Tesco has promised to fix security problems on its website, following complaints from customers and plenty of pressure from the security community and TechWeekEurope.
The supermarket had kept quiet when Tesco security practices came under fire from researcher Troy Hunt, who pointed out various problems on Tesco.com. Hunt found the company was emailing passwords in plain text, without hashing or salting them. It was also claimed no encryption was used to protect passwords.
Two separate reports from TechWeekEurope confirmed an XSS vulnerability and an SQL injection flaw on the Tesco.com website, but after reporting the issues to Tesco, there was initially no response. Both flaws could have let hackers steal login credentials of users.
Today, Tesco, which said it still believes its current security was “robust”, would not go into detail on which of the myriad security problems were being addressed but promised customers would see changes soon.
“We review our systems on a regular basis and look to update them if necessary. Following feedback from some of our customers, we will be updating the measures we already have place in the coming weeks,” a spokesperson from Tesco told TechWeekEurope
Despite the ICO’s interest in the case, Tesco said it had not yet had any contact from the watchdog. “We would of course cooperate fully with any requests they may have,” the supermarket giant said.
“What’s important is that customers have the confidence to shop with us online,” a spokesperson added.
Hunt said it was now up to the firm to prove it is serious about security, saying it was critical Tesco first focus on patching the XSS and SQL injection vulnerabilities, and address the password protection, or lack thereof. There were other issues with the Tesco.com site, including mixed HTTPS, where the SSL protection appeared to be dropped once a customer was logged in.
The supermarket chain has also been using using out-of-date server software, running Microsoft’s seven year-old IIS 6.
“We know they can talk, but can they deliver? I do hope they can and it’s not just being said to placate the public,” he said. “Certainly it’s a positive thing if they are indeed taking feedback from customers.
“There have been so many risks pointed out to them, what are they fixing? The password storage? The emailing? The password rules? The lack of HTTPS? The mixed HTTPS? The XSS? The SQL injection? The outdated frameworks?”
The security community, including Hunt and this publication, will be watching over the coming weeks to see what Tesco has changed.
Is your security skill the finest? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
I doubt Tesco's sincerity as it's taken them so long to acknowledge complaints and, even now, do not acknowledge flaws in their software etc. It's pure lip-service. If a consumer does eventually get ripped off by hackers, the consumer will never be able to prove it was Tesco's fault and even if their's a complaint - some free chops will shut them up. well, I shan't be on-line shopping with them until I know they have rectified the situation.
Hi Iain,
We'll have to see what Tesco does. We'll be checking back on the flaws and the password issues next month. Let's hope they fix those three main problems.
Thanks for reading.
Tom Brewster
Deputy Editor