The UK business registrar Companies House has forced a software consultant to change its name after discovering it could lead to cross-site scripting attacks.
The British software engineer had kept his company’s name ““><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD”. The name could have led to vulnerable websites to execute a script from the site XSS Hunter, which allows devs to discover cross-site scripting errors. It would have affected websites that don’t handle the HTML Code properly and could have mistaken them as blank in the company name section.
“A company was registered using characters that could have presented a security risk to a small number of our customers, if published on unprotected external websites. We have taken immediate steps to mitigate this risk and have put measures in place to prevent a similar occurrence. We are confident that Companies House services remain secure,” a Companies House spokesperson is quoted as saying.
Following the directive, the consultant has renamed his company to “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD”. The consultant said he kept the older name thinking it would be a “fun and playful name.”
According to The Guardian, many companies have kept such code-based names. Some companies which are guilty of such names are “; DROP TABLE “COMPANIES”;– LTD”, which is said to be inspired by a popular XKCD webcomic. Unlike the previous occasions, it is the first time to elicit a response from the authorities.
As Engadget points out, it is weird that a simple code-based name could cause so much of a problem to a large number of websites. At the same time, it also highlights how fragile the digital space is right now.
