Tesco Password Security Fixed – But XSS Flaw Remains
No more plain text passwords? Every little security fix helps!
Tesco security has been improved as the grocer fulfills a promise to stop sending passwords in plain text, but a problematic website vulnerability remains on the site.
Pressure to improve Tesco security was intense, after it emerged the company was sending passwords in plain text, hinting that the supermarket neither hashed nor salted users’ login details. It was also suggested Tesco wasn’t using any kind of encryption to protect passwords internally. Considering the financial data held by Tesco, many were concerned.
The pressure appeared to have paid off when Tesco said it was to address security issues following complaints from customers, yet onlookers remained unconvinced that the company would enforce the changes.
Today, TechWeekEurope visited the Tesco.com website and discovered passwords were no longer being sent in plain text. Anyone who wishes to reset their password now has a link sent to them, directing them to a webpage where they can get a new login.
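To show what separates the old behaviour (a password that can be emailed back means it was stored recoverably) from the new one (a reset link), here is an added example, not Tesco's code and not from this article: salted PBKDF2 password hashing beside a hashed, single-use, time-limited reset token. The iteration count, token lifetime and the in-memory store are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: only a salt and a PBKDF2 hash are stored, so the
# original password cannot be emailed back to the user even by the site itself.
# Parameters below are illustrative choices, not values from the article.
PBKDF2_ITERATIONS = 200_000
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash); the password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def issue_reset_token(store: dict, user: str, now: float) -> str:
    """Create a random reset token; the server keeps only its hash and expiry.
    The plaintext token goes into the emailed link, so a leaked store yields
    nothing a reader could redeem."""
    token = secrets.token_urlsafe(32)
    store[user] = (hashlib.sha256(token.encode()).digest(), now + RESET_TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(store: dict, user: str, token: str, now: float) -> bool:
    """Single use: the stored entry is removed whether or not the attempt succeeds."""
    entry = store.pop(user, None)
    if entry is None:
        return False
    token_hash, expires = entry
    if now > expires:
        return False
    return hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash)
```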
A cross-site scripting (XSS) flaw revealed by this publication remains on the site, however, which could let hackers get hold of shoppers’ login information, simply with some social engineering. A fix could be on the way soon, as Tesco said on 22 August that changes would be made in “the coming weeks”.
Tesco moved to update its security practices after a strongly-worded blog post from security researcher Troy Hunt highlighted password insecurities.
Although he responded to Tesco’s password changes by saying they were “amazing”, Hunt said he was “over” the saga, which saw him go unthanked even though he was helping the company improve security by highlighting the flaws.
“Frankly, you get to the point where you’ve given them the risk, they’ve decided to accept it and you move on,” he told TechWeekEurope. “Still so unusual to have no response from them on anything.
“On the other hand it generated a lot of community support and backing from guys like [famous security researcher] Bruce Schneier which wouldn’t have happened if they’d done the right thing to begin with.”
There may also be SQL injection flaws left on the site, which could lead to loss of valuable data from Tesco databases, although there was no confirmation at the time of publication. Tesco said it would not go into detail on what fixes it has issued.