
Tesco accused of inadequate website and password security

30 Jul 2012

UK retail giant Tesco has been accused of overlooking basic security measures in its online service that is leaving millions of shoppers at risk from hackers.

According to Troy Hunt, a security professional based in Australia and a Microsoft Most Valuable Professional (MVP), Tesco's website allows shoppers' sessions to be hijacked because it fails to keep the connection encrypted once a user has logged in.

Further correspondence between Hunt and a Tesco customer services representative also suggested that the retailer did not adequately protect users' passwords.

"Tesco continually overstate their security prowess whilst clearly under-delivering in their execution," Hunt said in a blog post.

Hunt was alerted to a potential issue via Twitter, so he set about evaluating Tesco's security using an account he had set up while living in the UK at the turn of the millennium.

Hunt was able to revive his dormant Tesco account by asking for an emailed password reminder. When the email arrived, he was aghast to see it contained his actual password.

“Clearly the passwords aren’t hashed at all let alone salted. At best they’re encrypted,” he wrote on his blog.
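The point Hunt is making is that a site which can email a password back must be storing it in recoverable form; a properly hashed and salted store cannot answer a "password reminder" at all, only a reset. The following is an added example, not code from the article, from Tesco or from Hunt, showing salted PBKDF2 hashing with the Python standard library; the iteration count and the record format are this example's own choices.

```python
# Added example (not from the article or from Tesco): salted password hashing
# with PBKDF2-HMAC-SHA256. A store built this way holds only a salt and a
# one-way digest, so there is no plaintext to put in a reminder email.
import hashlib
import hmac
import secrets
from typing import Optional

ALGORITHM = "sha256"
ITERATIONS = 200_000  # assumption: demo value; tune to your hardware in production


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh 16-byte random salt is drawn per password unless one is supplied,
    so two users with the same password produce different records.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        algorithm, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salting_separates_identical_passwords(password: str) -> bool:
    """True when two records for the same password differ, which is what a
    per-user salt guarantees; a leaked table then cannot be grouped by password."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample credentials for the demo.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("correct password accepted:", verify_password("correct horse battery staple", stored))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", stored))
    print("same password, distinct records:", salting_separates_identical_passwords("hunter2"))
```

Because the record carries its own algorithm and iteration count, the cost can be raised later and old records re-hashed on the user's next successful login without a migration of the whole table.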

He also found that although the site logged him in over Secure Sockets Layer (SSL), the pages that followed were soon being delivered over plain HTTP rather than HTTPS.

“HTTP is stateless so the only (practical) way a state such as being logged in can be persisted is by passing cookies backwards and forwards between the browser and the website,” Hunt said.

“And because they’re being sent over an HTTP connection, anyone who can watch the traffic can see those same cookies. And copy them. And hijack your session.”
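The defensive check that follows from Hunt's description is whether the session cookie is marked so the browser will only ever send it over HTTPS. Below is an added example, not code from the article or from Tesco's site, that parses Set-Cookie headers and flags session cookies missing the Secure, HttpOnly or SameSite attributes; the sample headers are constructed for the demo (the cookie name is the ASP.NET default session cookie name), and the name-based heuristic for spotting session cookies is this example's own assumption.

```python
# Added example (not from the article): audit Set-Cookie headers for a session
# cookie that a browser would also send over plain HTTP. The headers below are
# constructed samples, not captured from any real site.
from typing import Dict, List

# Assumption: substrings that suggest a cookie carries login state.
SESSION_NAME_HINTS = ("session", "sess", "auth", "token")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and an attribute map.

    Flag attributes such as Secure and HttpOnly map to True; attributes with a
    value (Path, SameSite, ...) map to that string. Keys are lower-cased.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for one header; an empty list means nothing to report."""
    cookie = parse_set_cookie(header)
    name = str(cookie["name"])
    attrs = cookie["attrs"]
    findings: List[str] = []
    if not looks_like_session_cookie(name):
        return findings
    if attrs.get("secure") is not True:
        findings.append(f"{name}: missing Secure, browser will send it over plain HTTP")
    if attrs.get("httponly") is not True:
        findings.append(f"{name}: missing HttpOnly, readable from page script")
    if "samesite" not in attrs:
        findings.append(f"{name}: no SameSite attribute")
    return findings


def audit_response(headers: List[str]) -> List[str]:
    """Audit every Set-Cookie header from one response."""
    findings: List[str] = []
    for header in headers:
        findings.extend(audit_set_cookie(header))
    return findings


# Constructed samples: the first mirrors the weak pattern the article describes
# (session cookie usable over HTTP), the second the hardened form.
WEAK_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/",
    "prefs=dark; path=/",
]
HARDENED_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "->", audit_response(headers) or ["no findings"])
```

The Secure flag alone only helps if the whole logged-in area is served over HTTPS: a page that falls back to HTTP cannot read a Secure cookie, so the session simply stops working there, which is the right failure mode and exposes the mixed-scheme design rather than the cookie.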

Further digging suggested that Tesco's site was running on IIS 6, a seven-year-old web server, and on the nine-year-old ASP.NET 1.1 framework.

“The security landscape has changed significantly since these technologies were launched and ongoing improvements in newer generations of the breed make continued progress in ensuring a more secure app by default,” Hunt said.

Having drawn up a list of issues, Hunt approached Tesco about his concerns; a customer service representative tweeted back:

A further tweet elaborated on those security practices:

"There’s probably a lesson in there somewhere about not letting your Customer Care folks make technical statements via social media," Hunt said.

Tesco had not responded to V3's request for comment at the time of publication. 
