Tesco ignores the advice of TechWeekEurope and security researchers, making it unsafe to shop on Tesco.com, warns Tom Brewster
Two weeks have passed since researcher Troy Hunt slammed poor Tesco security, and TechWeekEurope exclusively revealed an XSS flaw on the retailer’s main website. And despite consistent requests for an update on the situation, Tesco has offered nothing. The vulnerabilities remain, as do the risks to Tesco online customers.
Perhaps the XSS flaw is nothing to be worried about. Perhaps passwords really are adequately protected. But from all the evidence we have, both the website vulnerability and the password handling are far from safe. At the very least, Tesco can improve in both areas.
Here is a little recap of what’s wrong with Tesco security. First off, it appears Tesco is sending passwords to users in plain text. That’s not good. If they are being sent in plain text, it means anyone with malicious intent who is able to intercept customers’ emails won’t have to bother with decrypting anything to access that person’s Tesco account. More worryingly, it indicates Tesco isn’t hashing or salting its passwords at all, storing them in plain text. That means there’s a database somewhere that hackers are salivating over.
Why can’t Tesco speak out on this? Its silence is of serious concern. If companies as big as LinkedIn can say ‘hey, we messed up by not hashing and salting passwords, but we’ll do it from now on’, why can’t Tesco tell us how it is protecting its users’ login details? There is no harm in being transparent here, but, whether because of the siloed nature of Tesco’s business, poor communication or just plain old incompetence, the supermarket giant remains quiet.
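To make concrete what "hashing and salting" means, and why a site that does it can never email a customer their own password back, here is an added example (not Tesco's code and not anything the article describes): a standard-library Python sketch of salted password storage, verification, and a password-reset flow that emails a one-time token instead of the password. Iteration counts and field names are this example's own choices.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Example parameters (assumptions, not values from the article).
ITERATIONS = 200_000   # PBKDF2 work factor; tune upward as hardware allows
SALT_BYTES = 16        # per-user random salt length


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record {salt, hash, iterations}.

    The password itself is never kept, so a 'send me my password' email
    is impossible by construction: only the salt and the derived hash exist.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_different_records(password: str) -> bool:
    """Show why the salt matters: two users with the same password get different
    stored hashes, so a leaked database does not reveal who shares a password."""
    a = hash_password(password)
    b = hash_password(password)
    return a["hash"] != b["hash"] and verify_password(a, password) and verify_password(b, password)


def issue_reset_token(user_record: dict) -> str:
    """Reset flow that needs no plain-text password: generate a one-time token,
    store only its hash against the user, and email the token (constructed here)."""
    token = secrets.token_urlsafe(32)
    user_record["reset_token_hash"] = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return token


def redeem_reset_token(user_record: dict, token: str, new_password: str) -> bool:
    """Consume the token (single use) and replace the stored password hash."""
    expected = user_record.pop("reset_token_hash", None)
    if expected is None:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, expected):
        return False
    user_record.update(hash_password(new_password))
    return True


if __name__ == "__main__":
    # Constructed walk-through of the two flows.
    user = hash_password("correct horse battery staple")
    print("login ok:", verify_password(user, "correct horse battery staple"))
    print("stored record holds no password:", "correct horse" not in str(user))
    token = issue_reset_token(user)           # this token, not the password, goes in the email
    print("reset ok:", redeem_reset_token(user, token, "new-password-1"))
    print("old password rejected:", not verify_password(user, "correct horse battery staple"))
```

The design point is the one the article makes in reverse: if a site can put your password in an email, it must be holding the password itself, whereas a site that stores only salt and hash can support login and reset without ever being able to reproduce it.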
It is just as tight-lipped about the XSS vulnerability on the site, which could allow hackers to get hold of user account IDs if they were able to trick a logged-in user into clicking on a link. It might seem like hackers would have a slim chance of finding logged-in users and then duping them, but anyone who ‘gets’ security knows how crafty mischievous Web users can be.
I have disclosed all of the relevant information to Tesco, including details on what the weakness is and how it could be exploited. I was told the information would be passed on to the relevant people. But I have had nothing official in return, other than this canned comment: “We know how important Internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely.” Pah!
Hunt told me he “might have actually made some progress with some real technical people” but he was “not expecting miracles”. As expected, the miracles never materialised. Even a typically histrionic piece in the Daily Mail hasn’t made it through Tesco’s impenetrable earmuffs.
What happens now? I can do little more. In an ideal world, Tesco would read this piece, and all the other negative articles about its security practices, and enact immediate change. But, again, that seems rather unlikely, even though both the website vulnerability and the password issues are very simple to rectify. Everything appears to move at a rather glacial pace over there…
Researchers might be able to go further, however. Whereas I am unwilling to make the vulnerability public, others may have a more flexible conscience. If the XSS vulnerability is made known to hackers, they will use it and they will succeed in defrauding Tesco and its customers. That would be tragic – but might at least have the benefit of waking Tesco up from its slumber and forcing it to fix the manifold problems with its IT security.
It would, of course, be preferable for customers to start kicking up more of a fuss. Tesco is fairly active on Twitter, so anyone who does care about keeping their account secure should start venting their frustration on that channel, or over Facebook, or however they wish. The pressure could and should pay off.