Tesco Pledges To Fix Web Security Flaws

TechWeekEurope pressure pays off as Tesco says it will fix issues, but given there are so many, which ones will it address?

Tesco has promised to fix security problems on its website, following complaints from customers and plenty of pressure from the security community and TechWeekEurope.

The supermarket had kept quiet when Tesco security practices came under fire from researcher Troy Hunt, who  pointed out various problems on Tesco.com. Hunt found the company was emailing passwords in plain text, without hashing or salting them. It was also claimed no encryption was used to protect passwords.

Two separate reports from TechWeekEurope confirmed an XSS vulnerability and an SQL injection flaw on the Tesco.com website, but after reporting the issues to Tesco, there was initially no response. Both flaws could have let hackers steal login credentials of users.

Earlier this week, the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), claimed it was looking into Tesco security procedures and would be making enquiries.

Today, Tesco, which said it still believes its current security was “robust”, would not go into detail on which of the myriad security problems were being addressed but promised customers would see changes soon.

Tesco security awakes

“We review our systems on a regular basis and look to update them if necessary. Following feedback from some of our customers, we will be updating the measures we already have place in the coming weeks,” a spokesperson from Tesco told TechWeekEurope

Despite the ICO’s interest in the case, Tesco said it had not yet had any contact from the watchdog. “We would of course cooperate fully with any requests they may have,” the supermarket giant said.

“What’s important is that customers have the confidence to shop with us online,” a spokesperson added.

Hunt said it was now up to the firm to prove it is serious about security, saying it was critical Tesco first focus on patching the XSS and SQL injection vulnerabilities, and address the password protection, or lack thereof. There were other issues with the Tesco.com site, including mixed HTTPS, where the SSL protection appeared to be dropped once a customer was logged in.

The supermarket chain has also been using using out-of-date server software, running Microsoft’s seven year-old IIS 6.

“We know they can talk, but can they deliver? I do hope they can and it’s not just being said to placate the public,” he said. “Certainly it’s a positive thing if they are indeed taking feedback from customers.

“There have been so many risks pointed out to them, what are they fixing? The password storage? The emailing? The password rules? The lack of HTTPS? The mixed HTTPS? The XSS? The SQL injection? The outdated frameworks?”

The security community, including Hunt and this publication, will be watching over the coming weeks to see what Tesco has changed.

Is your security skill the finest? Try our quiz!