Apple Is Blocking Linux User-Agent on appleid.apple.com (fosstodon.org)
335 points by alrs on Feb 22, 2019 | 140 comments

The other day my friend lost his iPhone. He tried to use my Android to find it, but Apple's site just says it's unsupported. Really thoughtful of Apple to make that feature unavailable right when users need it the most.

Let's put an emphasis on the fact that this cannot be a technical limitation, as everyone else in the world manages to build websites that work on most devices, including android.

The appleid is a security nightmare anyway. I used to use an account, associated with an email I own, with a password I know, and still I cannot log in, because it keeps asking the insecure "personal questions" that I never answer, because [generic privacy statement] and because I use a cryptographically secure password manager. As I did not save the personal questions I answered when signing up (tbh I probably just put garbage, as those are usually never asked when you know the password), I now just cannot access it.

That's right, I own the email address and I know the password, and yet I cannot access my account. However, knowing who my best friend was when I was a teenager, or what the name of my first pet was, are questions that, in spite of being known by dozens of friends or acquaintances, Apple requests as security measures needed to trust me as the owner of the account. Having them on the phone provides zero help; 1 year later, I still cannot access it. It's definitively lost, and I feel happy I do not have any important information stored on the Apple cloud.

Minor side note: do not put garbage into the answer boxes, use a completely random but plausible answer. One attack vector that is enabled by using random strings as response to "security" questions is telephone support: "I definitely did not answer that question, I just put garbage in!" Sadly, sometimes that works.

Very much this. I have made a point to give somewhat legitimate answers to these questions out of fear that a phone agent would ask them someday and that I could fall victim to exactly what you describe.

Phone agents don't always have to actually enter the security questions to access your account. Sometimes they can simply see the answers on their screen and are able to make a judgement call. Don't trust humans, especially not humans who are incentivized to help you as quickly as possible.

Also it's easier to say a word over the phone than it is to say a random string of letters, numbers, and symbols.

Just use a password generator to generate a space-separated phrase.

Had the same thing; actually knew the security question answers as I had logged them. But according to the fine website they were wrong. Called Apple. First time they told me "too bad" (took me about an hour to get that answer).

Called them again and another Apple employee pointed out that as long as you can login, you can enable 2FA via iCloud (something I'm not using either). Once 2FA is enabled the security questions can be bypassed. Not sure if that required them to change a setting, but from then on you _should_ be able to change anything else, including the security questions, or assign another email address, or add an extra one, or...

Thanks for the tip!

After reading this, I tried it and it didn't work. Even jumped on a call with support and they told me there is no way to turn on 2FA without the security questions (at least for my account, maybe other accounts can).

The shitty thing is you also delete your account or create a new one with the same email without knowing the security questions.

Oh well :/

Still, thanks for the hope (short-lived as it was).

Strange, as I can assure you that this is how I recovered the account. This was on macOS Sierra, which might be part of it; then System Preferences -> iCloud.

The first Apple support person I talked to did not know how to recover the account this way. So it does not seem to be in the scripts.

Just a general warning, if you leave two factor on for a set number of days (I can't recall the exact amount), it is impossible to turn off again.

Apple's backend systems are a shit show. They work in a specific set of requirements but outside of their specific situations or via tech support are effectively useless.

It's inexcusable how bad the iCloud system is, especially regarding authentication, however, I will note that if you enable 2FA you don't get any of that security question nonsense anymore. (Yes, I know that you can't enable 2FA, but perhaps it is useful to someone else reading this).

Damn, it seems I really dodged a bullet here. I was recently asked for security questions logging into a company account (iOS management account). Whoever created the account only jotted down the answers to two of the questions. It asked for precisely these two, and I was able to change the other without answering the third.

I've given up and just started giving the same answer for all security questions.

I'm sure your password manager can save security questions? In mine I can add as many fields as I want, so for every login that requires security questions I answer them with 50 characters of gibberish, and save them for later use.

Then when someone calls and they ask for the security question, the attacker just says it's gibberish and they let them through. Choose 4 random words, not 50 random characters.

If you saw my comment below, this is exactly the same issue I have. It's stupid, and I don't think I ever added security questions to begin with when I signed up to iTunes over 10 years ago.

I have the same issue with my TD Ameritrade account. I have the correct email and password, but then it asks for a security question that I have no idea about. I can’t get in.


Well he didn't.

If you're talking about the iCloud website, switch to "Desktop Mode" on your phone and it will work for the "Find my iPhone" application on there.

source: lost my phone and went full panic mode when it said "unsupported" and fiddled around with it for 30 minutes on an android phone

Oh boy, scrolling through that page on mobile is a nightmare.

Exactly, not sure why the parent commenter couldn't do this.

It’s kind of insane that they do that considering the majority of phones are androids. It means many people are almost certainly going to need your laptop which really limits how it can be used.

> considering the majority of phones are androids.

This is one of the ways they are trying to change that.

It doesn't make sense that making it harder to use a feature of an iPhone would make more people want to use an iPhone. It seems unlikely that someone sees someone struggle to find their lost iPhone via an Android device and think "This makes me want an iPhone more"

"I'm glad I have an iphone, this android is rubbish"

I doubt it. Apple don't care about having a high percent of the market. They're happy so long as they have the high end in their pocket. That's where the big margins are.

They're happy to leave the high volume lower end to the likes of Samsung.

I just found out all new iCloud accounts require your mobile number for 2FA.

A friend is in a study abroad program and broke his iPhone. He bought a new one but can’t access his account because he no longer has a “trusted device” (his broken iPhone) to verify his login and since he’s overseas, can’t get the fallback SMS.

He basically has to wait until he returns.

So he set up 2 factor authentication, does not have access to one of the factors and now he can't login? How is that Apple's fault?

Note that you can also set it up to call you instead of sending texts; I presume he can take calls otherwise I don’t understand why he even took a phone with him.

He did not set up 2FA willingly. It is now required for all new Apple accounts.

He tried to find a way to disable it, but it is no longer possible.

If Apple had a 2FA method where he could use another email, that would have solved the problem. Or even using an app like Authy or Google Authenticator.

He is overseas, with no global roaming, and so is unable to receive calls or texts.

He took his phone because he planned on getting a local SIM card.

You can actually add more than one number, so he could have added a family member's or friend's number. He might also be able to use the recovery procedure from this link to regain access after a waiting period:


Yes, if he had known this would happen, he could have done all those things.

Or if Apple did not force 2FA on new accounts, then this also wouldn’t have happened.

But they do and for very good reasons. Too bad your friend got caught in the cracks but it’s his own fault.

> since he’s overseas, can’t get the fallback SMS

This is one of the reasons I purchased a mobile/cell number from Twilio to use as a backup for all of the websites that only support 2FA via SMS (Apple, PayPal etc.).

The 2FA code gets sent to a channel on my own private Slack workspace via a webhook [1]. If I lose my phone I can always log into the Slack website on another device to access the code.

[1] https://www.twilio.com/docs/studio/tutorials/how-to-post-sms...
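The Twilio-to-Slack relay described in this comment, as an added example (not the commenter's setup and not Twilio's or Slack's own code): a small Python handler that forwards an inbound SMS to a Slack incoming webhook, but only after checking Twilio's X-Twilio-Signature header with Twilio's documented HMAC-SHA1 scheme, so that anyone who discovers the relay URL cannot push fake "2FA codes" into the channel. The relay URL, auth token, phone numbers, message text and Slack webhook URL are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import urllib.request

# Placeholders (assumptions): the Slack incoming-webhook URL and the URL that
# the Twilio number is configured to POST inbound messages to.
SLACK_WEBHOOK_URL = "https://hooks.slack.com/services/PLACEHOLDER"
RELAY_URL = "https://sms-relay.example.net/twilio"


def twilio_signature(auth_token: str, url: str, params: dict) -> str:
    """Twilio's documented request signature: the full request URL, followed by
    every POST parameter as key+value in key-sorted order, HMAC-SHA1 keyed with
    the account auth token, base64-encoded."""
    signed = url + "".join(k + params[k] for k in sorted(params))
    mac = hmac.new(auth_token.encode(), signed.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def is_valid_twilio_request(auth_token: str, url: str, params: dict,
                            header_signature: str) -> bool:
    """Constant-time comparison of the X-Twilio-Signature header against the
    signature recomputed from the request we actually received."""
    expected = twilio_signature(auth_token, url, params)
    return hmac.compare_digest(expected, header_signature or "")


def slack_payload(params: dict) -> dict:
    """Message body for Slack: sender, recipient and text, nothing else."""
    return {"text": "SMS from {} to {}: {}".format(
        params.get("From", "?"), params.get("To", "?"), params.get("Body", ""))}


def post_to_slack(payload: dict, webhook_url: str = SLACK_WEBHOOK_URL) -> None:
    """POST the JSON payload to the Slack incoming webhook."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    urllib.request.urlopen(req, timeout=10).read()


def handle_inbound_sms(auth_token: str, url: str, params: dict,
                       header_signature: str, post=post_to_slack):
    """Entry point the web framework would call with the POST form fields and
    the X-Twilio-Signature header. Returns the payload that was forwarded, or
    None when the signature check failed (nothing is posted in that case).
    `post` is injectable so the logic can be exercised offline."""
    if not is_valid_twilio_request(auth_token, url, params, header_signature):
        return None
    payload = slack_payload(params)
    post(payload)
    return payload


if __name__ == "__main__":
    # Constructed sample: the fields Twilio sends for an inbound message.
    token = "constructed-auth-token"
    fields = {"From": "+15550000001", "To": "+15550000002",
              "Body": "Your verification code is 123456"}
    good_sig = twilio_signature(token, RELAY_URL, fields)
    print(handle_inbound_sms(token, RELAY_URL, fields, good_sig, post=print))
    print(handle_inbound_sms(token, RELAY_URL, fields, "forged", post=print))
```

The `url` passed to the check must be exactly the URL Twilio was configured with (scheme, host, path and query string), or the recomputed signature will not match. The Slack webhook URL is itself a bearer secret: anyone holding it can post into the channel, so it belongs in the relay's configuration, not in a repository.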

Have you tested that it works?

According to this other recent HN comment, Twilio numbers cannot be used for SMS verification. Banks and Gmail are mentioned:


"I have this problem because my main, personal number is actually a twilio number (as I built my own personal telco within twilio) and this means I cannot receive validation messages from shortcodes (like a bank)."

> Have you tested that it works?

Yes. I wouldn't have mentioned it if it didn't work.

Here's a screenshot showing the Apple and PayPal 2FA codes I have received through Slack via Twilio...


I also don't have any accounts with banks that are stupid enough to use SMS for 2FA [1] so I haven't needed to use my Twilio number for that purpose.

Using SMS for Gmail 2FA doesn't make any sense when Google supports U2F.

[1] https://motherboard.vice.com/en_us/article/mbzvxv/criminals-...

PayPal also supports TOTP through an old trick. Look it up.

I tried to find the "old trick" but only ended up on 404s or forum threads that end with "they must have closed that trick now".

Would you mind sharing a working source?

Perhaps they have closed it now then. This was the source: https://medium.com/@dubistkomisch/set-up-2fa-two-factor-auth...

It's not shortcodes per se, those work fine for the most part.

Twilio/Google Voice (more generally, VOIP numbers) are explicitly being blocked (because it's possible to find out what type of number it is) at a number of services, likely to combat fraud.

I've found MSFT (Azure) and AWS to be recent examples of such services. Google itself does the same.

As further proof that I am not lying here's a screenshot from my Twilio messaging log...


62226 = PayPal and 51472 = Apple.

Apple's 2FA makes things much simpler for users who own multiple Apple devices (very easy to authorize a new iPhone from your iMac or iPad) but if you only have one, it's next to impossible to use reliably. You can't make a backup or use a third-party 2FA client, or a non-Apple device. They don't provide "traditional" TOTP two-factor authentication that you could use in many different TOTP-based authenticator programs.

edit: Mercifully, they at least allow you to enter the 'find my iPhone' section without needing the 2FA code.

It happened to me when I changed country and phone number; I couldn't identify my iCloud account.

I just followed the instructions on the login page that I did not have my device with me, and just entered my Recovery Key that was given to me when I set up 2FA.

It's as simple as that.

Mind you I use a password manager and keep all my login information in it.

Note that the “recovery key” is for the older “2 step verification.”

The newer “2 factor verification” does not have a recovery key.

I lost my Uber account since it got re-associated with a temporary prepaid SIM I used when traveling once, so now I'm cut off from 2FA. 2FA is a nightmare for users, but all the alternatives are worse.

> since he’s overseas, can’t get the fallback SMS


Many service providers silently fail to deliver SMS when one is roaming internationally, especially if not on a post-paid account.

I think this must be a US thing, never heard of it in Europe.

Probably opted to buy a local SIM instead of using the one from his home country

Many service providers don't support roaming at all - especially on pre-paid accounts.

He doesn’t have international roaming.

I'm not sure that there is a subscription in Europe that doesn't include international roaming. At least I can't remember seeing one here in Norway. I suppose Europeans travel from country to country a lot more on average.

I've been using an Android app called XFi locator for the last couple of years whenever my wife loses her iPhone. Really simple and works perfectly.

I don't find this all that surprising, sadly - inside the Apple reality distortion field there are only Apple devices.

>> reality distortion field

Don’t attribute a seeming idiocy to something which is a clear sign of malice.

In case anyone, like me, doesn't know what appleid.apple.com is: It is Apple's single-sign-on portal for Apple IDs. Meaning if it errors out you cannot get an authentication token and use any Apple property (e.g. Apple Store, iCloud, developer portal, etc).

I just logged into https://www.icloud.com/ on my firefox/linux desktop -- had a popup on my iphone for the security number, but I'm logged in, can access find-my-iphone, etc.

Same. Not sure where the blocking is occurring, but it's not affecting me in any way. icloud.com works fine and that's just about all I need to do on a PC.

Same. I've been using a plain-jane Fedora box w/ Firefox and have had no problems accessing iCloud or creating app passwords.

Can you get the security number another way if you have lost the phone?

I have enough options set up in my iCloud account to cope with most failures.

The SSO domain is idmsa.apple.com. appleid.apple.com is specifically the site for managing your AppleID (e.g. changing your name, password, trusted phone number, etc).

Apple ID is garbage, and I've been unable to reset my security questions due to Apple "not having sufficient information". Even calling Apple and having the agent try to reset the questions using a PIN did not work.

They escalated the ticket to some user department, where it promptly went nowhere. This was in October. When first dealing with this, I spent an hour on the phone with Apple. Clicking on my support ticket URL gives me the option to call them, but no way to email them back to inquire. It's a giant waste of time since Tier 1 agents go by script and cannot deviate without contacting a supervisor (whom I spoke to before).

So I guess I'm locked out of the system forever using my email address.

If you can login to your device then you should be able to reset by enabling 2FA in iCloud. See my reply above.

Apple ID 2FA uses one of your already logged-in Apple devices. For people using an iPhone who didn't lose it, that's fine. But for people who don't carry Apple hardware anywhere (for example, I have an iMac at home), that's a lot of trouble.

That description is the issue I had, I do not have an iPhone.

I don't have any Apple devices.

Well this explains it. I was getting an HTTP 502 on appleid.apple.com while trying to add Apple Pay support to a product I am working on. I called Apple support to tell them the site was down. The support agent told me, and I quote, "Our internet is Safari. We don't support Firefox."

I guess Apple doesn't want developers to support their products.

Never attribute to malice that which is adequately explained by stupidity. Apple isn't exactly known for their ability to provide reliable internet services.

This is IMHO a badly misconfigured WAF or possibly application config bug and not some kind of grand conspiracy to exclude certain Linux users.

Right. Time and attention costs money, and why would Apple spend that time and attention on being jerks to 2.14% of the desktop market?

Not sure why people are claiming this as malicious. If Apple thought making life inconvenient for linux users was a good idea, this is about the least effective possible way to do that. And it's unclear why Apple would want to do that in the first place.

Seems far more likely that Apple was facing some sort of automated attacks on this particular subdomain (with linux UAs), and a beleaguered admin used this as a quick fix.

Or, even more probably, it's a misconfiguration.

Remember when the only way to watch an Apple event live on their site was if you were using an Apple device?

It’s likely not malicious in the sense that they want to punish Linux users. And blocking Linux for this particular site may not have been something they even wanted to do. But in general Apple has been unnecessarily hostile towards non Apple devices, and it’s not hard to believe this is a consequence of that.

Likely the WAF (web application firewall) responding to malicious use that happened to use that user agent.

I doubt that could be it. Blocking by user agent would be a terrible idea. Way too broad a net, and it could easily be abused to shut down major browsers. Also easily bypassed by changing the agent name.

Does anyone have first hand experience with a WAF that did that?

It's quite common for extremely dumb bots to fake impossible UAs for various brute-force attacks. Usually, something along the lines of Microsoft Edge for PPC Linux or something equally silly. In such cases it's easy to get a WAF to block the impossible combinations. The bots are usually simple enough that such simple measures block a large amount of the botnet traffic.

In our case, we block the impossible combos and rate-limit the ones commonly used by botnets.

Blocking based on whether the UA has "Linux" in it is just dumb, though.
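The two-tier approach this commenter describes (outright block for impossible UA combinations, rate limit for UAs that botnets favour), as an added example that is not any vendor's WAF code and not the commenter's configuration: a small Python filter with a handful of constructed rules and constructed sample traffic. Note that a stock "X11; Linux" Firefox or Chrome UA triggers neither tier, which is the point the commenter makes in the last line.

```python
import re
import time
from collections import defaultdict, deque

# Every needle in a tuple must match for the UA to count as "impossible":
# no shipping browser reports these platform/engine pairings together.
IMPOSSIBLE_COMBOS = {
    "edge-on-ppc-linux": (r"\bEdge/\d", r"\bPPC\b", r"\bLinux\b"),
    "windows-and-macintosh": (r"\bWindows NT\b", r"\bMacintosh\b"),
    "iphone-on-windows": (r"\biPhone\b", r"\bWindows NT\b"),
}

# Plausible UAs that dominate credential-stuffing traffic get a per-source
# budget instead of a block, so a real user with an old browser still gets in.
RATE_LIMITED = {
    "old-firefox": r"Firefox/3\d\.\d",   # e.g. the Firefox 34 bots seen hammering logins
    "bare-curl": r"^curl/",
}


class SlidingWindow:
    """Counts hits per key inside a trailing window of `window_s` seconds."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window = limit, window_s
        self.hits = defaultdict(deque)

    def over_limit(self, key, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.limit


class UaFilter:
    def __init__(self, limit: int = 5, window_s: float = 60.0):
        self.window = SlidingWindow(limit, window_s)

    def decide(self, ua: str, src_ip: str, now: float = None):
        """Return ("block", rule), ("limit", rule) or ("allow", rule-or-None)."""
        now = time.monotonic() if now is None else now
        for name, needles in IMPOSSIBLE_COMBOS.items():
            if all(re.search(n, ua) for n in needles):
                return ("block", name)
        for name, pattern in RATE_LIMITED.items():
            if re.search(pattern, ua):
                if self.window.over_limit((src_ip, name), now):
                    return ("limit", name)
                return ("allow", name)
        return ("allow", None)


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLES = [
    ("Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0", "198.51.100.7"),
    ("Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36", "198.51.100.8"),
    ("Mozilla/5.0 (PPC Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134", "203.0.113.5"),
    ("Mozilla/5.0 (Windows NT 10.0; Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15", "203.0.113.6"),
    ("Mozilla/5.0 (X11; Linux i686; rv:34.0) Gecko/20100101 Firefox/34.0", "203.0.113.9"),
]


def run_samples(filter_: UaFilter = None, now: float = 0.0):
    """Decide every sample once at time `now`; handy for a quick look."""
    f = filter_ or UaFilter()
    return [f.decide(ua, ip, now) for ua, ip in SAMPLES]


if __name__ == "__main__":
    for (ua, ip), verdict in zip(SAMPLES, run_samples()):
        print(verdict, ip, ua[:60])
```

The rate-limit key is (source, rule), so one noisy source with an old Firefox UA is throttled without affecting another source sending the same UA; a blanket rule on a substring such as "Linux" would have no such scoping and is exactly the "too broad a net" the thread complains about.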

Much-hyped "disruptive deep machine-learning smart AI" used for, e.g., fraud detection works the same way: by finding features commonly used by fraudsters and discriminating against everyone having the same features (e.g. user agent, time of purchase, items purchased, even name on card).

Old-school non-computerized discrimination (i.e. racism) works exactly the same way.

> Blocking by user agent would be a terrible idea.

You know what else is a terrible idea? Blocking IP ports in firewalls, or MAC based filtering, yet both of these are ubiquitous practices. Don't think something is not happening because you think it is a bad idea. Other people, usually the ones in charge, will often disagree.

Yes, it’s possible. Not out of the box usually, but someone probably added a custom rule.

Especially if you’re facing an attack from a common UserAgent with all the other variables changing. And the admin likely thought “Linux users don’t use this service.”

I've seen Cloudflare block based on user-agent alone.

UA is a blocking mechanism in WAFs. Also, (Akamai or <web proxy> fix your shit), re-ordered HTTP headers do the same thing.

If you're behind a MITM web proxy at work, try going to Lowes.com - there's a chance you'll get blocked by their Akamai filter for putting headers back in the "wrong" (there is no wrong) way.

If so, someone is very stupid. Spoofing the user agent is extremely easy, so much so that many browsers have it as a built-in option for testing purposes. Blocking a user agent to keep hackers out is roughly as effective as taping a poster that says "NO CRIMINALS PLZ" over your front door.

Blocking user agents does not provide security, but it does increase the cost of attack which is perfectly acceptable as a part of a larger defence strategy.

It's like moving SSH to another port -- it won't stop anyone who knows what they're doing, but the majority of the bots that blindly connect to port 22 on every single host that has it open will be stopped by it.

If I were a criminal and saw a "NO CRIMINALS PLZ" sign on the door of a house, I think I'd be far less likely to break in...

That homeowner has probably set booby traps etc.

It's interesting that Windows 7 and Chrome 72 don't work either. Using Browserling, and httpbin to get the headers, this combination doesn't work:


Here's a screenshot of the headers by that Browserling instance type: https://imgur.com/a/Z7bGbpm

This has been going on for a while for a SaaS called “Browserling” that appears, from the thread, to emulate or host a browser of some sort in the cloud somehow.

Does this issue affect normal Linux desktop-hosted locally-operated “the standard way” browsers?

It doesn't work on Firefox 65.0.1 on Arch Linux, but it works perfectly with exactly the same browser version on FreeBSD. I guess they are filtering everything that specifically says "Linux".

Excellent, thank you for that.

On elementaryOS it also gives the 502 Bad Gateway on both Firefox and Epiphany.

It's working today!

Just tried it on my locally hosted Arch Linux desktop. It doesn't work. Firefox, Chromium. Doesn't matter. Doesn't work.

That was the point of the Twitter interaction. A way for Apple to repro easily, but they ignored. I can't believe this has gone on so long quite honestly. Then again it really shows the ecosystem lock-in. This is a great example though... Eventually why not lock out everything non-Apple? Hasn't seemed to have mattered much over a month.

I don't think the person who brought it up was aware the issue was associated with the Linux/X11 user agent, unfortunately, so couldn't provide support with the right information to actually reproduce the issue in a useful way. Still, it shouldn't have been an issue for this long, and who knows when they'll actually get around to fixing it. I don't think they're in a hurry to help Linux or Android users.

I would disagree. It is not the end users job to hand an organization like Apple the issue on a silver platter. The user presented a 100% reliable reproduction of the issue to Apple Support. Apple ignored it and defending them by saying it wasn't presented in a "useful way" is, in my opinion, diminishing both what was brought to Apple in a relatively complete way and Apple failing to simply acknowledge or understand there is a problem.

I agree it likely won't be fixed anytime soon. It probably impacts single digit (or less) percentages of their users.

Did he once mention what kind of OS, phone or device he was using? There's like no actionable information there.

Indirectly, yes, they did. All of this information can be deduced from the browser in Browserling that was referenced as a working example to reproduce the error. There is a lot of actionable data that can be deduced given what was provided to Apple.

While there are many others, the site below [0] could have been used from the Browserling instance in question to deduce header information, which would have included the OS as you've requested. Someone in Apple Support could likely figure this out given that information and the ability to reproduce.

[0] https://httpbin.org/#/Request_inspection/get_headers

I've checked browserling and it spins up a browser in a hosted VM.

Which browser?

Per the actual thread, they're not blocking "Linux", they're blocking "X11; Linux" (case-insensitive).

Remove any character from that string and it succeeds.

dang: are you able to update the title to reflect that it's not just 'linux' being blocked?

If that was true, then "Invoke-WebRequest -Uri https://appleid.apple.com -UserAgent '(Linux)'" would return a 200 status, but it returns a 502 Bad Gateway

You're right, that's blocked. User-agent "(Linux)" is blocked, however User-agent "Linux" is not, while "X11; Linux" is blocked.
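The bisection these commenters are doing by hand (drop one character at a time from the UA and see whether the 502 goes away), generalised as an added example that is not from the thread: a greedy shrinker that, given a yes/no probe, reduces a full browser UA to a 1-minimal blocked substring, which is what an operator diagnosing their own WAF rule would want to know. The `stand_in_filter` is an assumption that models only the reported "X11; Linux, case-insensitive" behaviour so the script runs offline; against a real service the probe would send the request and return whether the response was a 502, and the probe counter shows how many requests such a reduction costs.

```python
from typing import Callable


def stand_in_filter(ua: str) -> bool:
    """Assumption: an offline stand-in for the reported behaviour, blocking
    any UA that contains "x11; linux" regardless of case. Not Apple's rule."""
    return "x11; linux" in ua.lower()


class CountingProbe:
    """Wraps a blocked?(ua) probe and counts how many times it was asked,
    i.e. how many requests a live reduction would have cost."""

    def __init__(self, probe: Callable[[str], bool]):
        self.probe, self.calls = probe, 0

    def __call__(self, ua: str) -> bool:
        self.calls += 1
        return self.probe(ua)


def single_deletions(s: str):
    """Every string obtained by removing exactly one character from s."""
    return [s[:i] + s[i + 1:] for i in range(len(s))]


def shrink(ua: str, is_blocked: Callable[[str], bool]) -> str:
    """Greedy one-character-at-a-time reduction: keep deleting any character
    whose removal leaves the string blocked, until no such character exists.
    The result is 1-minimal: removing any single further character unblocks it."""
    if not is_blocked(ua):
        raise ValueError("starting UA is not blocked; nothing to minimise")
    s = ua
    progress = True
    while progress:
        progress = False
        for cand in single_deletions(s):
            if is_blocked(cand):
                s, progress = cand, True
                break
    return s


def is_one_minimal(s: str, is_blocked: Callable[[str], bool]) -> bool:
    """True when s is blocked but every single-character deletion is not."""
    return is_blocked(s) and not any(is_blocked(c) for c in single_deletions(s))


def report(ua: str, probe: Callable[[str], bool]) -> dict:
    """Run the reduction and return what an operator would want to log."""
    counted = CountingProbe(probe)
    minimal = shrink(ua, counted)
    return {"minimal": minimal, "one_minimal": is_one_minimal(minimal, probe),
            "probes": counted.calls}


if __name__ == "__main__":
    # Constructed starting points: a stock Linux Firefox UA and the same
    # browser on FreeBSD, which the thread reports as unaffected.
    linux_ua = "Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"
    bsd_ua = "Mozilla/5.0 (X11; FreeBSD amd64; rv:65.0) Gecko/20100101 Firefox/65.0"
    print(report(linux_ua, stand_in_filter))
    print("FreeBSD blocked?", stand_in_filter(bsd_ua))
```

Greedy deletion finds a 1-minimal answer, not necessarily the shortest possible one, and the probe count grows quadratically with the UA length, which matters when each probe is an HTTP request against a service that may itself rate-limit you.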

When the whole battery debacle was happening, I could only reach the battery replacement page on Safari. On Chrome and Firefox, the pages would give an error (I wanna say the same gateway error).

It is probably time for browsers to stop sending a user agent string.

That would just start an arms race where they would profile the browser to figure out what type it is.

Better to just leave it as a string you can spoof and let them pretend that it is good enough.

If intentional yes, but this is probably an accident. You can't accidentally take action on data you don't have.

Just yesterday I came across this issue trying to set up my podcast with iTunes. I probably would have gone crazy if I hadn’t seen this post.

When I wanted to submit my podcast to the iTunes directory, I had to install iTunes in Wine because iTunes for Windows is the only way to create an Apple ID that does not involve giving Apple a boatload of money.

And of course, iTunes in Wine did not allow me to paste passwords, so I had to type in the autogenerated password. And the autogenerated answers for the "security" questions. Fun.

Apple has a walled-in garden

Google has a walled-in garden

Facebook is trying to make a walled-in garden

Does anyone else ever want to take out a flamethrower and just start from scratch...

It's so tiring.

*Facebook is a walled garden

Apple is also sniffing the UA (and doing some crazy heuristics with it) when delivering webpages to its App Store. I think it's because they want to try to serve you a different webpage that opens up the App Store application when you are clicking on a link, but it just doesn't work reliably. It's a pain for me, my users, and another instance of Apple just failing at the web.

User agent blocking is the most pointless kind, as you can set your string to whatever you want:

   Services.prefs.setCharPref('general.useragent.override', 'apple spoof');

Exactly. Of all the groups that might know how to spoof UA, the linux community is the most likely.

Clearly they didn't think this through.

> Clearly they didn't think this through.

You're assuming this was a malicious move on Apple's part, as opposed to negligence or apathy.

Wow, yes I ran into this issue the other day. Had to use my phone to access. I assumed it was the network and moved on.

Can’t believe it was due to running Ubuntu. WTF!

I sent them a support tweet and think you all should too.

This doesn't surprise me at all. business.apple.com refuses me on Firefox. Tweak the UA to be Chrome and it works 100%.

I spoofed my UA to "Linux", got the page loading normally, and my login worked.

Try "X11; Linux"

That doesn't necessarily mean they are willingly blocking linux, I've seen inconspicuous user agent strings triggering 502 errors before. It's just badly written code.

It's curious though, that the thread narrows it down to "X11; Linux", with that specific casing (update: nope, not case sensitive). Changing or removing any single char in that string stops the error.

Could it be that they identified a crash/vuln that involves X11 on Linux, or DDoS, or ATO, and proactively block that as an emergency mitigation?

I still vote for a filter gone awry, no need to be needlessly conspiracist.

They most likely had a reason to threat those people differently and a bug came up under that special case ;) Watch them fix it.

I agree with the first sentence, but would advise against holding your breath until they have fixed it.

s/threat/treat/, though.

Ah, yes, I concur with that. I thought you meant some generic parsing error related to the user agent string.

From the first comment of TFA:

> If I lowercase the 'L' it fails

so no, not that specific casing.

Ah, yeah. My head read failed as "failed to fail". Updated my comment.

Same, I read it twice to be sure because of the cognitive dissonance!

What browsers on Linux produce a User-agent containing that exact string _by default_, without user customization?

EDIT: Elsewhere in thread confirms Firefox and Chrome affected on lots of Linux.

I picked that up from the linked thread: 'So they're sniffing for "X11; Linux"'

Maybe just an oversimplified explanation, and it cares only about "X11;" and "Linux", regardless of whether they are together or not.

Mine only contains "X11; Fedora; Linux".

Yeah, I'd wager the firewall has a rule to check against bot traffic, which tend to come from Linux instances.

Probably overzealous, sure. Malicious? Doubtful.

Such a firewall could even have learned to block Linux user agents on its own. Similar to how some spam filters learn what email headers are associated with spammers. So if the firewall is seeing a lot of bad traffic with “X11; Linux” in their UA strings and little normal traffic with that in their UA strings then the firewall will take the presence of that as an indicator of possibly bad traffic.
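The learning failure mode this comment describes, as an added illustration that is not any vendor's filter: a Bernoulli naive-Bayes scorer over user-agent tokens, trained on a constructed log in which the credential-stuffing bots happen to run old Linux Firefox and only one legitimate user runs Linux. Once trained, it gives a present-day Linux desktop Firefox a high bot score, and `explain` shows that the tokens "x11" and "linux" carry the verdict, which is exactly the over-generalisation that would turn into a block on "X11; Linux". Every log line is constructed.

```python
import math
import re
from collections import Counter


def tokens(ua: str) -> set:
    """Alphabetic-led words only, so version numbers fall away and
    "Firefox/34.0" and "Firefox/65.0" both become the token "firefox"."""
    return {t.lower() for t in re.findall(r"[A-Za-z][A-Za-z0-9_]*", ua)}


# Constructed training log: a botnet that happens to run old Linux Firefox,
# ordinary users on Windows/macOS/iOS, and a single real Linux desktop user.
TRAINING = [
    ("Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0", "bot"),
    ("Mozilla/5.0 (X11; Linux i686; rv:34.0) Gecko/20100101 Firefox/34.0", "bot"),
    ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36", "bot"),
    ("python-requests/2.21.0", "bot"),
    ("Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0", "bot"),
    ("Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "bot"),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36", "good"),
    ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15", "good"),
    ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", "good"),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0", "good"),
    ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36", "good"),
    ("Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0", "good"),
]


def train(rows):
    """Document frequency of each token per class, plus class sizes."""
    df = {"bot": Counter(), "good": Counter()}
    n = Counter()
    for ua, label in rows:
        n[label] += 1
        df[label].update(tokens(ua))
    return {"df": df, "n": n}


def token_weight(model, tok: str) -> float:
    """Laplace-smoothed log ratio P(token|bot)/P(token|good)."""
    p_bot = (model["df"]["bot"][tok] + 1) / (model["n"]["bot"] + 2)
    p_good = (model["df"]["good"][tok] + 1) / (model["n"]["good"] + 2)
    return math.log(p_bot / p_good)


def log_odds(model, ua: str) -> float:
    """Class prior plus the summed evidence of the tokens present in the UA."""
    prior = math.log(model["n"]["bot"] / model["n"]["good"])
    return prior + sum(token_weight(model, t) for t in tokens(ua))


def explain(model, ua: str):
    """Tokens of the UA ordered by how strongly they push towards 'bot'."""
    return sorted(((t, token_weight(model, t)) for t in tokens(ua)),
                  key=lambda pair: -pair[1])


def is_flagged(model, ua: str, threshold: float = 0.0) -> bool:
    return log_odds(model, ua) > threshold


if __name__ == "__main__":
    model = train(TRAINING)
    for ua in ("Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0",
               "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36"):
        print(round(log_odds(model, ua), 2), is_flagged(model, ua), explain(model, ua)[:3])
```

The legitimate Linux user in the training set is outvoted five to one by the bots, so platform tokens end up as the strongest evidence even though they say nothing about intent; a filter that learns this way needs either a training sample balanced across the legitimate population or platform features excluded from the model.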

Don't bots typically fake a windows/chrome user agent though? I guess there might be enough low effort bots that just throw up a default platform/curl user agent.

Narh, it's extremely common to see stuff like Firefox 34 for Linux trying to log into WordPress sites a few hundred times per hour. I guess it's old malware that lives on in hacked web sites that the owners abandoned.

Any decent bot spoofs the UA string randomly to one of the top 10 most frequent UA strings. That's like the number 2 feature after the one the bot was built for.

I'm pretty sure they have integration tests to make sure that it doesn't block iOS devices. Not having those tests for common Linux browsers is... Apple.

A service we use has just started banning logins from the whole country of Japan on their Cloudflare; I'm just about to contact them about this. At this point I'm still willing to assume it's an automated filter gone wild and not some odd xenophobia.

Set my user agent to ' ' (single space character) in latest Safari on a new Mac. Get a 403 Forbidden.

Same thing for itunes billing, when clicking the link in your invoice email

Maybe they were getting attacked, and blocked a particular user agent.

I’ve had to do that before.
