Tesco-Landscape

Tesco Pledges To Fix Web Security Flaws

TechWeekEurope pressure pays off as Tesco says it will fix issues, but given there are so many, which ones will it address?

On by Thomas Brewster 2

Tesco has promised to fix security problems on its website, following complaints from customers and plenty of pressure from the security community and TechWeekEurope.

The supermarket had kept quiet when Tesco security practices came under fire from researcher Troy Hunt, who  pointed out various problems on Tesco.com. Hunt found the company was emailing passwords in plain text, without hashing or salting them. It was also claimed no encryption was used to protect passwords.

Two separate reports from TechWeekEurope confirmed an XSS vulnerability and an SQL injection flaw on the Tesco.com website, but after reporting the issues to Tesco, there was initially no response. Both flaws could have let hackers steal login credentials of users.

Earlier this week, the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), claimed it was looking into Tesco security procedures and would be making enquiries.

Today, Tesco, which said it still believes its current security was “robust”, would not go into detail on which of the myriad security problems were being addressed but promised customers would see changes soon.

Tesco security awakes

“We review our systems on a regular basis and look to update them if necessary. Following feedback from some of our customers, we will be updating the measures we already have place in the coming weeks,” a spokesperson from Tesco told TechWeekEurope

Despite the ICO’s interest in the case, Tesco said it had not yet had any contact from the watchdog. “We would of course cooperate fully with any requests they may have,” the supermarket giant said.

“What’s important is that customers have the confidence to shop with us online,” a spokesperson added.

Hunt said it was now up to the firm to prove it is serious about security, saying it was critical Tesco first focus on patching the XSS and SQL injection vulnerabilities, and address the password protection, or lack thereof. There were other issues with the Tesco.com site, including mixed HTTPS, where the SSL protection appeared to be dropped once a customer was logged in.

The supermarket chain has also been using using out-of-date server software, running Microsoft’s seven year-old IIS 6.

“We know they can talk, but can they deliver? I do hope they can and it’s not just being said to placate the public,” he said. “Certainly it’s a positive thing if they are indeed taking feedback from customers.

“There have been so many risks pointed out to them, what are they fixing? The password storage? The emailing? The password rules? The lack of HTTPS? The mixed HTTPS? The XSS? The SQL injection? The outdated frameworks?”

The security community, including Hunt and this publication, will be watching over the coming weeks to see what Tesco has changed.

Is your security skill the finest? Try our quiz!

Thomas Brewster
Author: Thomas Brewster
Security Correspondent, TechWeekEurope
Thomas Brewster Thomas Brewster Thomas Brewster
Techweekeurope for mobile devices
Android-App Google Currents App for iOS

Last comment




2 replies to Tesco Pledges To Fix Web Security Flaws

  • On August 22, 2012 at 12:14 pm by Iain N.StCyr

    I doubt Tesco’s sincerity as it’s taken them so long to acknowledge complaints and, even now, do not acknowledge flaws in their software etc. It’s pure lip-service. If a consumer does eventually get ripped off by hackers, the consumer will never be able to prove it was Tesco’s fault and even if their’s a complaint – some free chops will shut them up. well, I shan’t be on-line shopping with them until I know they have rectified the situation.

    • On August 22, 2012 at 1:51 pm by Tom Brewster

      Hi Iain,

      We’ll have to see what Tesco does. We’ll be checking back on the flaws and the password issues next month. Let’s hope they fix those three main problems.

      Thanks for reading.

      Tom Brewster
      Deputy Editor

Leave a Reply

  • Required fields are marked *,
    Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>