
Tesco Password Security Fixed – But XSS Flaw Remains

Tesco security has been improved as the grocer fulfils a promise to stop sending passwords in plain text, but a problematic website vulnerability remains on the site.

Pressure to improve Tesco security was intense after it emerged the company was sending passwords in plain text, hinting that the supermarket neither hashed nor salted users’ login details. It was also suggested Tesco wasn’t using any kind of encryption to protect passwords internally. Considering the financial data held by Tesco, many were concerned.

The pressure appeared to have paid off when Tesco said it was to address security issues following complaints from customers, yet onlookers remained unconvinced that the company would enforce the changes.

Every little Tesco security fix helps…

Today, TechWeekEurope visited the Tesco.com website and discovered passwords were no longer being sent in plain text. Anyone who wishes to reset their password now has a link sent to them, directing them to a webpage where they can get a new login.
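The two practices the article contrasts, keeping only a salted password hash (so no e-mail can ever contain the password itself) and resetting through a single-use, expiring link token, as an added Python example; this is not Tesco's code or anything the article describes, and the in-memory tables, PBKDF2 parameters and 15-minute token lifetime are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption for this example).
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry timestamp)
PBKDF2_ROUNDS = 200_000  # assumed work factor

def create_user(email, password):
    """Store a per-user random salt and a slow hash; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[email] = {"salt": salt, "hash": digest}

def verify_password(email, password):
    rec = USERS.get(email)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])  # constant-time comparison

def can_recover_password(email):
    """True only if the plaintext is stored; with salted hashing a 'here is your
    password' e-mail of the kind the article describes cannot be produced."""
    return "password" in USERS.get(email, {})

def issue_reset_token(email, ttl=900, now=None):
    """Return a random token for the reset link; only its hash is stored server-side,
    so a database leak does not expose live reset links."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).digest()
    RESET_TOKENS[key] = (email, (now if now is not None else time.time()) + ttl)
    return token

def redeem_reset_token(token, new_password, now=None):
    """Consume the token (single use), reject it if expired, then set a new hash."""
    key = hashlib.sha256(token.encode()).digest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None:
        return False
    email, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        return False
    create_user(email, new_password)
    return True
```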

A cross-site scripting (XSS) flaw revealed by this publication remains on the site, however, which could let hackers get hold of shoppers’ login information, simply with some social engineering. A fix could be on the way soon, as Tesco said on 22 August that changes would be made in “the coming weeks”.

Tesco moved to update its security practices after a strongly-worded blog post from security researcher Troy Hunt highlighted password insecurities.

Although he responded to Tesco’s password changes by saying they were “amazing”, Hunt said he was “over” the saga, which saw him go unthanked even though he was helping the company improve security by highlighting the flaws.

“Frankly, you get to the point where you’ve given them the risk, they’ve decided to accept it and you move on,” he told TechWeekEurope. “Still so unusual to have no response from them on anything.

“On the other hand it generated a lot of community support and backing from guys like [famous security researcher] Bruce Schneier which wouldn’t have happened if they’d done the right thing to begin with.”

There may also be SQL injection flaws left on the site, which could lead to loss of valuable data from Tesco databases, although there was no confirmation at the time of publication. Tesco said it would not go into detail on what fixes it has issued.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Comments

  • They also need to address 'layer 8' at Tesco Mobile. They've just asked me to confirm my security details via email...er no!
