The other day my friend lost his iPhone. He tried to use my Android to find it, but Apple's site just says it's unsupported. Really thoughtful of Apple to make that feature unavailable right when users need it the most.
Let's put an emphasis on the fact that this cannot be a technical limitation, as everyone else in the world manages to build websites that work on most devices, including Android.
The appleid is a security nightmare anyway. I used to use an account, associated to an email I own, with a password I know, and still I cannot log in, because it keeps asking the insecure "personal questions" that I never answer, because [generic privacy statement] and because I use a cryptographically secure password manager. As I did not save the personal questions I answered when signing up (tbh I probably just put garbage, as those are usually never asked when you know the password), and now I just cannot access it.
That's right, I own the email address and I know the password, and yet I cannot access my account. However, knowing who was my best friend when I was a teenager, or what was the name of my first pet are questions, in spite of being known by dozens of friends or acquaintances, that Apple requests as security measures needed to trust me as the owner of the account.
Having them on the phone provides zero help, 1 year later, I still cannot access it. It's definitively lost, and I feel happy I do not have any important information stored on the apple cloud.
It’s kind of insane that they do that considering the majority of phones are androids. It means many people are almost certainly going to need your laptop which really limits how it can be used.
I just found out all new iCloud accounts require your mobile number for 2FA.
A friend is in a study abroad program and broke his iPhone. He bought a new one but can’t access his account because he no longer has a “trusted device” (his broken iPhone) to verify his login and since he’s overseas, can’t get the fallback SMS.
In case anyone, like me, doesn't know what appleid.apple.com is: It is Apple's single-sign-on portal for Apple IDs. Meaning if it errors out you cannot get an authentication token and use any Apple property (e.g. Apple Store, iCloud, developer portal, etc).
I just logged into https://www.icloud.com/ on my firefox/linux desktop -- had a popup on my iphone for the security number, but I'm logged in, can access find-my-iphone, etc.
The SSO domain is idmsa.apple.com. appleid.apple.com is specifically the site for managing your AppleID (e.g. changing your name, password, trusted phone number, etc).
Apple ID is garbage, and I've been unable to reset my security questions due to Apple "not having sufficient information". Even calling Apple and having the agent try to reset the questions using a PIN did not work.
They escalated the ticket to some user department, where it promptly went nowhere. This was in October. When first dealing with this, I spent an hour on the phone with Apple. Clicking on my support ticket URL gives me the option to call them, but no way to email them back to inquire. It's a giant waste of time since Tier 1 agents go by script and cannot deviate without contacting a supervisor (whom I spoke to before).
So I guess I'm locked out of the system forever using my email address.
Well this explains it. I was getting an HTTP 502 on appleid.apple.com while trying to add Apple Pay support to a product I am working on. I called apple support to tell them the site was down. The support agent told me, and I quote, "Our internet is Safari. We don't support Firefox."
I guess Apple doesn't want developers to support their products.
Never attribute to malice that which is adequately explained by stupidity. Apple isn't exactly known for their ability to provide reliable internet services.
This is IMHO a badly misconfigured WAF or possibly application config bug and not some kind of grand conspiracy to exclude certain Linux users.
Not sure why people are claiming this as malicious. If Apple thought making life inconvenient for linux users was a good idea, this is about the least effective possible way to do that. And it's unclear why Apple would want to do that in the first place.
Seems far more likely that Apple was facing some sort of automated attacks on this particular subdomain (with linux UAs), and a beleaguered admin used this as a quick fix.
Remember when the only way to watch an Apple event live on their site was if you were using an Apple device?
It’s likely not malicious in the sense that they want to punish Linux users. And blocking Linux for this particular site may not have been something they even wanted to do. But in general Apple has been unnecessarily hostile towards non Apple devices, and it’s not hard to believe this is a consequence of that.
I doubt that could be it. Blocking by user agent would be a terrible idea. Way too broad a net and could easily be abused to shut down major browsers. Also easily bypassed by changing the agent name.
Does anyone have first hand experience with a WAF that did that?
If so, someone is very stupid. Spoofing the user agent is extremely easy, so much so that many browsers have it as a built-in option for testing purposes. Blocking a user agent to keep hackers out is roughly as effective as taping a poster that says "NO CRIMINALS PLZ" over your front door.
It's interesting that Windows 7 and Chrome 72 doesn't work as well. Using Browserling, and httpbin to get the headers this combination doesn't work either:
This has been going on for a while for a SaaS called “Browserling” that appears, from the thread, to emulate or host a browser of some sort in the cloud somehow.
