The company had to change the dangerous name for sites as it could provoke an XSS attack

The name of the some company turned out to be dangerous for sites that cannot properly process HTML and could provoke an XSS attack.

In the past, some organizations have used lines of code for fun, but at least one of them had to change it.

According to The Guardian, UK Companies House forced one of the consulting companies to change its name after it became known that it can be used to carry out XSS attacks on vulnerable pages, including the Companies House itself.

A company was registered using characters that could have presented a security risk to a small number of our customers if published on unprotected external websites. We have taken immediate steps to mitigate this risk and have put measures in place to prevent a similar occurrence.а Companies House spokesperson said.

As it turned out, just by mentioning the name of the company, the website of the regulator could inadvertently compromise itself. Overall it was not a convenient situation for a government agency that initially approved the problematic name.

It is about the name: which is dangerous for sites that are not able to handle HTML formatting properly. Such sites may decide that the company name field is empty and run the script from the XSS Hunter site.

This script is quite harmless and simply displays a warning, but Companies House thought it was enough to oblige the company to change its name.

It is now called “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD”. According to the representatives of the Registration Chamber, they have taken measures to prevent the occurrence of similar situations in the future.

However, this is not the first such precedent.

Similar names have been registered in the past, such as “; DROP TABLE “COMPANIES”;– LTD”, a wry attempt to carry out an attack known as SQL injection, inspired by a famous XKCD webcomic, but this was the first such name to have prompted a response. Companies House has retroactively removed the original name from its data feeds, and all documentation referring to its original moniker now reads simply “Company name available on request.writes the Guardian.

It’s funny to see how a comic name with code elements can cause an avalanche of problems. However, this situation is also an example of how fragile Internet security can be.

If you can wreak havoc with just a fancy name, then site owners have a lot of work to do before they can be sure they are safe.

Let me remind you of another curious case in the field of information security: For eight years, the Cereals botnet existed for only one purpose: it downloaded anime.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *