Strange CFNetwork User-Agents

Forum Moderators: open

Message Too Old, No Replies

Strange CFNetwork User-Agents

com.apple.WebKit.WebContent

dstiles

5:53 pm on Feb 18, 2015 (gmt 0)

I'm getting a lot of UAs for apple CFNetwork / Darwin devices with an odd introduction. The intro phrase is part of the webkit's coding but I think it may be escaping via some kind of flaw. However, it's coming in from a lot of sources and seems to mean no harm so it's getting through for now. Headers are ok-ish. Not sure how long this has been happening but probably months.

Full UA:
com.apple.WebKit.WebContent/10600.3.18 CFNetwork/720.2.4 Darwin/14.1.0 (x86_64)

wilderness

6:36 pm on Feb 19, 2015 (gmt 0)

I'm only getting a few of these, and for image requests only.

I've also a few similar image requests with:
"MobileSafari/600.1.4 CFNetwork/711.1.16 Darwin/14.0.0

lucy24

7:46 pm on Feb 19, 2015 (gmt 0)

for image requests only

The basic "Darwin" has got something to do with image search in mobiles if I remember rightly. But the prepended "com.apple.WebKit" is odd.

:: detour to check ::

Oh, here's one.

com.apple.WebKit.Networking/10600.1.25 CFNetwork/720.0.9 Darwin/14.0.0 (x86_64)

Came shortly after a human visit; the UA for the other stuff was

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25

Now that's interesting, because that's not a mobile.

dstiles, see if you find anything similar. I'm guessing it's something in Safari 8, which currently implies OS 10.10. (OS <= 10.9 can only support Safari 7; at various earlier versions the cutoff is Safari 6 or even 5.)

dstiles

9:42 pm on Feb 21, 2015 (gmt 0)

Thanks, Lucy. On a randomly-chosen site that has both HTTP and HTTPS (although the site immediately redirects to HTTPS), from a single IP I have a sequence of (time,page, port, response,ua)...

01:01:47 - (index.asp [port 80] 200) Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_10_2)+AppleWebKit/600.3.18+(KHTML,+like+Gecko)+Version/8.0.3+Safari/600.3.18

01:01:47 - (favicon.ico [port 80] 404) Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_10_2)+AppleWebKit/600.3.18+(KHTML,+like+Gecko)+Version/8.0.3+Safari/600.3.18

01:01:47 - (index.asp [port 80] 200) Mozilla/5.0+(iPhone;+CPU+iPhone+OS+8_1+like+Mac+OS+X)+AppleWebKit/600.1.4+(KHTML,+like+Gecko)+Version/8.0+Mobile/12B410+Safari/600.1.4

01:01:47 - (apple-touch-icon-precomposed.png [port 80] 301) com.apple.WebKit.WebContent/10600.3.18+CFNetwork/720.2.4+Darwin/14.1.0+(x86_64)

01:01:47 - (/ [port 80] 302) com.apple.WebKit.WebContent/10600.3.18+CFNetwork/720.2.4+Darwin/14.1.0+(x86_64)

01:01:53 - (/ [port 443] 200) com.apple.WebKit.WebContent/10600.3.18+CFNetwork/720.2.4+Darwin/14.1.0+(x86_64)

01:01:53 - (apple-touch-icon.png [port 80] 301) com.apple.WebKit.WebContent/10600.3.18+CFNetwork/720.2.4+Darwin/14.1.0+(x86_64)

01:01:53 - (/ [port 80] 302) com.apple.WebKit.WebContent/10600.3.18+CFNetwork/720.2.4+Darwin/14.1.0+(x86_64)

01:01:53 (/ [port 443] 200) com.apple.WebKit.WebContent/10600.3.18+CFNetwork/720.2.4+Darwin/14.1.0+(x86_64)

(NOTE: + instead of spaces as it's direct from logs)

Apart from anything else, images associated with an HTTPS page should surely be fetched using SSL? Browsers object if on-page images are non-SSL and I would expect the same for icons, since technically I could tell the site not to serve ANYTHING to port 80 (in fact, this site only uses port 80 for backwards compatibilty with users' old bookmarks).

I have a few other entries of similar format, though not always identical.