A case where a company named “][SCRIPT SRC=HTTPS://MJT.XSS.HT] LTD” was forced to change its name



A software development company that used an HTML script tag in its company name has been forced to change its name by the Registrar of Companies, because the name 'leads to database vulnerabilities.'

Company forced to change name that could be used to hack websites | UK news | The Guardian

https://www.theguardian.com/uk-news/2020/nov/06/companies-house-forces-business-name-change-to-prevent-security-risk

UK govt aims to kill off Bobby Tables in Companies House name rules
https://www.thestack.technology/companies-house-names-rules-drop-table/

Company named '][SCRIPT SRC=HTTPS://MJT.XSS.HT] LTD' forced to change it (2020) | Hacker News
https://news.ycombinator.com/item?id=41948666

According to a news report in November 2020 by the British daily newspaper The Guardian, the company in question was a development company founded by a British software engineer and had the name “][SCRIPT SRC=HTTPS://MJT.XSS.HT] LTD” (all symbols are originally half-width).

If a website with weak security measures did not handle the company name properly when displaying it, the site could read the company name as blank and execute the script that the name points to.
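The failure described above, as an added example that is not from the article or from any site that displays registry data: a page that concatenates the name into an HTML attribute, next to the version that encodes it first, with Python's standard HTML parser reporting what a browser-style parser would see in each. The company name is constructed (it assumes a double quote and angle brackets, and uses a reserved placeholder host), and the function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed sample name (assumption): a quote and angle brackets around a
# script reference; example.invalid is a reserved, non-resolving host.
COMPANY_NAME = '"><SCRIPT SRC=HTTPS://EXAMPLE.INVALID/X.JS> LTD'


def render_unsafe(name: str) -> str:
    """Weak handling: the registry value is pasted into the attribute as-is."""
    return f'<input name="company" value="{name}">'


def render_safe(name: str) -> str:
    """Corrected handling: encode for the HTML attribute context first."""
    return f'<input name="company" value="{html.escape(name, quote=True)}">'


class _MarkupView(HTMLParser):
    """Records the company field's value and every script element parsed."""

    def __init__(self):
        super().__init__()
        self.company_value = None
        self.script_sources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "company":
            self.company_value = attrs.get("value")
        elif tag == "script":
            self.script_sources.append(attrs.get("src"))


def parse_view(markup: str):
    """Return (company value as parsed, list of script sources found)."""
    view = _MarkupView()
    view.feed(markup)
    view.close()
    return view.company_value, view.script_sources


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        value, scripts = parse_view(render(COMPANY_NAME))
        print(f"{render.__name__}: value={value!r} scripts={scripts}")
```

In the unencoded page the field's value parses as an empty string and a script element appears after it; in the encoded page the full name is the field's value and no script element exists.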

When a company is registered in the UK, Companies House is required to display the exact name supplied, as long as it falls within the existing rules. Companies House's naming rules covered imitations and offensive language, but not attempts to falsify data entries.

In the UK, a company was registered in 2016 under the name ';DROP TABLE 'COMPANIES';-- LTD', based on a web comic. Founder Sam Pizzey said, 'The commands that make up the company name contain intentional mistakes. We didn't intend to raise any major issues with the company name, we just wanted to use the knowledge of security professionals to get a laugh.' The company name has not been changed and is still in use as of the time of writing.



The founder of “][SCRIPT SRC=HTTPS://MJT.XSS.HT] LTD” said he chose the name because he thought it would be a fun and playful name for a consulting business. However, malicious attackers could use the same technique to launch a more serious attack called “cross-site scripting.”

Therefore, the Registrar of Companies ordered the company name to be removed from the database and changed. The founders of “][SCRIPT SRC=HTTPS://MJT.XSS.HT] LTD” accepted the order and changed their name to “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD”. At the same time, the old company name was thoroughly removed from the Registrar of Companies’ database.

THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD overview - Find and update company information - GOV.UK
https://find-and-update.company-information.service.gov.uk/company/12956509/



The UK government then introduced the Economic Crime and Corporate Transparency Bill in 2022, which changed Companies House's naming rules. Company names that involve falsifying data entries are now also subject to restrictions, making it impossible to register similar company names.

Hacker News has discussed the issue in a number of ways, including, 'What about company names that affect AI prompts?' and 'All things considered, it makes sense to restrict these names. Unless you're planning on paying to audit every data user in the world, this is the more practical solution. It's unclear what you'd gain from having code in your company name.' At the same time, similar cases have been introduced, such as, 'There are cases where someone has attached script code to license plates to incorporate SQL injection into speed cameras,' 'My daughter was born in Hawaii, and since Hawaiian birth certificates allow up to 240 characters in names, I made her middle name the periodic table,' and 'I once set my username on an auction site to script code, preventing anyone else from bidding on the auctions I bid on. I won a lot of auctions, but then my account was wiped.'

in Note, Software, Web Service, Posted by log1i_yk