Does this issue affect normal Linux desktop-hosted locally-operated “the standard way” browsers?
If that was true, then
"Invoke-WebRequest -Uri https://appleid.apple.com -UserAgent '(Linux)'"
would return a 200 status, but it returns a 502 Bad Gateway
When the whole battery debacle was happening, I could only reach the battery replacement page on Safari. On Chrome and Firefox, the pages would give an error (I wanna say the same gateway error).
When I wanted to submit my podcast to the iTunes directory, I had to install iTunes in Wine because iTunes for Windows is the only way to create an Apple ID that does not involve giving Apple a boatload of money.
And of course, iTunes in Wine did not allow me to paste passwords, so I had to type in the autogenerated password. And the autogenerated answers for the "security" questions. Fun.
Apple is also sniffing UA (and doing some crazy heuristics with it) when delivering webpages to its appstore.
I think it's because they want to try to serve you a different webpage that opens up the appstore application when you are clicking on a link, but it just doesn't work reliably.
It's a pain for me, my users, and another instance of Apple just failing at the web.
[+] [-] Canada|7 years ago|reply
[+] [-] invaliduser|7 years ago|reply
[+] [-] rukenshia|7 years ago|reply
source: lost my phone and went full panic mode when it said "unsupported" and fiddled around with it for 30 minutes on an android phone
[+] [-] swiley|7 years ago|reply
[+] [-] throwaway45901|7 years ago|reply
A friend is in a study abroad program and broke his iPhone. He bought a new one but can’t access his account because he no longer has a “trusted device” (his broken iPhone) to verify his login and since he’s overseas, can’t get the fallback SMS.
He basically has to wait until he returns.
[+] [-] jcul|7 years ago|reply
[+] [-] lscotte|7 years ago|reply
[+] [-] Someone1234|7 years ago|reply
[+] [-] isostatic|7 years ago|reply
[+] [-] eridius|7 years ago|reply
[+] [-] Severian|7 years ago|reply
[+] [-] wila|7 years ago|reply
[+] [-] jniedrauer|7 years ago|reply
[+] [-] ctime|7 years ago|reply
[+] [-] ld00d|7 years ago|reply
[+] [-] czr|7 years ago|reply
Seems far more likely that Apple was facing some sort of automated attacks on this particular subdomain (with linux UAs), and a beleaguered admin used this as a quick fix.
Or, even more probably, it's a misconfiguration.
[+] [-] addicted|7 years ago|reply
[+] [-] rblatz|7 years ago|reply
[+] [-] MichaelApproved|7 years ago|reply
[+] [-] PhasmaFelis|7 years ago|reply
[+] [-] windexh8er|7 years ago|reply
https://mobile.twitter.com/xdaroj/status/1090319095134867459
[+] [-] windexh8er|7 years ago|reply
https://www.browserling.com/browse/win/7/chrome/72/https%3A%...
Here's a screenshot of the headers by that Browserling instance type: https://imgur.com/a/Z7bGbpm
[+] [-] floatingatoll|7 years ago|reply
[+] [-] oarsinsync|7 years ago|reply
Remove any character from that string and it succeeds.
dang: are you able to update the title to reflect that it's not just 'linux' being blocked?
[+] [-] zovin|7 years ago|reply
[+] [-] kirion25|7 years ago|reply
https://www.reddit.com/r/linux/comments/atc0av/apples_apple_...
[+] [-] ear7h|7 years ago|reply
[+] [-] jrockway|7 years ago|reply
[+] [-] jandrese|7 years ago|reply
Better to just leave it as a string you can spoof and let them pretend that it is good enough.
[+] [-] npmaile|7 years ago|reply
[+] [-] majewsky|7 years ago|reply
[+] [-] dstola|7 years ago|reply
Google has a wall'ed-in garden
Facebook is trying to make a wall'ed-in garden
Does anyone else ever want to take out a flamethrower and just start from scratch...
It's so tiring
[+] [-] askvictor|7 years ago|reply
[+] [-] Jyaif|7 years ago|reply
[+] [-] svnpenn|7 years ago|reply
[+] [-] vkhn|7 years ago|reply
Clearly they didn't think this through.
[+] [-] RileyJames|7 years ago|reply
Can’t believe it was due to running Ubuntu. WTF!
[+] [-] solarkraft|7 years ago|reply
[+] [-] gargravarr|7 years ago|reply
[+] [-] mirages|7 years ago|reply
[+] [-] aembleton|7 years ago|reply