Companies House has blocked someone who registered a new biz with a name that contained the right characters arranged in the right order to trigger a cross-site scripting (XSS) attack against users of the service’s API.
The company in question, registered number 12956509, was originally signed up with the UK’s official company registrar under the name:
">< SCRIPT SRC[=]HTTPS[:]//MJT.XSS.HT> LTD
Its name didn’t contain the square brackets, meaning anyone reading company names off the Companies House API would potentially run a script from the web address above.
A person using the username michaeltandy on the Companies House developer forum later posted: “I had assumed I wouldn’t be the first person to use < and > (they are, after all, both explicitly whitelisted as legal characters) and that 99 per cent of systems would already be escaping them… I would just get a company with a playful name that would elicit a knowing chuckle from the kind of people we’d be doing business with!”
The poster continued: “Once it turned out there were non-trivial problems, and that fact became more widely publicised, we can’t expect every consumer of data to do a full XSS audit in only a few days.”
Although whoever registered the company seems to have had non-hostile intentions – xss.ht is a domain owned by the XSS Hunter service, as explained on its main website – the vulnerability it exposes is not unique.
Such tomfoolery has been carried out in the past, aided by a legal requirement that certain punctuation marks are available for companies to use in their names. Thus was born “; DROP TABLE “COMPANIES”;– LTD” and “SAFDASD & SFSAF ‘ SFDAASF” LTD“, both of which were exploiting the availability of punctuation marks to put commands into the company name field.
Tech lawyer Neil Brown of decoded.legal told The Register: “This is symbolic – if one might excuse the pun – of a regime which considers individual characters in isolation, and not the effect of the combination of those characters.” He explained that while section 53 of the Companies Act 2000 does stop people from registering companies with “offensive” names or names that were a criminal offence to publish, it’s not clear whether that is enough to stop people registering database commands as company names.
“Would using an XSS attack constitute an offence? Even with the state of the Computer Misuse Act 1990, that would be a stretch too far. Is it offensive? I don’t think so, but then I’m not the Secretary of State,” opined Brown, who also pointed out yet another crappy company name.
As for lessons to be drawn from this, Brown wondered if simply advising people to sanitise inputs from official systems was “too dull” for El Reg. We happen to agree but it’s also the sort of common-sense advice someone, somewhere, might actually benefit from. The BBC Bitesize guide to input sanitisation (don’t laugh, we all started somewhere) can be found here.
A Companies House spokesman told The Register: “A company was registered using characters that could have presented a security risk to a limited number of our customers, if published on unprotected external websites. We have taken immediate steps to mitigate this risk.”
He added: “We are confident that Companies House services remain secure.”
And indeed Companies House is secure: company number 12956509 is now called “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD”. ®
Drop Table Companies Ltd (add the necessary script marks at your leisure) was a practical joke by tech bod Sam Pizzey, who blogged about it at the time. He wrote: “The company name is a bit of hacker sleight-of-hand… or as some astute people have put it, it’s ‘wrong’. Of course it’s wrong – I’m not a total arsehole!”
Multiple people also registered Openreach Ltd over the years until BT woke up and registered the company name itself.