• Please review our updated Terms and Rules here

Mouser "Access Denied" message?

SomeGuy

Veteran Member
Joined
Jan 2, 2013
Messages
4,536
Location
Marietta, GA
Anyone else getting this "Access Denied" message when trying to use search or view products on Mouser.com?

I know a couple of weeks ago they were having some major slowdowns on their web site. Everything is falling apart these days.

MouserAccessDenied.png
 
Yes, I've also been getting banned as a "bot" lately. Even if I log into my account first (LOL). I went so far as to fill out the form to complain about it, and got no response.

I've had similar problems on Digikey for a couple years now.
 
I got fed a CAPTCHA recently; I suspect when I tried to use the keyboard to walk through some of the filters, it probably generated large numbers of filtered-search requests at once.
 
Well, I'm still seeing the error. It's extra dumb that it will let me log in from the main page and then crap in my face when I try to search or view a product. I'm a paying customer, but it can't put 2 and 2 together.
 
Well, I'm still seeing the error. It's extra dumb that it will let me log in from the main page and then crap in my face when I try to search or view a product. I'm a paying customer, but it can't put 2 and 2 together.
Try a phone call.
 
This looks like someone could be trying to hack or DDoS them, though that's just my guess, I don't really know what's going on.
 
This looks like someone could be trying to hack or DDoS them, though that's just my guess, I don't really know what's going on.

More likely gross incompetence. I had to call their help desk because they screwed up my order and the normal report form was broken and would throw random errors trying to use it. The lady on the phone said they were having some major problems on the backend of their website, that's an understatement.

I haven't been able to view my profile for several weeks either, it just says the page doesn't exist.
 
ARRRRAAAAG! I finally got a few minutes to mess with it, and I find that changing my user agent to look like a plain vanilla web browser on a plain vanilla Windows lets me in.

They are user agent sniffing! What, is this 1998?! Best Viewed in Microsoft Internet Explorer 4 on Microsoft Windows 98 ?

Because no malware/DDOS can use a common user agent? Please, malware vendors make your user agents look like smartphones!

Browser agent sniffing is practically the definition of incompetence. Of course, no one has dedicated IT staff any more. No value in keeping knowledgeable people around who can become familiar with your specific systems and prevent stuff from falling apart in the first place. Everything has to be reactive, and even then it is burried in a thousand layers of bureaucracy.

Edit: After trying a few different user agents - and it looks like they will wind up blocking at least a few different Linuxes - it gave me some kind of captcha puzzle and then went ahead anyway and set a COOKIE in my browser to tell me I'm blocked no matter what UA. A cookie? Well, reset that, and at least my IP address is not blocked... yet.
 
Last edited:
User agent checks are standard practice in web design, and have been since the very beginning of the internet. Without them, you can't tell who is looking at your website, which is especially important these days with the vast number of different web browsers and versions of those browsers. It's also extremely important for security, bad actors may abuse agent strings, which can be used to detect malicious behavior.

Without user agent checking, you wouldn't be able to determine which version of your site you serve to the client. Desktop, mobile, HTML only or something else based on the client's browser. The Macintosh Repository uses user agent checking to determine if you're running on a real classic Macintosh (or an emulator), and will disable SSL and download limits if you are.

Agent checks were especially important in the IE era, because IE didn't conform to web standards and was so hideously broken that web developers had to maintain an entirely separate copy of the website JUST for IE users to avoid getting complaints about broken pages. I hated hosting websites back then, half of each page would contain huge blocks of exception code to work around broken IE problems. Thankfully it's not as much of an issue anymore, but different versions of the same modern browsers can still handle pages in unpredictable ways. There was a defcon presentation some years back
 
It's also extremely important for security, bad actors may abuse agent strings, which can be used to detect malicious behavior.
I would love to hear details on exactly how someone "abusing" a user agent can become a security issue.

My assumption, based on Mouser's messages, is that someone was using a scripting tool to guzzle their site content. And such scripting tools may happen to use a different user agent so sites can handle/throttle/block such tools. But Mouser went overboard and blocked everything they considered "non-standard", including things people might need for accessibility.

Such tools never had to identify themselves differently in the first place. What security issue would that cause? If we are talking about a DOS/DDOS, then there is simply an issue with their site resources.
 
I would love to hear details on exactly how someone "abusing" a user agent can become a security issue.

Your contempt for seemingly innocuous user agent strings is the mindset that allowed ACE/RCE using CVE-2021-44228.

When threat actors can use activity status LEDs on network ports to steal data on airgapped systems, you can't dismiss anything as a potential threat source in computer security.
 
Let's be perfectly clear here: while it may be possible to perform exploits by user-agent spoofing, that's not why anybody implements things like this. It is 100% down to a "we don't want to bother making sure our vastly overcomplicated site design works on anything other than (IE | Chrome | Edge), but we don't want to look like fools when it breaks, so if you're not on the Approved Browser List, here's a big screw-you page instead" mindset, and always has been.
 
Back
Top