Garmin account deactivated probably due to gcexport

[octomike]

I've been in rather stressful contact with Garmin over the last 2 weeks because my account got deactivated - twice. I used to use this script to auto-sync my activities once every hour.

After lengthy discussions with the user support they concluded that I should disable the program because it makes calls to their SSO service (??? of course it does). I can't quote here, because it's prohibited to disclose information from that communication ( 🙄 ). Apparently they also implemented a new service a couple of weeks back and my guess is that it erroneously auto-detects the syncer as a malicious program and locks the account.

I primarily opened this issue for people in the same situation. If you are greeted with this (incorrect) message:

Welcome back! We hadn’t seen you in a while, so your account was
temporarily deactivated. To reactivate your account, follow the
instructions in the email we just sent to the email address below.

chances are you are also locked out. Don't wait for that e-mail, because it never arrives. Don't try to reset your password, it won't work. You have to open a ticket and they have to manually reset your account with a password.

[cristian5th]

I might be writing a nonsense, but there are other python apps connecting to Garmin and there is some discussions stating that Garmin is now behind Cloudfare. This seems to change the way the requests need to be made.

On the bright side, Python seems to have a library called CloudScrapper that seems to take care of the solution.

This project, for example, is using CloudScrapper to read information from Withings, create a FIT file with that information and send this file to Garmin Connect:
https://github.com/jaroslawhartman/withings-sync.git

Once again, I'm not expert and maybe all I'm writing is false but if some of you have better knowledge, this info might help.

[pe-st]

I have never seen the quoted message, and my account was never locked out. But this is of course no proof that it can't happen. And a service like Garmin Connect is supposed to change form time to time, maybe also only for some users (e.g. with blue-green deployment) or some geographical locations (different data centers), so it might happen for some users and not for others.

With my tests I have already run into different errors (e.g. Error 429 Too many requests or Error 403 Forbidden), but these were never permanent. I would be careful to run this script as cron job however, every hour seems quite often.

In fact just today I observed a strange behaviour of getting HTTP Error 403 when running with Python 2.7.18, but not with 3.9.0. And I can see in the gcexport.log that the login URLs are different, but I haven't had the time to investigate in detail.

@octomike What Python version are you using? What HTTP error did you get (should have been written to the log file)?

[octomike]

TIL that there is a large log file tracking my login attempts 😅

This seems to be the first round of the cron job that initially triggered a password reset process (I got 6 mails / 1 every hour) and later resulted in my account being locked.

