British Company Forced to Change Name as It Could Be Used for Cross Site Scripting Hack

Entrepreneurs come up with some weird company names at times. Some have deep meaning while some are just quirky. But in the U.K., the Companies House, the country's registrar of businesses, has forced one to change the name, not because it was vulgar but due to potential cybersecurity risk.

The company, a consulting business that was set up by a British software engineer, was originally named " " > LTD". The director of the company thought it was a "fun playful name" but the problem was that it made the Companies House vulnerable to cyberattacks. He realized that by using the cross-site scripting technique, a hacker could run a code from a different website the attack the House. Thus, the name was changed to another odd name "THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD".

The U.K. Companies House forced the company to change the name as it posed a potential security risk (representational image) Pixabay

Everything in the Name

If you thought what's in a name, in this case, everything. The founder began the name of the company with a quotation mark followed by chevron. If any site fails to handle the HTML code, it could mistake the company name as blank. Then, it will load and execute an XSS Hunter script to find the cross-site scripting error. Characters such as '>' and " are easily available to use for company name prompting him to believe that the Companies House already had some sort of security measures to prevent a cyberattack. As for hackers, they could then easily exploit the weakness as a gateway for a cross-site scripting attack.

It didn't take time for the founder/ director of the company to recognize the potential security flaw and he contacted the Companies House and the National Cyber Security Centre. He was then forced to change the name. In the name change documents, Companies House removed the original name and replaced it with "Company name available on request".

"Government Digital Service (GDS) has a good reputation for security, and other companies with similarly playful names have been registered in the past, so I thought there probably wouldn't be a problem. When I discovered there were some minor problems, I contacted Companies House and the National Cyber Security Centre immediately, and didn't disclose the issue to anyone else," the director of the company told the Guardian. He didn't want to be named.

Cyber attack
Hackers could exploit the name of the company as it contained an HTML script to hack another website (representational image) Pixabay

Weird Names Not New

While this name particularly had a problem, Companies House had previously allowed names such as " ; DROP TABLE " COMPANIES " ; -- LTD" which could be used for a SQL injection attack. The name was inspired by a popular XKCD webcomic. There were also company names such as > LTD. But it didn't pose a cybersecurity risk. This is the first time that Companies House has forced a company to change its name due to security risk.

A spokesperson of Companies House said that they were confident that the name wasn't exploited and services remained secure. "A company was registered using characters that could have presented a security risk to a small number of our customers if published on unprotected external websites. We have taken immediate steps to mitigate this risk and have put measures in place to prevent a similar occurrence. We are confident that Companies House services remain secure," the statement said.

Related topics : Cybersecurity