[LINK] Company forced to change name that could be used to hack websites

Kim Holburn kim at holburn.net
Sat Nov 7 10:42:53 AEDT 2020


> Companies House has forced a company to change its name after it belatedly realised it could pose a security risk.
> The company now legally known as “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD” was set up by a British software 
> engineer, who says he did it purely because he thought it would be “a fun playful name” for his consulting business.
> He now says he didn’t realise that Companies House was actually vulnerable to the extremely simple technique he used, known as 
> “cross-site scripting”, which allows an attacker to run code from one website on another.
> The original name of the company was
> ““><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD”. By beginning the name
> with a quotation mark and chevron, any site which failed to properly
> handle the HTML code would have mistakenly thought the company name was
> blank, and then loaded and executed a script from the site XSS Hunter,
> which helps developers find cross-site scripting errors.
> That script would have simply put up a harmless alert – but it serves as proof that a malicious attacker could instead have used 
> the same weakness as a gateway to more damaging ends.
> Similar names have been registered in the past, such as “; DROP TABLE “COMPANIES”;-- LTD”,
> a wry attempt <https://pizzey.me/blog/no-i-didnt-try-to-break-companies-house/> to carry out an attack known as SQL injection, 
> inspired by a famous XKCD webcomic <https://xkcd.com/327/>, but this was the first such name to have prompted a response. 
> Companies House has retroactively removed the original name from its data feeds, and all documentation referring to its original 
> moniker now reads simply “Company name available on request”.

Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

More information about the Link mailing list