021-05-04 07:05:01,912 [INFO   ] Starting gcexport.py version 3.0.3, using Python version 2.7.16
2021-05-04 07:05:01,916 [INFO   ] New logfile level: DEBUG
2021-05-04 07:05:01,916 [DEBUG  ] New console log level: INFO
2021-05-04 07:05:01,916 [WARNING] Output directory /srv/sync/mk/garmin/ already exists. Will skip already-downloaded files and append to the CSV file.
2021-05-04 07:05:01,917 [DEBUG  ] Login params: webhost=https%3A%2F%2Fconnect.garmin.com&locale=en_US&rememberMeShown=true&generateNoServiceTicket=false&id=gauth-widget&service=https%3A%2F%
2Fconnect.garmin.com%2Fmodern%2F&connectLegalTerms=true&redirectAfterAccountCreationUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&displayNameShown=false&redirectAfterAccountLoginUrl=http
s%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&source=https%3A%2F%2Fconnect.garmin.com%2Fen-US%2Fsignin&rememberMeChecked=false&generateExtraServiceTicket=true&openCreateAccount=false&showPasswor
d=true&createAccountShown=true&embedWidget=false&initialFocus=true&gauthHost=https%3A%2F%2Fsso.garmin.com%2Fsso&globalOptInChecked=false&cssUrl=https%3A%2F%2Fstatic.garmincdn.com%2Fcom.garm
in.connect%2Fui%2Fcss%2Fgauth-custom-v1.2-min.css&locationPromptShown=true&globalOptInShown=true&mobile=false&clientId=GarminConnect&generateTwoExtraServiceTickets=false&consumeServiceTicke
t=false
2021-05-04 07:05:01,917 [INFO   ] Connecting to https://sso.garmin.com/sso/signin?webhost=https%3A%2F%2Fconnect.garmin.com&locale=en_US&rememberMeShown=true&generateNoServiceTicket=false&id=gauth-widget&service=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&connectLegalTerms=true&redirectAfterAccountCreationUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&displayNameShown=false&redirectAfterAccountLoginUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&source=https%3A%2F%2Fconnect.garmin.com%2Fen-US%2Fsignin&rememberMeChecked=false&generateExtraServiceTicket=true&openCreateAccount=false&showPassword=true&createAccountShown=true&embedWidget=false&initialFocus=true&gauthHost=https%3A%2F%2Fsso.garmin.com%2Fsso&globalOptInChecked=false&cssUrl=https%3A%2F%2Fstatic.garmincdn.com%2Fcom.garmin.connect%2Fui%2Fcss%2Fgauth-custom-v1.2-min.css&locationPromptShown=true&globalOptInShown=true&mobile=false&clientId=GarminConnect&generateTwoExtraServiceTickets=false&consumeServiceTicket=false
2021-05-04 07:05:02,846 [DEBUG  ] Got 200 in 0.928194999695 s from https://sso.garmin.com/sso/signin?webhost=https%3A%2F%2Fconnect.garmin.com&locale=en_US&rememberMeShown=true&generateNoServiceTicket=false&id=gauth-widget&service=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&connectLegalTerms=true&redirectAfterAccountCreationUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&displayNameShown=false&redirectAfterAccountLoginUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&source=https%3A%2F%2Fconnect.garmin.com%2Fen-US%2Fsignin&rememberMeChecked=false&generateExtraServiceTicket=true&openCreateAccount=false&showPassword=true&createAccountShown=true&embedWidget=false&initialFocus=true&gauthHost=https%3A%2F%2Fsso.garmin.com%2Fsso&globalOptInChecked=false&cssUrl=https%3A%2F%2Fstatic.garmincdn.com%2Fcom.garmin.connect%2Fui%2Fcss%2Fgauth-custom-v1.2-min.css&locationPromptShown=true&globalOptInShown=true&mobile=false&clientId=GarminConnect&generateTwoExtraServiceTickets=false&consumeServiceTicket=false
2021-05-04 07:05:02,980 [DEBUG  ] Cookie __cfduid : REDACTED
2021-05-04 07:05:02,981 [DEBUG  ] Cookie __VCAP_ID__ : REDACTED
2021-05-04 07:05:02,981 [DEBUG  ] Cookie __cflb : REDACTED
2021-05-04 07:05:02,981 [DEBUG  ] Cookie org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE : en_US
2021-05-04 07:05:02,982 [DEBUG  ] Cookie SESSION : REDACTED
2021-05-04 07:05:04,438 [DEBUG  ] Got 200 in 1.45574402809 s from https://sso.garmin.com/sso/signin?webhost=https%3A%2F%2Fconnect.garmin.com&locale=en_US&rememberMeShown=true&generateNoServiceTicket=false&id=gauth-widget&service=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&connectLegalTerms=true&redirectAfterAccountCreationUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&displayNameShown=false&redirectAfterAccountLoginUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&source=https%3A%2F%2Fconnect.garmin.com%2Fen-US%2Fsignin&rememberMeChecked=false&generateExtraServiceTicket=true&openCreateAccount=false&showPassword=true&createAccountShown=true&embedWidget=false&initialFocus=true&gauthHost=https%3A%2F%2Fsso.garmin.com%2Fsso&globalOptInChecked=false&cssUrl=https%3A%2F%2Fstatic.garmincdn.com%2Fcom.garmin.connect%2Fui%2Fcss%2Fgauth-custom-v1.2-min.css&locationPromptShown=true&globalOptInShown=true&mobile=false&clientId=GarminConnect&generateTwoExtraServiceTickets=false&consumeServiceTicket=false#
2021-05-04 07:05:04,567 [DEBUG  ] Cookie __cfduid : REDACTED
2021-05-04 07:05:04,567 [DEBUG  ] Cookie __cfruid : REDACTED
2021-05-04 07:05:04,567 [DEBUG  ] Cookie __VCAP_ID__ : REDACTED
2021-05-04 07:05:04,568 [DEBUG  ] Cookie __cflb : REDACTED
2021-05-04 07:05:04,568 [DEBUG  ] Cookie org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE : en_US
2021-05-04 07:05:04,568 [DEBUG  ] Cookie SESSION : REDACTED
2021-05-04 08:05:01,436 [INFO   ] Starting gcexport.py version 3.0.3, using Python version 2.7.16
[.. next round an hour later ..]

I used to run python gcexport.py -v -d /srv/sync/mk/garmin/ -u -f original --password REDACTED --username REDACTED -c 15 --desc to sync my activities on Debian stable.

