
Tesco accused of inadequate website and password security

30 Jul 2012

UK retail giant Tesco has been accused of overlooking basic security measures in its online service, leaving millions of shoppers at risk from hackers.

According to Troy Hunt, a security professional based in Australia and a Microsoft Most Valuable Professional (MVP), Tesco's website allows shoppers' sessions to be hijacked because it fails to keep the connection secured for the duration of a user's session.

Further correspondence between Hunt and a Tesco customer services representative also suggested that the retailer did not adequately protect users' passwords.

"Tesco continually overstate their security prowess whilst clearly under-delivering in their execution," Hunt said in a blog post.

Hunt was alerted to a potential issue via Twitter, and set about evaluating Tesco's security via an account he had set up while living in the UK at the turn of the millennium.

Hunt was able to revive his dormant Tesco account by asking for an emailed password reminder. When the email arrived, he was aghast to see it contained his actual password.

“Clearly the passwords aren’t hashed at all let alone salted. At best they’re encrypted,” he wrote on his blog.

He soon found that although the site logged him in over Secure Sockets Layer (SSL), he quickly moved from seeing pages delivered via HTTPS to plain old HTTP.

“HTTP is stateless so the only (practical) way a state such as being logged in can be persisted is by passing cookies backwards and forwards between the browser and the website,” Hunt said.

“And because they’re being sent over an HTTP connection, anyone who can watch the traffic can see those same cookies. And copy them. And hijack your session.”
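The exposure Hunt describes comes down to whether the session cookie carries the Secure attribute, which tells the browser never to send it over plain HTTP. The following added example (not from the article or from Tesco's site; cookie names and URLs are constructed) simulates that browser rule and audits a weak Set-Cookie header beside its hardened form:

```python
"""Simulate the RFC 6265 rule for the Secure cookie attribute and audit
session cookies that would travel over plaintext HTTP.  Added example;
cookie names, values and hostnames below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into name/value plus the two flags that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def cookies_sent_to(jar: list, url: str) -> list:
    """Names of cookies a browser would attach to a request for `url`.
    A cookie marked Secure is only sent over https; anything else also goes
    out on http, where anyone on the path can read it and replay the session."""
    scheme = urlsplit(url).scheme
    return [c.name for c in jar if scheme == "https" or not c.secure]


def audit(jar: list) -> list:
    """Findings for session cookies exposed to sniffing or to script access."""
    findings = []
    for c in jar:
        if not c.secure:
            findings.append(f"{c.name}: missing Secure; sent over http and can be copied")
        if not c.httponly:
            findings.append(f"{c.name}: missing HttpOnly; readable by script in the page")
    return findings


# Constructed headers: the weak setting beside the corrected one.
WEAK = "SESSIONID=abc123; Path=/"
HARDENED = "SESSIONID=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for hdr in (WEAK, HARDENED):
        jar = [parse_set_cookie(hdr)]
        print(hdr)
        print("  sent to http://shop.example/basket :", cookies_sent_to(jar, "http://shop.example/basket"))
        print("  sent to https://shop.example/basket:", cookies_sent_to(jar, "https://shop.example/basket"))
        for finding in audit(jar):
            print("  -", finding)
```

The Secure flag only stops the cookie leaking; it does not stop the HTTP pages themselves, so the complete fix is to keep the whole logged-in session on HTTPS as well.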

Further digging suggested that Tesco was running IIS 6, a seven-year-old web server, and the nine-year-old ASP.NET 1.1.

“The security landscape has changed significantly since these technologies were launched and ongoing improvements in newer generations of the breed make continued progress in ensuring a more secure app by default,” Hunt said.

Having drawn up a list of issues, Hunt approached Tesco about his concerns; a customer service representative tweeted back:

A further tweet elaborated on those security practices:

"There’s probably a lesson in there somewhere about not letting your Customer Care folks make technical statements via social media," Hunt said.

Tesco had not responded to V3's request for comment at the time of publication.
