PSA: Unauthorized API use can disable your FordPass account

[Logal727]

There's likely hundreds if not thousands of people using those integrations. I think they would have a mess on their hands if they did that. But true, there's no guarantee of anything, kinda like our HVBJB's

I should add that Ford specifically states that the API can be used with smart home products. It's part of the developer access information.

I think it's a poor choice of data security in general to block someone for something so trivial. If it was a bad actor they would just use the right user agent and get right through. Also the block isn't instant, it takes a day or 2. The damage could have been done.

They should get on the ones using the official user agent that are pinging for updates so many times they drain your 12v. Looking at you, Optiwatt.

Sponsored

 

[DevSecOps]

They should get on the ones using the official user agent that are pinging for updates so many times they drain your 12v. Looking at you, Optiwatt.

Hey now ... I've done that too. Purely for scientific research of course.

 

[kennelh]

have confirmed that Ford looks at the user agent string and will lock your account if you call the API with an unapproved user agent. Postman, for example, is an instant block on your account.

Individuals who query the endpoint with an unauthorized user agent string while using the Ford.com authentication tokens will be subsequently presented with a CSIAH0320E error when trying to login. Ford customer service doesn't see the account being suspended because they need the account to remain active for things such as Ford Motor Credit.

The only way to get unblocked is to contact the customer support team and ask them to file a ticket with the IT Security Team. They will likely ask you your "intentions" and then decide if they should unlock your account.

So what's the phone number for the customer support team? Asking for a friend who got the CSIAH0320E this morning

 

[DevSecOps]

So what's the phone number for the customer support team? Asking for a friend who got the CSIAH0320E this morning

? ? ? ? ?

No phone number. I'll send you a DM with the email address. You have to email them and it will take a couple days.

 

[Logal727]

So what's the phone number for the customer support team? Asking for a friend who got the CSIAH0320E this morning

You gotta stop trying to hack into Farley’s Lightning

 

[DevSecOps]

You gotta stop trying to hack into Farley’s Lightning

But ... it was a friend!! Ken would never do such a thing

 

[kennelh]

But ... it was a friend!! Ken would never do such a thing

I should have kept a closer eye on my evil twin Kent. He's always causing trouble.

 

[sockmeister]

I know this is an older thread and I debated making a new thread on this but figured that most people won't be attempting to query the Ford Endpoints.

I have confirmed that Ford looks at the user agent string and will lock your account if you call the API with an unapproved user agent. Postman, for example, is an instant block on your account.

Individuals who query the endpoint with an unauthorized user agent string while using the Ford.com authentication tokens will be subsequently presented with a CSIAH0320E error when trying to login. Ford customer service doesn't see the account being suspended because they need the account to remain active for things such as Ford Motor Credit.

The only way to get unblocked is to contact the customer support team and ask them to file a ticket with the IT Security Team. They will likely ask you your "intentions" and then decide if they should unlock your account.

It doesn't look like HA plugins or mobile widgets will cause this because they are obtaining a different auth token specifically for their application and using the correct user agent.

My take - This is dumb. It's your data and Ford is upset that you're accessing your own vehicles data. I don't know the extent of how they apply the bans but it would be interesting to test with someone else's VIN to see if it causes their account to be locked. I'm not gonna be the guy that tries that though.

Well, I'm definitely glad to have another point of confirmation that this was indeed the issue. Sorry it happened to you, @DevSecOps ! Welcome to my boat! ?
This was the reason that I never posted my app, because I was afraid of spreading something that would get peoples' accounts locked, but ever since I changed the user-agent, I've been using it without consequence.

Let me know if you need help unlocking it, though it sounds like you already have.

 

[Jonis]

? ? ? ? ?

No phone number. I'll send you a DM with the email address. You have to email them and it will take a couple days.

I´d like a DM also (also got the CSIAH0320E)

 

[jrdelong1043]

? ? ? ? ?

No phone number. I'll send you a DM with the email address. You have to email them and it will take a couple days.

I’m getting the same error code as of last night. Can you DM the email? Thanks!

 

[kennelh]

For what it's worth, I still waiting for a reply from Ford about how to get this fixed. I ended up creating another account with a different e-mail address.

 

[kennelh]

@Jonis and @jrdelong1043 ; were either of you using my widget or @tonesto7 's?

 

[jrdelong1043]

@Jonis and @jrdelong1043 ; were either of you using my widget or @tonesto7 's?

I was using Optiwatt app.

 

[Solares]

I haven’t checke/tested anything yet. But from latest information Ford has now a API the call “Ford User”.
I am seeing more and more apps that use this as Authenticator method for power mgm. Also I have got hold of contact information for someone that can help me get info for the API.

My point being. I don’t think there is a need for wacky Auth methods any longer.

 

[sockmeister]

I haven’t checke/tested anything yet. But from latest information Ford has now a API the call “Ford User”.
I am seeing more and more apps that use this as Authenticator method for power mgm. Also I have got hold of contact information for someone that can help me get info for the API.

My point being. I don’t think there is a need for wacky Auth methods any longer.

is "Ford User" supposed to be an open API for app developers?

Sponsored