[pe-st]

I think the issue is linked to the Python version (see #64)

@octomike I see you're using Python 2.7.16. It might not be trivial with Debian, but there sure is a way to have Python 3.x somehow? (Version 2.7 isn't maintained anymore)

[octomike]

Ah, true! In fact it's very trivial to switch to python3 in Debian - it's just that the default python still links to 2.x for compatibility reasons I guess.

I'm going to be brave here and switch on my hourly cron job again (with py3) - risking a lock-out. Will report back if I encounter any issues :)

[octomike]

Hourly cron jobs worked fine, no lock-out to report.

I'm considering this closed. Thanks a lot!

[octomike]

It happened again this morning - my Garmin account is locked again :(

This is the log from today (only one sync was tried):

2021-07-14 08:05:01,448 [INFO   ] Starting gcexport.py version 3.1.0, using Python version 3.7.3
2021-07-14 08:05:01,453 [INFO   ] New logfile level: DEBUG
2021-07-14 08:05:01,453 [DEBUG  ] New console log level: INFO
2021-07-14 08:05:01,453 [WARNING] Output directory /srv/sync/mk/garmin/ already exists. Will skip already-downloaded files and append to the CSV file.
2021-07-14 08:05:01,454 [DEBUG  ] Login params: service=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&webhost=https%3A%2F%2Fconnect.garmin.com&source=https%3A%2F%2Fconnect.garmin.com%2Fen-US%2Fsignin&redirectAfterAccountLoginUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&redirectAfterAccountCreationUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&gauthHost=https%3A%2F%2Fsso.garmin.com%2Fsso&locale=en_US&id=gauth-widget&cssUrl=https%3A%2F%2Fstatic.garmincdn.com%2Fcom.garmin.connect%2Fui%2Fcss%2Fgauth-custom-v1.2-min.css&clientId=GarminConnect&rememberMeShown=true&rememberMeChecked=false&createAccountShown=true&openCreateAccount=false&displayNameShown=false&consumeServiceTicket=false&initialFocus=true&embedWidget=false&generateExtraServiceTicket=true&generateTwoExtraServiceTickets=false&generateNoServiceTicket=false&globalOptInShown=true&globalOptInChecked=false&mobile=false&connectLegalTerms=true&locationPromptShown=true&showPassword=true
2021-07-14 08:05:01,454 [INFO   ] Connecting to https://sso.garmin.com/sso/signin?service=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&webhost=https%3A%2F%2Fconnect.garmin.com&source=https%3A%2F%2Fconnect.garmin.com%2Fen-US%2Fsignin&redirectAfterAccountLoginUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&redirectAfterAccountCreationUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&gauthHost=https%3A%2F%2Fsso.garmin.com%2Fsso&locale=en_US&id=gauth-widget&cssUrl=https%3A%2F%2Fstatic.garmincdn.com%2Fcom.garmin.connect%2Fui%2Fcss%2Fgauth-custom-v1.2-min.css&clientId=GarminConnect&rememberMeShown=true&rememberMeChecked=false&createAccountShown=true&openCreateAccount=false&displayNameShown=false&consumeServiceTicket=false&initialFocus=true&embedWidget=false&generateExtraServiceTicket=true&generateTwoExtraServiceTickets=false&generateNoServiceTicket=false&globalOptInShown=true&globalOptInChecked=false&mobile=false&connectLegalTerms=true&locationPromptShown=true&showPassword=true
2021-07-14 08:05:01,820 [DEBUG  ] Got 200 in 0.36526102502830327 s from https://sso.garmin.com/sso/signin?service=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&webhost=https%3A%2F%2Fconnect.garmin.com&source=https%3A%2F%2Fconnect.garmin.com%2Fen-US%2Fsignin&redirectAfterAccountLoginUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&redirectAfterAccountCreationUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&gauthHost=https%3A%2F%2Fsso.garmin.com%2Fsso&locale=en_US&id=gauth-widget&cssUrl=https%3A%2F%2Fstatic.garmincdn.com%2Fcom.garmin.connect%2Fui%2Fcss%2Fgauth-custom-v1.2-min.css&clientId=GarminConnect&rememberMeShown=true&rememberMeChecked=false&createAccountShown=true&openCreateAccount=false&displayNameShown=false&consumeServiceTicket=false&initialFocus=true&embedWidget=false&generateExtraServiceTicket=true&generateTwoExtraServiceTickets=false&generateNoServiceTicket=false&globalOptInShown=true&globalOptInChecked=false&mobile=false&connectLegalTerms=true&locationPromptShown=true&showPassword=true
2021-07-14 08:05:01,822 [DEBUG  ] Cookie __VCAP_ID__ : REDACTED
2021-07-14 08:05:01,823 [DEBUG  ] Cookie __cflb : REDACTED
2021-07-14 08:05:01,823 [DEBUG  ] Cookie org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE : en_US
2021-07-14 08:05:01,823 [DEBUG  ] Cookie SESSION : REDACTED
2021-07-14 08:05:02,789 [DEBUG  ] Got 200 in 0.9650902689900249 s from https://sso.garmin.com/sso/signin?service=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&webhost=https%3A%2F%2Fconnect.garmin.com&source=https%3A%2F%2Fconnect.garmin.com%2Fen-US%2Fsignin&redirectAfterAccountLoginUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&redirectAfterAccountCreationUrl=https%3A%2F%2Fconnect.garmin.com%2Fmodern%2F&gauthHost=https%3A%2F%2Fsso.garmin.com%2Fsso&locale=en_US&id=gauth-widget&cssUrl=https%3A%2F%2Fstatic.garmincdn.com%2Fcom.garmin.connect%2Fui%2Fcss%2Fgauth-custom-v1.2-min.css&clientId=GarminConnect&rememberMeShown=true&rememberMeChecked=false&createAccountShown=true&openCreateAccount=false&displayNameShown=false&consumeServiceTicket=false&initialFocus=true&embedWidget=false&generateExtraServiceTicket=true&generateTwoExtraServiceTickets=false&generateNoServiceTicket=false&globalOptInShown=true&globalOptInChecked=false&mobile=false&connectLegalTerms=true&locationPromptShown=true&showPassword=true#
2021-07-14 08:05:02,791 [DEBUG  ] Cookie __cfruid : REDACTED
2021-07-14 08:05:02,792 [DEBUG  ] Cookie __VCAP_ID__ : REDACTED
2021-07-14 08:05:02,792 [DEBUG  ] Cookie __cflb : REDACTED
2021-07-14 08:05:02,792 [DEBUG  ] Cookie org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE : en_US
2021-07-14 08:05:02,792 [DEBUG  ] Cookie SESSION : REDACTED

