
Tesco Slammed For ‘Ignoring’ Security Failures

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Tesco not living by ‘every little helps’ motto as researcher claims it is guilty of numerous security sins

Tesco has been heavily criticised for poor security on its website, as a security researcher discovered the company was not protecting user passwords effectively.

The insecurities could make it easier for hackers to get hold of login credentials of Tesco shoppers and use that information to steal their identities.

Troy Hunt, software architect and Microsoft Most Valuable Professional for developer security, picked up on problems at Tesco when he was told by the supermarket giant that passwords were copied into plain text “when pasted automatically into a password reminder email”.

After requesting his own Tesco password, he found it was neither hashed nor salted when it was emailed to him. He claimed it was likely passwords were stored in plain text.

Perpetual password problems

The findings have come after a slew of major password leaks over the past two months, including one at social networking giant LinkedIn, which saw login details of 6.5 million stolen and published online.

“There’s a lot of research which says organisation size in no way correlates to relative security. Tesco is a bit of an exception though,” Hunt told TechWeekEurope.

“LinkedIn secured their logins via HTTPS and at least hashed their passwords and certainly they never emailed them to people. Looking at the feedback over Twitter, many people have raised this with Tesco before but they just don’t seem that interested. A lot of organisations aren’t until they have a serious breach and I don’t believe that’s happened with them. Yet.”

But Hunt found more security problems on the Tesco website itself. The site is guilty of “mixed mode HTTPS”, where a page is loaded over HTTPS but embeds resources loaded over HTTP, giving users “no assurances whatsoever”. Browsers detect when this is happening and warn users.

“The mixed mode HTTPS is just pure negligence – I mean there’s the browser throwing a big message saying ‘THIS IS NOT SAFE – DON’T PROCEED’! OK, different browsers respond different ways but it’s still made very clear,” Hunt added.

Security Sin

Tesco also committed a security sin by reverting from HTTPS to HTTP after a user logged in. If a hacker got on the same network as a Tesco shopper, they could easily hijack a session, Hunt said. They would typically do so by intercepting users’ session IDs, or acting as a man in the middle between the user and the Web server using specially-designed software.

Tesco was also mocked for the browsers it requires users to run for access to its website. “Tesco won’t just let any old browser in, oh no, you must be using something modern like version 3.0 of ‘explorer’ or 3.02 of Netscape,” Hunt wrote in his blog on the matter. “Do you even remember Netscape? Quite possibly not because there’s a sizable audience out there browsing the web today who were still breastfeeding when it launched in mid 1996.”

The supermarket chain was also using out-of-date server software, running Microsoft’s seven-year-old IIS 6.

At the time of publication, Tesco had not responded to repeated requests for comment.

Tesco told Hunt all customer passwords were stored securely and in line with industry standards. “Of course we’re taking this seriously. We’re collating all comments & concerns, and passing them to relevant departments.”

But the security researcher disagreed, telling TechWeekEurope that organisations like Tesco were getting Web app implementations “fundamentally wrong.”

“The simplicity of the risks suggests that Tesco doesn’t take security very seriously and more severe risks are likely present.”

Some believe the username and password model is set for extinction, to be replaced by simple two-factor authentication.
