Tesco Security: Very Little Help!

Two weeks have passed since researcher Troy Hunt slammed poor Tesco security, and TechWeekEurope exclusively revealed an XSS flaw on the retailer’s main website. And despite consistent requests for an update on the situation, Tesco has offered nothing. The vulnerabilities remain, as do the risks to Tesco online customers.

Perhaps the XSS flaw is nothing to be worried about. Perhaps passwords really are adequately protected. But from all the evidence we have, both the website vulnerability and the poor password practices are far from safe. At the very least, Tesco can improve in both areas.

Here is a little recap of what’s wrong with Tesco security. First off, it appears Tesco is sending passwords to users in plain text. That’s not good. If they are being sent in plain text, it means anyone with malicious intent who is able to intercept customers’ emails won’t have to bother with decrypting anything to access that person’s Tesco account. More worryingly, it indicates Tesco isn’t hashing or salting its passwords at all, storing them in plain text. That means there’s a database somewhere that hackers are salivating over.
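To make the reasoning above concrete, here is an added illustration (not Tesco's code, nor anything from the article's sources) of the difference between the two storage models: a site that keeps the password itself can paste it into an email, while a site that keeps only a salted, slow hash can verify a login but cannot recover the password and must fall back on a reset token. Function and field names are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example).
ITERATIONS = 600_000


def store_plaintext(password: str) -> dict:
    """The weak model: the record holds the password, so a 'forgot password'
    email can simply read it back out."""
    return {"password": password}


def store_hashed(password: str) -> dict:
    """The sound model: a fresh random salt plus a slow hash. The password
    itself is never written anywhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_hashed(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def recoverable_password(record: dict):
    """What a password-reminder email could contain: the password if it was
    stored as-is, otherwise None (a hashed record yields nothing to send)."""
    return record.get("password")


def reset_token() -> str:
    """What a hashed-password site sends instead: a one-time, random token
    (assumed here to be stored with an expiry and exchanged for a new password)."""
    return secrets.token_urlsafe(32)
```

Two users choosing the same password get different records under the hashed model because each gets its own salt, which is what "salting" buys a defender: a leaked table cannot be cracked one hash and matched against many accounts.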

Head stuck in the sand

Why can’t Tesco speak out on this? Its silence is of serious concern. If companies as big as LinkedIn can say ‘hey, we messed up by not hashing and salting passwords, but we’ll do it from now on’, why can’t Tesco tell us how it is protecting its users’ login details? There is no harm in being transparent here, but, whether because of the siloed nature of Tesco’s business, poor communication or just plain old incompetence, the supermarket giant remains quiet.

It is just as tight-lipped about the XSS vulnerability on the site, which could allow hackers to get hold of user account IDs if they were able to trick a logged-in user into clicking on a link. It might seem like hackers would have a slim chance of finding logged-in users and then duping them, but anyone who ‘gets’ security knows how crafty mischievous Web users can be.

I have disclosed all of the relevant information to Tesco, including details on what the weakness is and how it could be exploited. I was told the information would be passed on to the relevant people. But I have had nothing official in return, other than this canned comment: “We know how important Internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely.” Pah!

Hunt told me he “might have actually made some progress with some real technical people” but he was “not expecting miracles”. As expected, the miracles never materialised. Even a typically histrionic piece in the Daily Mail hasn’t made it through Tesco’s impenetrable earmuffs.

What happens now? I can do little more. In an ideal world, Tesco would read this piece, and all the other negative articles about its security practices, and enact immediate change. But, again, that seems rather unlikely, even though both the website vulnerability and the password issues are very simple to rectify. Everything appears to move at a rather glacial pace over there…

Researchers might be able to go further, however. Whereas I am unwilling to make the vulnerability public, others may have a more flexible conscience. If the XSS vulnerability is made known to hackers, they will use it and they will succeed in defrauding Tesco and its customers. That would be tragic – but might at least have the benefit of waking Tesco up from its slumber and forcing it to fix the manifold problems with its IT security.

It would, of course, be preferable for customers to start kicking up more of a fuss. Tesco is fairly active on Twitter, so anyone who does care about keeping their account secure should start venting their frustration on that channel, or over Facebook, or however they wish. The pressure could and should pay off.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.


  • Tom, there is something else going on at Tesco: A superiority complex

    Customers, to Tesco, are simply two-legged cattle.

    If they can shut you up with a template-email then job done.

    Example:
    Make a request to see security camera footage from one of your visits to Tesco. Also ask who else gets to see that data and who they share or sell that data on to. I'm specifically talking about security video footage.

    Result:
    They will reply to your requests with:

    - Please send us your Club Card details.

    This is obviously silly. How are Club Card details going to help with security camera footage? But this is what I mean by "template-email".

    I did this because I was curious as to why every time I entered Tesco stores I constantly found security guards following me.

    I shop at Lidl's now :-)

    My point is: Tesco see themselves as an immovable object, and sorry to tell you this, but whatever you write on this web page, it will not bother Tesco one little bit because it won't even affect their profits in the most minuscule way.

  • Tesco really should look askance at any of its staff who are complacent about this. UKBA has just uncovered a nest of illegal aliens in the tesco.com warehouse.

    The significance of that is that Tesco is either negligent or careless, or that it condones sharp practices.

    Either way, it's quite possible somebody with criminal intent is in their IT department.

  • Why does everyone stress about security systems? We couldn't live without them now. How many crimes have been solved, and solved more quickly, because of them? I personally feel much safer for them being around. Just go about your business; if you are doing nothing wrong, you have nothing to worry about.