[pe-st]

Strangely the two HTTP requests visible in the log get 200, meaning they were successful, so I can't see in the logs any error. How did the lock manifest itself? Did the script stop working?

BTW: Python 3.7.3 is from 2019-03-25, is there no newer Python 3 for Debian?

[octomike]

How did the lock manifest itself?

Two effects:

1. I get an e-mail with password reset instructions (as though I had clicked "I forgot my password")
2. Login on sso/connect.garmin.com doesn't work anymore

BTW: Python 3.7.3 is from 2019-03-25, is there no newer Python 3 for Debian?

Yes, that's intended behavior in Debian. It is not a rolling release distribution and throughout the lifetime of a release (2 years usually) all packages stay API stable, a fundamental strength in Debian imho.
You can find the detailed Changelog of the python 3.7 package here if you are interested: https://metadata.ftp-master.debian.org/changelogs//main/p/python3.7/python3.7_3.7.3-2+deb10u3_changelog

[jaant]

happens to me as well: every 1-3 weeks garmin blocks my bot by pretending that i requested password change. furthermore, every new sso request after that results in another phantom password change request, so they keep sending the "here's your new password" emails until i log in manually. looks like some anti-bot measure on garmin side that would be great to reverse-engineer.

[octomike]

Haven't had an issue / lockout with this for quite a while now. Closing

[jaant]

FWIW, still happens here

[octomike]

Didn't mean to shut you out, sorry.. you're welcome to reopen.

Out of curiosity: How often are you exporting? I'm syncing once an hour between 8am and 11pm and no lockouts so far

[jaant]

no worries. my bot polls the data 3 times a day. indeed, i should perhaps try polling only once per day and see if that helps.

EDIT: though your polls seem even more frequent than mine. i'm also requesting quite bit of overlapping data to check for retrospective changes -- that could also be a problem.

[octomike]

i'm also requesting quite bit of overlapping data to check for retrospective changes -- that could also be a problem.

True, it could fire after a certain amount of requests.

This is what I'm calling every hour:

python3 gcexport.py  -v -d PATH  -u -f original --password PASS --username USER  -c 10 --desc

[jaant]

thanks. i'm not using the script verbatim, actually, just similar sequence of requests against garmin services. so one very plausible explanation is that i'm doing something subtly differently (in addition to different request parameters). will investigate when i get a chance (needing to manually log in every 2 weeks isn't a major inconvenience though, so i might not get around to it).