
Tesco Slammed For ‘Ignoring’ Security Failures

Tesco has been heavily criticised for poor security on its website, as a security researcher discovered the company was not protecting user passwords effectively.

The insecurities could make it easier for hackers to get hold of login credentials of Tesco shoppers and use that information to steal their identities.

Troy Hunt, software architect and Microsoft Most Valuable Professional for developer security, picked up on problems at Tesco when he was told by the supermarket giant that passwords were copied into plain text “when pasted automatically into a password reminder email”.

After requesting his own Tesco password, he found it was neither hashed nor salted when it was emailed to him. He claimed it was likely passwords were stored in plain text.
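What "hashed and salted" storage means in practice, as an added example that is not Tesco's code and not from Hunt's write-up: each user record holds only a random salt and a PBKDF2-HMAC-SHA256 digest, so a "password reminder" email of the kind Tesco sent cannot be produced from the database at all, and two users with the same password do not share a stored value. The email addresses and password are constructed sample data; the iteration count is an assumption.

```python
import hashlib
import hmac
import os

# Assumed work factor for the illustration; tune to your hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class HashedPasswordStore:
    """Each record keeps salt + digest; the plaintext is discarded at registration."""

    def __init__(self) -> None:
        self._records: dict[str, dict[str, str]] = {}

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per user, so equal passwords hash differently
        self._records[email] = {
            "salt": salt.hex(),
            "digest": hash_password(password, salt).hex(),
        }

    def login(self, email: str, password: str) -> bool:
        record = self._records.get(email)
        if record is None:
            # Run the KDF anyway so response time does not reveal whether the account exists
            hash_password(password, b"\x00" * 16)
            return False
        candidate = hash_password(password, bytes.fromhex(record["salt"]))
        # Constant-time comparison of the digests
        return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))

    def stored_record(self, email: str) -> dict[str, str]:
        """What someone who dumps the user table would see for this account."""
        return dict(self._records[email])


def demo() -> dict:
    """Constructed sample accounts; returns the properties a reviewer would check."""
    store = HashedPasswordStore()
    store.register("alice@example.invalid", "hunter2")
    store.register("bob@example.invalid", "hunter2")  # same password as alice
    alice = store.stored_record("alice@example.invalid")
    bob = store.stored_record("bob@example.invalid")
    return {
        "alice_login_ok": store.login("alice@example.invalid", "hunter2"),
        "alice_wrong_pw": store.login("alice@example.invalid", "Hunter2"),
        "unknown_user": store.login("carol@example.invalid", "hunter2"),
        # The plaintext never appears in the stored record
        "plaintext_in_db": "hunter2" in str(alice),
        # Per-user salts mean identical passwords do not produce identical digests
        "same_pw_same_digest": alice["digest"] == bob["digest"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the example is the last two fields: a store built this way has nothing to paste into a reminder email, which is why a site that can email your password back is, by construction, keeping it in a recoverable form.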

Perpetual password problems

The findings have come after a slew of major password leaks over the past two months, including one at social networking giant LinkedIn, which saw the login details of 6.5 million users stolen and published online.

“There’s a lot of research which says organisation size in no way correlates to relative security. Tesco is a bit of an exception though,” Hunt told TechWeekEurope.

“LinkedIn secured their logins via HTTPS and at least hashed their passwords and certainly they never emailed them to people. Looking at the feedback over Twitter, many people have raised this with Tesco before but they just don’t seem that interested. A lot of organisations aren’t until they have a serious breach and I don’t believe that’s happened with them. Yet.”

But Hunt found more security problems on the Tesco website itself. The site is guilty of “mixed mode HTTPS”, where pages are loaded over HTTPS but embed resources loaded over HTTP, giving users “no assurances whatsoever”. Browsers detect this and warn users.
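A small checker for the mixed-content condition Hunt describes, added here as an example and not taken from the article or from Tesco's site: it parses an HTML page served over HTTPS and lists every sub-resource (script, stylesheet, image, frame, object) that resolves to a plain http:// URL, which is the same condition that triggers the browser warning. The page URL and HTML are constructed sample input; the attribute table is an assumption covering the common resource-loading tags.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed map of tag -> attributes through which a page pulls in sub-resources.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),  # only rel=stylesheet / icon links are resources; see below
}


class MixedContentScanner(HTMLParser):
    """Collect (tag, absolute_url) pairs for resources fetched over plain HTTP."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "link":
            rel = (attr_map.get("rel") or "").lower()
            if "stylesheet" not in rel and "icon" not in rel:
                return  # canonical/alternate links are not loaded as resources
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attr_map.get(name)
            if not value:
                continue
            # Resolve relative and protocol-relative (//host/path) references
            absolute = urljoin(self.page_url, value)
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, absolute))


def find_mixed_content(page_url: str, html: str) -> list[tuple[str, str]]:
    """Return the HTTP-loaded resources of an HTTPS page; an HTTP page cannot have mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: two insecure loads, one canonical link that is not a load,
# one relative and one protocol-relative reference that inherit https.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.invalid/site.css">
<link rel="canonical" href="http://www.example.invalid/login">
<script src="/js/app.js"></script>
<script src="//cdn.example.invalid/lib.js"></script>
</head><body>
<img src="http://img.example.invalid/logo.png">
<img src="https://img.example.invalid/secure.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.invalid/login", SAMPLE_HTML):
        print(f"insecure {tag}: {url}")
```

Protocol-relative references (`//cdn...`) are treated as the fix they usually are: they inherit the page's scheme, so they do not show up as findings on an HTTPS page.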

“The mixed mode HTTPS is just pure negligence – I mean there’s the browser throwing a big message saying ‘THIS IS NOT SAFE – DON’T PROCEED’! OK, different browsers respond different ways but it’s still made very clear,” Hunt added.

Security Sin

Tesco also committed a security sin by reverting from HTTPS to HTTP after a user logged in. If a hacker got on the same network as a Tesco shopper, they could easily hijack a session, Hunt said. They would typically do so by intercepting users’ session IDs, or acting as a man in the middle between the user and the Web server using specially-designed software.
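The drop back to HTTP after login is dangerous because the session cookie set during the HTTPS login is then sent in the clear on every subsequent request, which is exactly what a same-network attacker intercepts. The following audit, added here as an example rather than anything from the article or Tesco, inspects the response to a login request for the three things a defender would check: session cookies lacking the `Secure` (and `HttpOnly`) attribute, a post-login redirect to a plain http:// URL, and a missing `Strict-Transport-Security` header. The header sets are constructed sample data; the cookie name "sessionid" and the session-name hints are assumptions.

```python
from urllib.parse import urlsplit

# Assumed substrings that mark a cookie as carrying authentication state.
SESSION_HINTS = ("session", "sessid", "auth", "token")


def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split a Set-Cookie value into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookie(header: str) -> tuple[str, list[str]]:
    """Report missing protections on a cookie that looks like a session cookie."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if any(hint in name.lower() for hint in SESSION_HINTS):
        if "secure" not in attrs:
            problems.append("missing Secure: browser will send it over plain HTTP")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by page scripts")
    return name, problems


def audit_post_login_response(headers: list[tuple[str, str]]) -> list[str]:
    """headers: (name, value) pairs from the response to the login POST."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, problems = audit_cookie(value)
            findings.extend(f"{cname}: {p}" for p in problems)
        elif lname == "location" and urlsplit(value).scheme == "http":
            findings.append(f"redirect to plain HTTP after login: {value}")
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed sample responses: the pattern the article describes, and the hardened form.
WEAK_RESPONSE = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Location", "http://www.example.invalid/account"),
]
HARDENED_RESPONSE = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Location", "https://www.example.invalid/account"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_post_login_response(response) or "no findings")
```

The `Secure` attribute is the single change that makes the "revert to HTTP" behaviour survivable: even if a page is served in the clear, the browser withholds the cookie, so the request fails rather than leaking the session.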

Tesco was also mocked for the browsers it requires users to run for access to its website. “Tesco won’t just let any old browser in, oh no, you must be using something modern like version 3.0 of ‘explorer’ or 3.02 of Netscape,” Hunt wrote in his blog on the matter. “Do you even remember Netscape? Quite possibly not because there’s a sizable audience out there browsing the web today who were still breastfeeding when it launched in mid 1996.”

The supermarket chain was also using out-of-date server software, running Microsoft’s seven-year-old IIS 6.

At the time of publication, Tesco had not responded to repeated requests for comment.

Tesco told Hunt all customer passwords were stored securely and in line with industry standards. “Of course we’re taking this seriously. We’re collating all comments & concerns, and passing them to relevant departments.”

But the security researcher disagreed, telling TechWeekEurope that organisations like Tesco were getting Web app implementations “fundamentally wrong.”

“The simplicity of the risks suggests that Tesco doesn’t take security very seriously and more severe risks are likely present.”

Some believe the username and password model is set for extinction, to be replaced by simple two-factor authentication.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
