Why, yes, you can register an XSS attack as a UK company name. How do we know that? Someone actually did it
2020-10-30 13:00

"> LTD. Its name didn't contain the square brackets, meaning anyone reading company names off the Companies House API would potentially run a script from the web address above.

Although whoever registered the company seems to have had non-hostile intentions - xss.

A Companies House spokesman told The Register: "A company was registered using characters that could have presented a security risk to a limited number of our customers, if published on unprotected external websites.

Indeed Companies House is secure: company number 12956509 is now called "THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD". ®

Bootnotes

Drop Table Companies Ltd was a practical joke by tech bod Sam Pizzey, who blogged about it at the time. He wrote: "The company name is a bit of hacker sleight-of-hand... or as some astute people have put it, it's 'wrong'.

Multiple people also registered Openreach Ltd over the years until BT woke up and registered the company name itself.
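
The risk described above falls on sites that read company names from a registry API and write them into HTML unencoded. The following is an added example, not code from the article or from Companies House: it encodes a name for both element text and a quoted attribute, so a name beginning with `">` cannot close the attribute it sits in. The record shape, function names and sample names are constructed assumptions.

```javascript
// Added example: output-encode registry data before it reaches HTML.
// Record shape and sample names are constructed for illustration.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value for HTML element text or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Detection only: flag names carrying markup-significant characters so they
// can be logged or reviewed. Escaping is still what makes the output safe.
function hasMarkupChars(name) {
  return /[<>"]/.test(String(name));
}

// Render one record as a table row. The name is used twice: inside a quoted
// attribute (title) and as element text. Both uses are encoded.
function renderCompanyRow(company) {
  const name = escapeHtml(company.name);
  const number = escapeHtml(company.number);
  return `<tr><td title="${name}">${name}</td><td>${number}</td></tr>`;
}

function renderTable(companies) {
  return `<table>${companies.map(renderCompanyRow).join("")}</table>`;
}

function flaggedNumbers(companies) {
  return companies.filter((c) => hasMarkupChars(c.name)).map((c) => c.number);
}

// Constructed sample records (placeholder numbers and names).
const sampleCompanies = [
  { number: "00000001", name: "EXAMPLE WIDGETS & SONS LTD" },
  { number: "00000002", name: '"><b>EXAMPLE</b> LTD' },
];

console.log(renderTable(sampleCompanies));
console.log("flagged for review:", flaggedNumbers(sampleCompanies));
```
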


News URL

https://go.theregister.com/feed/www.theregister.com/2020/10/30/companies_house_xss_silliness/
