Firewalla Gold Plus - iPhone and Paypal

Comments

35 comments

  • Official comment
    Avatar
    Firewalla

    We found the issue and it may be just a Paypal app bug. What happens is, PayPal while doing 2FA always queries a domain name "undefined"[.]lan (or whatever local domain is), and since this is an invalid domain on the LAN, firewalla will not reply. Then ... paypal app will hang there. (we are still trying to understand more on even how to fix this issue ... since Paypal app if funky)

    What you can do is add a rule to block "undefined[.]lan" or whatever your local domain is, it will work, for example

    Comment actions Permalink
  • Avatar
    Firewalla

    Do you have any rules that may potentially block Paypal? look for things that have a "default" block mode. (default will block things that related to Paypal IP addresses)

    Was the Paypal list created by you?

    0
    Comment actions Permalink
  • Avatar
    pylorns

    Yes, I just created this paypal target list today when I was troubleshooting.  I'm not seeing anything that stands out - could ad blocker be causing this to not work?

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Ad blocker shouldn't block paypal. Have you tried to turn it off and see?

    0
    Comment actions Permalink
  • Avatar
    pylorns

    Ok so the problem only happens on my iPhone and not my PC - so that would eliminate (I would think) it being firewalla. But still strange that when its on wifi on the network is not loading. 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    When your iphone is not working, can you tap on devices->iphone->networkflow and look at the blocked flow? and see if there is anything there may be blocking? if there is something, tap on it and then do a diagnostic on it ...

    0
    Comment actions Permalink
  • Avatar
    pylorns

    Just mask.icloud.com and mask-h2.icloud.com show up under blocked.

    0
    Comment actions Permalink
  • Avatar
    pylorns

    Turning off or on apple wifi privacy on the iPhone also has no impact. 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Can you try turn on icloud private browsing and then use safarai to access Paypal? some one told me one user had an issue and likely it is because Paypal some how didn't like the IP address, and cloud private browsing was able to get through 

    0
    Comment actions Permalink
  • Avatar
    pylorns

     

     

    It just hangs. 

     

    0
    Comment actions Permalink
  • Avatar
    Harald Schardt

    I recently switched my purple to beta 1.975. on that release I had the same problems on my iOS devices. I just switched back to stable 1.9742 and the problems are gone!

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Do you have the same issue accessing Paypal? @harald? 

    0
    Comment actions Permalink
  • Avatar
    Harald Schardt

    Yeah. I had the exact same problem with PayPal on 1.975.

    0
    Comment actions Permalink
  • Avatar
    Christopher Coco

    Having the exact same problem with an FWG also on 1.975. Nothing showing up in the blocked flows that seem PayPal related, and anecdotally it appears to be related to how PayPal presents the 2FA challenge as that is where the flow stalls.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Are all of your tests the app or web? If you go to LTE will the problem go away? And will emergency mode (rules->top right corner->turn on emergency access) work?

    0
    Comment actions Permalink
  • Avatar
    Christopher Coco

    I have tried app and web on iPhone. I just tried it on LTE and it works as expected. When I switch back to my home Wi-Fi (with the FWG as a router), I get the problem (I have Private Wi-Fi Address disabled for the iPhone). Turning on emergency mode also lets me through and I can get the 2FA challenge and get into my account. FWIW, the problem happens not just when logging into your account but also when trying to complete a purchase (since credentials and the 2FA are required then as well) -- which is what I originally hit (I couldn't complete a purchase on the web, then couldn't get in via the app nor then the web). 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Okay, thank you for the information. We are trying to reproduce the issue here ... may I know what DNS you are setting? and are you in the states? 

    0
    Comment actions Permalink
  • Avatar
    pylorns

    Using DNS over HTTPS with servers: Cloudflare, Quad9 selected. 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Is this problem only occur on the Paypal app? if it does, may I know if you are android or iOS? We are testing it now ...

    0
    Comment actions Permalink
  • Avatar
    Christopher Coco

    I'm in the US, San Francisco Bay Area. Originally, I had Google DNS (8.8.8.8, 8.8.4.4) but switched to Cloudflare in trying to triage this issue (1.1.1.1, 1.0.0.1). I'm running with DNS over HTTPS as well and originally had all the default servers selected but now just the default Cloudflare and the Cloudflare with Malware server added manually. I have DNS booster turned on for all devices. I have the DoH Servers target list blocked for all devices. I've been running DNS over HTTPS with the DoH Server target list blocked for some time with no issues.

    0
    Comment actions Permalink
  • Avatar
    Christopher Coco

    The issue is with the app and with the web and seems to be when the 2FA challenge is supposed to be presented. FWIW, it doesn't happen with the PayPal for business app. Only the main consumer app. I have only tested on iPhone and my Macbook Pro. I can reproduce it on the iPhone with both the app and in Safari and Chrome. I can also reproduce it on my Macbook Pro in Safari and Chrome.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Thanks, we are still trying to reproduce it. We have something, but not consistently having the issue, so we are not sure if it is the Paypal side, DNS related or just our office space is not working well. (we have one instance, that the 2FA screen doesn't show anything ...)

    If anyone using android, please let us know if you have the same issue. 

    0
    Comment actions Permalink
  • Avatar
    pylorns

    You can pair two phones with the firewalla correct? I have an android I can pair and test with as well. 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Sorry, I mean testing the paypal issue on android vs. iOS ... we have many theories ...

    0
    Comment actions Permalink
  • Avatar
    Christopher Coco

    I have a Lenovo M8 Tablet and just tried it in Chrome and with the PayPal app from the Playstore on my Wi-Fi and no issues. So yes, seems like it may be specific to Apple devices.

    0
    Comment actions Permalink
  • Avatar
    Christopher Coco

    This solution appears to work not only for the PayPal app but also for the web (with Chrome and Safari) on an iPhone (haven't tried it on the Macbook). FWIW, it looks like potentially there's necessary Javascript (and the PayPal favicon) being requested (likely due to a bug?) from the "undefined" domain. Thanks for the help.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Wow, thanks! May I include this in our release note? I can attribute this to this thread (with a link to your message) we are pulling our hair out for a few days and ... this just wild ... 

    0
    Comment actions Permalink
  • Avatar
    Christopher Coco

    Yep, it’s OK with me, though you may want to check with the OP. And yeah, this is an odd one.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    For sure ... this is definitely one of the hardest issues we found; mainly because none of us really thought about a potential bug in the Paypal software ... until tcpdump happens. 

    0
    Comment actions Permalink
  • Avatar
    pylorns

    Yep that temp fix worked like a champ.  Great job, gave you guys some mental exercise with this bug.

    0
    Comment actions Permalink

Please sign in to leave a comment.