP 502 on appleid.apple.com while
trying to add Apple Pay support to a product I am working on. I called apple
support to tell them the site was down. The support agent told me, and I
quote, "Our internet is Safari. We don't support Firefox."

I guess Apple doesn't want developers to support their products.

------
ctime
Never attribute to malice that which is adequately explained by stupidity.
Apple isn't exactly known for their ability to provide reliable internet
services.

This is IMHO a badly misconfigured WAF or possibly application config bug and
not some kind of grand conspiracy to exclude certain Linux users.

~~~
ld00d
Right. Time and attention costs money, and why would Apple spend that time and
attention on being jerks to 2.14% of the desktop market?

------
czr
Not sure why people are claiming this as malicious. If Apple thought making
life inconvenient for linux users was a good idea, this is about the least
effective possible way to do that. And it's unclear why Apple would want to do
that in the first place.

Seems far more likely that Apple was facing some sort of automated attacks on
this particular subdomain (with linux UAs), and a beleaguered admin used this
as a quick fix.

Or, even more probably, it's a misconfiguration.

~~~
addicted
Remember when the only way to watch an Apple event live on their site was if
you were using an Apple device?

It’s likely not malicious in the sense that they want to punish Linux users.
And blocking Linux for this particular site may not have been something they
even wanted to do. But in general Apple has been unnecessarily hostile towards
non Apple devices, and it’s not hard to believe this is a consequence of that.

------
rblatz
Likely the WAF (web application firewall) responding to malicious use that
happened to use that user agent.

~~~
MichaelApproved
I doubt that could be it. Blocking by user agent would be a terrible
idea. Way too broad a net and could easily be abused to shut down major
browsers. Also easily bypassed by changing the agent name.

Does anyone have first hand experience with a WAF that did that?

~~~
ahje
It's quite common for extremely dumb bots to fake impossible UAs for various
brute-force attacks. Usually, something in the line of Microsoft Edge for PPC
Linux or something equally silly. In such cases it's easy to get a WAF to
block the impossible combinations. The bots are usually simple enough that
such simple measures block a large amount of the botnet traffic.

In our case, we block the impossible combos and rate-limit the ones commonly
used by botnets.

Blocking based on whether the UA has "Linux" in it is just dumb, though.
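
As an added illustration (not code from the thread or from any WAF vendor), the difference between the two approaches in this comment: flagging UA strings whose browser and platform tokens cannot co-occur in a real browser, versus a plain substring rule like the "X11; Linux" match the thread reports. All sample UA strings and the impossibility rules below are constructed for the example.

```python
import re

# Constructed sample User-Agent strings (not from the thread): three plausible
# desktop browsers, two "impossible" combinations of the kind dumb bots send,
# and the trivial spoof value quoted elsewhere in the thread.
SAMPLES = {
    "firefox_linux": "Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0",
    "firefox_freebsd": "Mozilla/5.0 (X11; FreeBSD amd64; rv:65.0) Gecko/20100101 Firefox/65.0",
    "edge_windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763",
    "edge_ppc_linux": "Mozilla/5.0 (X11; Linux ppc64le) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763",
    "ie_on_mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14; Trident/7.0; rv:11.0) like Gecko",
    "spoof": "apple spoof",
}

# Token pairs that never co-occur in a real browser's UA (assumed rule set).
# Each entry is (reason, pattern A, pattern B); a UA matching both is flagged.
IMPOSSIBLE_PAIRS = [
    ("EdgeHTML-era Edge only shipped on Windows", r"\bEdge/\d", r"\((X11|Macintosh);"),
    ("Trident (IE engine) only exists on Windows", r"\bTrident/", r"\((X11|Macintosh);"),
    ("Windows and X11 platform tokens contradict", r"Windows NT", r"\(X11;"),
]


def impossible_reasons(ua):
    """Return the reasons a UA is internally inconsistent (empty = plausible)."""
    return [why for why, a, b in IMPOSSIBLE_PAIRS
            if re.search(a, ua) and re.search(b, ua)]


def naive_rule_blocks(ua):
    """The kind of rule the thread reports: a case-insensitive substring match."""
    return "x11; linux" in ua.lower()


def verdict(ua):
    """Compare both approaches for one UA string."""
    return {"naive_blocks": naive_rule_blocks(ua),
            "impossible": impossible_reasons(ua)}


if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(f"{name:16} {verdict(ua)}")
```

Running it shows the substring rule blocking a genuine Firefox on Linux while passing the spoof value, whereas the impossibility check flags only the two bot-style strings.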

------
windexh8er
This has been going on for a while:

[https://mobile.twitter.com/xdaroj/status/1090319095134867459](https://mobile.twitter.com/xdaroj/status/1090319095134867459)

~~~
floatingatoll
This has been going on for a while for a SaaS called “Browserling” that
appears, from the thread, to emulate or host a browser of some sort in the
cloud somehow.

Does this issue affect normal Linux desktop-hosted locally-operated “the
standard way” browsers?

~~~
qalmakka
It doesn't work on Firefox 65.0.1 on Arch Linux, but it works perfectly with
exactly the same browser version on FreeBSD. I guess they are filtering
everything that specifically says "Linux"

~~~
floatingatoll
Excellent, thank you for that.

------
oarsinsync
Per the actual thread, they're not blocking "Linux", they're blocking "X11;
Linux" (case-insensitive).

Remove any character from that string and it succeeds.

dang: are you able to update the title to reflect that it's not just 'linux'
being blocked?

~~~
zovin
If that was true, then "Invoke-WebRequest -Uri
[https://appleid.apple.com](https://appleid.apple.com) -UserAgent '(Linux)'"
would return a 200 status, but it returns a 502 Bad Gateway

~~~
bordplate
You're right, that's blocked. User-agent "(Linux)" is blocked, however
User-agent "Linux" is not, while "X11; Linux" is blocked.

------
kirion25
More information on reddit:

[https://www.reddit.com/r/linux/comments/atc0av/apples_apple_...](https://www.reddit.com/r/linux/comments/atc0av/apples_apple_id_management_site_blocks_linux/)

------
ear7h
When the whole battery debacle was happening, I could only reach the battery
replacement page on Safari. On Chrome and Firefox, the pages would give an
error (I wanna say the same gateway error)

------
jrockway
It is probably time for browsers to stop sending a user agent string.

~~~
jandrese
That would just start an arms race where they would profile the browser to
figure out what type it is.

Better to just leave it as a string you can spoof and let them pretend that it
is good enough.

~~~
jrockway
If intentional yes, but this is probably an accident. You can't accidentally
take action on data you don't have.

------
npmaile
Just yesterday I came across this issue trying to set up my podcast with
iTunes. I probably would have gone crazy if I hadn’t seen this post.

~~~
majewsky
When I wanted to submit my podcast to the iTunes directory, I had to install
iTunes in Wine because iTunes for Windows is the only way to create an Apple
ID that does not involve giving Apple a boatload of money.

And of course, iTunes in Wine did not allow me to paste passwords, so I had to
type in the autogenerated password. And the autogenerated answers for the
"security" questions. Fun.

------
dstola
Apple has a walled-in garden

Google has a walled-in garden

Facebook is trying to make a walled-in garden

Does anyone else ever want to take out a flamethrower and just start from
scratch...

It's so tiring

~~~
askvictor
*Facebook is a walled garden

------
Jyaif
Apple is also sniffing UA (and doing some crazy heuristics with it) when
delivering webpages to its appstore. I think it's because they want to try to
serve you a different webpage that opens up the appstore _application_ when
you are clicking on a link, but it just doesn't work reliably. It's a pain for
me, my users, and another instance of Apple just failing at the web.

------
svnpenn
user agent blocking is the most pointless kind - as you can set your string to
whatever you want

    Services.prefs.setCharPref('general.useragent.override', 'apple spoof');

~~~
vkhn
Exactly. Of all the groups that might know how to spoof UA, the linux
community is the most likely.

Clearly they didn't think this through.

~~~
Wowfunhappy
> Clearly they didn't think this through.

You're assuming this was a malicious move on Apple's part, as opposed to
negligence or apathy.

------
RileyJames
Wow, yes I ran into this issue the other day. Had to use my phone to access. I
assumed it was the network and moved on.

Can’t believe it was due to running Ubuntu. WTF!

------
solarkraft
I sent them a support tweet and think you all should too.

------
gargravarr
This doesn't surprise me at all. business.apple.com refuses me on Firefox.
Tweak the UA to be Chrome and it works 100%.

------
mirages
I spoofed my UA to "Linux", got page loading normally and my login worked

~~~
aembleton
Try "X11; Linux"

------
cedivad
That doesn't necessarily mean they are willingly blocking linux, I've seen
inconspicuous user agent strings triggering 502 errors before. It's just badly
written code.

~~~
tyingq
It's curious though, that the thread narrows it down to "X11; Linux", with
that specific casing (update: nope, not case sensitive). Changing or removing
any single char in that string stops the error.

~~~
cedivad
They most likely had a reason to threat those people differently and a bug
came up under that special case ;) Watch them fix it.

~~~
gpvos
I agree with the first sentence, but would advise against holding your breath
until they have fixed it.

s/threat/treat/, though.

------
ballenf
Set my user agent to ' ' (single space character) in latest Safari on a new
Mac. Get a 403 Forbidden.

------
vinniejames
Same thing for itunes billing, when clicking the link in your invoice email

------
austinshea
Maybe they were getting attacked, and blocked a particular user agent.

I’ve had to do that before.

