A dangerous flaw has been found on the Tesco website, placing the company’s online customers at risk, TechWeekEurope has learned, just a day after the supermarket chain was lambasted for weak security practices.
Yesterday, security researcher Troy Hunt had exposed problems with Tesco security, including the fact that it appeared to be storing customer passwords in plain text without proper salting and hashing.
The Tesco.com site was also guilty of “mixed mode HTTPS”, where pages are loaded up over HTTPS but resources are loaded over HTTP, giving users “no assurances whatsoever”. Browsers pick up on when this happens and even warn users, yet Tesco still has not fixed the issue.
Today it emerged that an XSS flaw on the site could be exploited by hackers to hijack users’ accounts. TechWeekEurope has seen evidence proving that the flaw exists and has warned Tesco about it, but received no response. The XSS code will not be published for the safety of Tesco shoppers.
They would then be passed on to the Tesco website. At that point, code would be sent to a Tesco server via its search box on the homepage. If engineered correctly, this would pass cookie data back to the attacker’s server, and they would have access to the victim’s account. All of this could happen in seconds, and the user would be left clueless.
Hunt claimed the flaw should have been “very easily identified”, adding that Tesco could issue a “very quick fix” for the flaw. Yet there has been no response from the supermarket giant.
The latest WhiteHat Security report showed that over half (55 percent) of all sites contained an XSS flaw in 2011, making it the most common vulnerability on the web.
Hunt said he had also received an unverified claim of an SQL injection flaw on the Tesco website, which could be exploited to expose user information.
As for the password issues highlighted yesterday, Tesco sent over this response: “We know how important Internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely.”
A spokesperson confirmed the company would be looking into what people were saying online, but did not say if there was any plan for action. He claimed the site had never been hacked and Tesco had never been hit by any major security issue.
Despite online claims that Tesco had fixed the password problem, TechWeekEurope found the site has several different pages for password resets. One of those (see here) is more secure, as it takes users through a process of changing their password. But another (see here) gives customers their password back in plain text.
“You know what strikes me with this whole thing? There’s someone directing these comments to Tesco customer care, journalists and whoever else is asking that just doesn’t have the faintest clue,” Hunt added.
“It’s not about whether you’ve been hacked or whether you think you’re secure or not, there are blatantly obvious flaws at many levels and they just can’t acknowledge it.”
The security researcher and Microsoft Most Valuable Professional said he had seen 1,720 re-tweets over Twitter of a Tesco tweet that said passwords were copied into plain text “when pasted automatically into a password reminder email” – something of a paradox given that plain text is not a secure way to show sensitive data. There were also hundreds and possibly thousands of tweets to @UKTesco complaining about the issue, Hunt said.
“They’re just blindly saying ‘everything is fine’. Does that not strike you as odd?” he added.
“I would genuinely like to see them get on top of this, or at the very least understand the issues.”
Are you up on all the latest threats? Try our security quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
Does this amount to vigilante justice? How much of this is really fair (what about legal)? I agree that Tesco has its head in the sand. But does that grant individuals a de facto license to attack the site to prove their point? I hope not.
No one has demonstrated harm to a single individual at any point as a result of these supposedly horrific security flaws. Did Tesco mishandle anyone's data? Did anything bad happen? What would happen if some of these security professionals who were hacking Tesco were arrested for proving their point?
Why is it OK to take matters into their own hands and attack like this? They don't even have an axe to grind like people did with Sony, where Sony was prosecuting people for dubious reasons. Tesco's done nothing to deserve this. One must be careful not to incur the wrath of the mob, I suppose.
Dear Paco Hope
I think you will find the problem arises when researchers discover such flaws, warn the companies concerned and no response is given or action taken. Probably after a period of grace.
Let's say you leave your top of the range Mercedes parked up, with the engine running and the drivers door open. Being a good natured citizen I point out your mistake and you say 'Meh!'.
Are you now going to complain to me if it gets stolen?
Let's say you leave your bosses top of the range Mercedes parked up, with the engine running and the drivers door open. Being a good natured citizen I point out your mistake and you say 'Meh!'.
Is your boss now going to complain to me if it gets stolen?
Replying to Paco Hope, Tesco have the choice of doing nothing or fixing the issues now visible to all. The evidence of those who did nothing is that some have charmed lives, and others got hacked to pieces sending out untold 100s of millions of credit card details and losing their reputation and customer trust at a stroke.
On balance, it is usually better to take loss of reputation as costing more than fixing pre-notified issues.
The further problem Tesco now have is this story is out in the wild, so if hackers do steal and release several million cards the condemnation that will come down on them on the lines of 'despite repeated warnings from security experts...' will compound their reputational damage and likely rock their stock price.
i'd be more worried about the food they sell, my mates FINEST was not fit for me hogs
http://a2.sphotos.ak.fbcdn.net/hphotos-ak-snc7/578664_10151067266313911_268975870_n.jpg
http://a1.sphotos.ak.fbcdn.net/hphotos-ak-ash3/553403_10151067276358911_686497253_n.jpg
id be sick as a dog if it were mine
I have only had one dealing with tesco online never again i am not supprised to hear how laxed they are. I tried making a complaint online to them they just ignored me they are very ARROGANT
I have had problems with Tesco too. Many of their emails do not contain unsubscribe options, and those that do take you to web page that only gives you the option to sign up to more of their mails! They are behaving very badly and getting away with it.
Whilst I do not for one moment condone Tesco's security flaws and their lack of action. I ask Tech Week Europe, is your exposure of Tescos's problem and how some one could hack into another's account in such detail responsible reporting? Or are you on a vanity trip to show how clever you are? If I was a crook and so minded I could use the information you provided to have a go at hacking someone's account. After your report there are probably thousands of crooks looking not only at Tesco's site but others for an XSS flaw.
Thanks for all your comments.
Peter Odds, we share your worries, and follow normal practice for responsible reporting of any security issue.
We would never publicise a flaw for the first time on our site.
The flaw was known about in hacker circles before we covered it, and Tesco had been notified, but was very slow in responding.
In that situation, "crooks" already knew the opportunity, and it became essential to alert customers.
Peter Judge
Editor
Thanks for the comments.
I'd also point out that the article does not expose what the flaw is (i.e. code that would show where the vulnerability lies). It just says it is there and then explains how an XSS attack might go down. The latter is very much in the public domain and all website owners should understand how an XSS attack can happen. That way they can better protect their site.
Additionally, thousands of crooks (probably more) have most likely been trying to crack Tesco infrastructure for years. And many are looking for XSS flaws across the web already, including legitimate security professionals trying to make the Internet a safer place for people like you and I.
Thanks
Tom Brewster
Deputy Editor
see, what it is its the xss which is layered with the https and the dvcl interface.if they need to reintegrate the ddl and upload quotients then it means the ntc base is desynchronsed.simple when you think about it. commonsense.