4

So a few months ago I started having this issue where when I would try to access some websites I would randomly get an access denied page. I didn't think much about it at first and just continued on with my life. Fast forward to now. I tried to sign up for a March Madness bracket and got blocked. I can't check out at Kohl's or other online shopping websites. I can't get Greyhound or Amtrak tickets. I can't access my bank account. Essentially, it is becoming a little more inconvenient.

After trying random things, I tried spelling my last name (Fread) differently. I put in Frea instead, without the "d" on the end. Magically, things would work again. After talking to some friends, they helped me troubleshoot and we learned that Fread is a PHP command, fread, and we realized that if we typed in other PHP commands, e.g. fwrite, we would also get an access denied page.

Problem solved, except not really. I have no idea how to fix this issue. I don't even know who to talk to or contact from the numerous websites that block me. My bank has been working on the issue for 2 months now and hasn't updated me in 2 weeks on what they are doing to fix the problem.

Unfortunately for me, I can't use my credit card with a misspelled last name and still can't log into my bank account because fread is part of my username. I would appreciate any feedback that would help me to get back the ability to use my last name on these websites again!!

Who do I contact? How do I get people to care enough to fix it? Why? Thoughts to help?

Just so everyone can see I am not lying, here is an example website where it happens. This walkthrough will link you to the Footlocker website for creating an account. Once there, ALL you have to enter is Fread in the last name field and hit submit. Bam! Access denied. Go back and change it to Fwrite and hit submit. Bam! Access denied. Go ahead and put your name in now, or any non-PHP command. Now it works and there is no access denied.

  1. Go to: https://www.footlocker.com/account/?action=accountCreate
  2. In last name field: Fread (no need to fill in ANY other fields)
  3. Hit continue
  4. Access denied
  5. Repeat with different PHP commands and you will get access denied
  6. Repeat with non-PHP command and you will not get access denied

Please help!

Note: I tried this on different IP addresses, different computers, different OS, had my friend try in a different town altogether and the error happens everywhere. Also happens to my family with the same last name.

K. F.
  • That's a great last name for websites. I wouldn't use any website that gives you an error when you type `fread` into any input. That's seriously bad. – Scopey May 03 '16 at 04:51
  • It happens for so many websites it is hard to avoid them. My sis got access denied applying for her government job. My bank does it too...what are the dangers of using these websites? – K. F. May 03 '16 at 05:04
  • It might be time for a new last name... – Clint May 03 '16 at 05:13
  • Unfortunately this problem is more widespread than some people realize. [Mr. Null isn't happy about it either](http://www.wired.com/2015/11/null/). Particularly with regard to security, large corporate websites really should be keeping up with current best practices. – NanoWizard May 05 '16 at 19:18

3 Answers

3

Full disclosure: I'm one of the people who tested and verified this error for Ms. Fread.

Given how suddenly this issue appeared and how widespread the issue is, it's clearly not just a negligent developer at a company or two, and it's clearly not just old websites. If the likes of the IRS, your bank, Amtrak, Greyhound, Footlocker, and other major companies all started failing for you at roughly the same time, it must be related to shared code that got updated, which is tough to trace. However...

I caught the bug!

Unexpectedly, I encountered the same type of error when doing some of my own for-fun web development. I was trying to POST the string "Test event; description will go here", and receiving a 403 error. After some hair-tearing and trial-and-error, it turned out the semicolon was the culprit, and upon removing it, the POST worked.

Obviously, not every instance of a semicolon is a threat to a server, so I found that rule more than a little silly. That then jogged my memory about this issue, so I tried submitting the same string (minus the semicolon) with "fread" on the end. Lo and behold, the 403 was back.

Cross-Site Scripting (XSS)

On poorly-secured websites, a hacker can inject code into input fields so the server will run code instead of storing data. This is called cross-site scripting, or XSS. Naturally, webmasters and web developers want to prevent this from being possible.

In this case, it seems like the server saw something that looked like a command (which made it suspect an XSS attempt) and panicked. In my case, it saw a semicolon, which is a command terminator. In yours, it saw what it thought was the file-read command. In both cases, the server decided that we were "threats" and opted to deny us access to the resource we requested via a 403 error.

ModSecurity

The culprit appears to be ModSecurity, a module for Apache and other web servers which (among many other things) screens POST inputs for suspected XSS attacks. When I disabled it on my site, I was able to POST whatever I wanted just fine, as (I feel) I should be.

ModSecurity was updated to version 2.9.1 on March 9th, 2016, with relatively stable release candidates before then which may have been in narrow use, so the timing works out. It's in pretty wide use today, so it's likely that Amtrak/Greyhound/Footlocker all use this module, given the similarity and timing of the issue.

In Conclusion:

The good news: I'm 90% sure it's ModSecurity, and they're likely the best single point of contact for this issue. You could consider posting an issue to their GitHub page, or contacting a developer or two directly with questions.

The bad news: They may still consider you a fringe case. Also, the actual end-product fix may come down to the individual sites' admins deciding to update their stuff if/when ModSecurity publishes an update. But it's certainly still worth talking to the development team as a starting point.

Good luck!!

Kevin
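
An added illustration, not part of the answer above and not ModSecurity's actual rules (the page does not show them): replaying constructed form submissions through a substring blocklist reproduces the behaviour reported in this thread, while a pattern that requires call syntax leaves the names alone. The filter names, token list and sample values are assumptions made for the example.

```python
import re

# Constructed tokens: the two PHP function names and the semicolon that the
# thread reports as triggering a 403. This is NOT ModSecurity's real rule set.
BLOCKED_TOKENS = ("fread", "fwrite", ";")

# Narrower heuristic (assumption): a function name only counts when it is a
# whole word followed by an opening parenthesis, i.e. looks like a call.
CALL_SYNTAX = re.compile(r"\b(?:fread|fwrite)\s*\(", re.IGNORECASE)

def naive_filter(value):
    """Block if any token appears anywhere in the value (substring match)."""
    lowered = value.lower()
    return any(token in lowered for token in BLOCKED_TOKENS)

def call_syntax_filter(value):
    """Block only when a listed function name is used with call syntax."""
    return CALL_SYNTAX.search(value) is not None

# Constructed form submissions: (field, value, is_code_like).
SAMPLES = [
    ("lastName", "Fread", False),
    ("lastName", "Fwrite", False),
    ("lastName", "Smith", False),
    ("username", "kfread", False),
    ("description", "Test event; description will go here", False),
    ("comment", "fread($handle, 4096)", True),
]

def evaluate(filter_fn, samples=SAMPLES):
    """Replay samples; return (false_positives, missed) as lists of values."""
    false_positives, missed = [], []
    for _field, value, is_code_like in samples:
        blocked = filter_fn(value)
        if blocked and not is_code_like:
            false_positives.append(value)
        elif not blocked and is_code_like:
            missed.append(value)
    return false_positives, missed

if __name__ == "__main__":
    for name, fn in (("naive", naive_filter), ("call-syntax", call_syntax_filter)):
        fps, missed = evaluate(fn)
        print(f"{name}: {len(fps)} false positives {fps}, {len(missed)} missed")
```

Replaying known-good traffic like this before switching a rule from log-only to blocking is how a false positive on a surname gets caught before customers hit it.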
0

That's really unfortunate and all I can suggest is contacting the technical department of whichever site you're trying to access. It shouldn't be too difficult for them to realize how big of a mistake they're making by trying to filter names like that. If they don't agree, you might be better off not trusting them with your information anyway...

  • I see your point but it also happens when I try to request my credit report from the trusted website for that...it also happened to my dad when he was requesting tax papers I think from the IRS website itself. I don't care too much about Amtrak, Greyhound, shopping websites, etc. but I don't know how to fix the problems with websites that actually matter....also my bank doesn't seem to know where to find the underlying code causing the problem and I think they are going to give up soon. Where can you contact the technical department of websites normally? How do I find people that can fix it? – K. F. May 03 '16 at 05:06
  • @K.F. Personally I'd go to LinkedIn and (politely) spam all the developers I could find at the company. I'd certainly be interested to hear your story and figure out how to solve it. – Kyle Hale May 03 '16 at 05:19
0

So sorry to hear that.. websites with these kinds of bugs are often dated ones, they do this for security reasons..

You may try to use these instead (only for unimportant websites, not for credit card etc), copy and paste from below to see whether it works

Frеad (е is the math symbol here)

Freаd (а is a russian character)

F r e a d (adding spaces between characters)

_Fread (prefix with underscore)

Fread (Make first character a wide character)

If none of the above works, you should contact the administrator.

Technically speaking, they are able to set your account's last name to Fread directly in the database, bypassing the PHP check. But these people are often very hard to reach, I know.

The good news is that modern websites seldom have this kind of problem; I believe the websites with these problems will be updated in the near future.

Kevin