Companies have jokingly given themselves code-based names in the past (you can thank XKCD for that), but one of them was just forced to mend its ways. The Guardian reports that UK business registrar Companies House has forced a software consultant to change his company name after discovering that it could launch cross-site scripting attacks against vulnerable pages — yes, including Companies House. A site could have inadvertently compromised itself just by mentioning the company, which could be more than a little embarrassing for officials who greenlit the name.
The initial name, “"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD,” risked confusing sites that didn’t escape HTML characters in the name properly before displaying it. They would think the company name was blank and run a script from the troubleshooting site XSS Hunter. It’s an innocuous script that would simply have put up a warning, but Companies House wasn’t willing to take any chances. The name might have “presented a security risk” to some sites, a spokesperson said.
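To show concretely why the name breaks a page that displays it raw and why output encoding neutralises it, here is an added example (not code from the article, Companies House, or XSS Hunter). It renders the registered name into a heading and an input attribute with and without HTML escaping, tokenizes the result with Python's standard-library parser to list the elements a browser would see, and includes a hypothetical registrar-side validation rule that is an assumption, not the measure Companies House actually adopted.

```python
import html
from html.parser import HTMLParser

# The registered name quoted in the article, as a plain Python string.
REGISTERED_NAME = '"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD'
RENAMED = "THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD"


def render_unescaped(name: str) -> str:
    """Vulnerable pattern: the name is pasted raw into an element body and an
    attribute value, so its leading '">' closes the attribute and the tag."""
    return f'<h1>{name}</h1><input name="company" value="{name}">'


def render_escaped(name: str) -> str:
    """Hardened pattern: HTML-encode once for both contexts (quote=True also
    encodes the double quote, which the attribute context needs)."""
    safe = html.escape(name, quote=True)
    return f'<h1>{safe}</h1><input name="company" value="{safe}">'


class TagCollector(HTMLParser):
    """Records the start tags a real HTML tokenizer emits (names lowercased)."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_seen(markup: str) -> list[str]:
    """Tokenize rendered markup and return the element names it contains."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def name_is_safe_to_register(name: str) -> bool:
    """Hypothetical registrar-side check (an assumption, not Companies House's
    actual rule): reject names carrying characters that open or close markup."""
    return not any(ch in name for ch in '<>"')


if __name__ == "__main__":
    # The raw rendering yields a live <script> element; the escaped one does not.
    print("unescaped:", tags_seen(render_unescaped(REGISTERED_NAME)))
    print("escaped:  ", tags_seen(render_escaped(REGISTERED_NAME)))
```

Output encoding at the point of display is the fix that protects every site showing the name; the registration-time rule only protects sites that pull names from this one registrar.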
The consultant has since changed his business name to “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD.” Companies House, meanwhile, said it had “put measures in place” to prevent a repeat. You won’t be trying this yourself, at least not in the UK.
It’s more than a little amusing to see a for-the-laughs code name stir up trouble, but this also illustrates just how fragile web security can be. If a clever name can wreak havoc, there’s a lot of work to be done before site owners can say they’ve nailed security.