UK retail giant Tesco has been accused of overlooking basic security measures in its online service, leaving millions of shoppers at risk from hackers.
According to Troy Hunt, a security professional based in Australia and a Microsoft Most Valuable Professional (MVP), Tesco's website allows shoppers' sessions to be hijacked because it fails to keep a user's session on a secure (HTTPS) connection after login.
Further correspondence between Hunt and a Tesco customer services representative also suggested that the retailer did not adequately protect users' passwords.
"Tesco continually overstate their security prowess whilst clearly under-delivering in their execution," Hunt said in a blog post.
Hunt was alerted to a potential issue via Twitter, and set about evaluating Tesco's security via an account he had set up while living in the UK at the turn of the millennium.
Hunt was able to revive his dormant Tesco account by asking for an emailed password reminder. When the email arrived, he was aghast to see it contained his actual password.
“Clearly the passwords aren’t hashed at all let alone salted. At best they’re encrypted,” he wrote on his blog.
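The point Hunt makes is that a reminder e-mail can only contain the password if the site stores it in a recoverable form. The following is an added example (not Hunt's code, and not Tesco's), showing the salted, one-way storage he contrasts it with: PBKDF2-HMAC-SHA256 with a random per-user salt, a constant-time check at login, and a "forgot password" flow that can only issue a reset token because the stored record cannot yield the password. The user store, `register`, `login` and `password_reminder` functions and the iteration count are hypothetical choices made for this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (a constructed value for this example).
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a one-way hash of `password` under a random 16-byte salt.

    Returns (salt, derived_key). Neither value lets anyone recover the
    password, which is why a reminder e-mail could not contain it.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, derived


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


# Hypothetical in-memory user store: username -> (salt, derived_key).
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(password)
        return False
    salt, stored = record
    return verify_password(password, salt, stored)


def password_reminder(username: str) -> Optional[str]:
    """What a 'forgot password' flow can send when only a hash is stored:
    a one-time reset token (hypothetical flow), never the password itself."""
    if username not in USERS:
        return None
    return secrets.token_urlsafe(32)


def demo() -> Dict[str, bool]:
    """Register one user and exercise the flows; returns the observed outcomes."""
    register("alice", "correct horse battery staple")
    return {
        "login_ok": login("alice", "correct horse battery staple"),
        "login_wrong": login("alice", "wrong password"),
        "login_unknown": login("bob", "anything"),
        # The same password hashed twice gives different records thanks to the salt.
        "salts_differ": hash_password("pw")[1] != hash_password("pw")[1],
        "reminder_is_not_password": password_reminder("alice") != "correct horse battery staple",
    }


if __name__ == "__main__":
    print(demo())
```

The reminder function is the practical consequence of hashing: the only thing the site can hand back is a fresh token for a reset, so a customer-care process that "pastes the password into a reminder mail" is impossible by construction.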
He soon found that although the site logged him in over SSL, he quickly moved from pages delivered via HTTPS to plain old HTTP.
“HTTP is stateless so the only (practical) way a state such as being logged in can be persisted is by passing cookies backwards and forwards between the browser and the website,” Hunt said.
“And because they’re being sent over an HTTP connection, anyone who can watch the traffic can see those same cookies. And copy them. And hijack your session.”
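The defender's check implied by Hunt's explanation is whether the cookie that carries the logged-in state is ever allowed onto a plain HTTP connection. The following is an added example, not code from Hunt's post or from Tesco: a small audit that parses `Set-Cookie` headers from a login response, flags session cookies that lack the `Secure` attribute (the browser will then send them on HTTP requests too) or `HttpOnly`, and reports whether a later request over a given scheme would carry the cookie in the clear. The cookie names, header values and the name-based session heuristic are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Name fragments that usually mark a cookie as carrying login state (a heuristic).
SESSION_NAME_HINTS = ("sess", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    is_session: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to ''.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookie(value: str) -> CookieReport:
    """Report the Secure/HttpOnly state of one Set-Cookie value."""
    name, attrs = parse_set_cookie(value)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    is_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
    report = CookieReport(name, secure, httponly, is_session)
    if is_session and not secure:
        report.findings.append(
            "no Secure attribute: the browser will also send this cookie on plain HTTP requests")
    if is_session and not httponly:
        report.findings.append("no HttpOnly attribute: page scripts can read the cookie")
    return report


def sent_in_clear(report: CookieReport, request_scheme: str) -> bool:
    """True when a later request over `request_scheme` would carry the cookie unencrypted."""
    return request_scheme.lower() == "http" and not report.secure


def audit_response(headers: List[Tuple[str, str]]) -> List[CookieReport]:
    """Audit every Set-Cookie header in a (name, value) header list."""
    return [audit_cookie(v) for (k, v) in headers if k.lower() == "set-cookie"]


def count_findings(headers: List[Tuple[str, str]]) -> int:
    return sum(len(r.findings) for r in audit_response(headers))


# Constructed sample: a login response whose session cookie lacks Secure,
# beside the corrected form of the same response.
WEAK_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=9f1c3a7e; Path=/"),
    ("Set-Cookie", "prefs=store=london; Path=/; Max-Age=2592000"),
]
FIXED_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=9f1c3a7e; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=store=london; Path=/; Max-Age=2592000"),
]


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_LOGIN_RESPONSE), ("fixed", FIXED_LOGIN_RESPONSE)):
        for r in audit_response(headers):
            print(label, r.name, "clear over http:", sent_in_clear(r, "http"), r.findings)
```

The non-session `prefs` cookie still travels over HTTP in both responses, which is acceptable for a preference; the finding that matters is the session cookie, and the fix is both to mark it `Secure` and to keep the whole logged-in session on HTTPS, since a `Secure` cookie alone will not be sent on the HTTP pages at all and the site would then lose the login state there.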
Further digging suggested that Tesco's site was running on IIS 6, a seven-year-old web server, and on the nine-year-old ASP.NET 1.1.
“The security landscape has changed significantly since these technologies were launched and ongoing improvements in newer generations of the breed make continued progress in ensuring a more secure app by default,” Hunt said.
Having drawn up a list of issues, Hunt approached Tesco about his concerns; a customer service representative tweeted back:
@troyhunt Let me assure you that all customer passwords are stored securely & in line with industry standards across online retailers. — Tesco Customer Care (@UKTesco) July 29, 2012
A further tweet elaborated on those security practices:
@troyhunt Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail. — Tesco Customer Care (@UKTesco) July 29, 2012
"There’s probably a lesson in there somewhere about not letting your Customer Care folks make technical statements via social media," Hunt said.
Tesco had not responded to V3's request for comment at the time of publication.