The website might be leaky, but Tesco’s PR is zipped up tight
Yet another vulnerability on the Tesco website has been confirmed by a researcher, who lambasted the supermarket giant for its “unprecedented” silence on fixing various security issues.
Following claims that Tesco is not hashing, salting or encrypting customer passwords, and has an XSS flaw on its main website, customers and onlookers have bemoaned the company’s lack of action.
There has been no confirmation that fixes have been implemented and the issues had not been addressed at the time of publication, whilst data protection watchdog the Information Commissioner’s Office (ICO) is looking into the matter.
But now another vulnerability on the Tesco website has been uncovered and verified, said security expert Troy Hunt, which could place the firm and its customers at risk. The flaw was highlighted in the comments section of one of Hunt’s blog posts.
The latest issue is an SQL injection flaw, which could see hackers get hold of login information or credit card details from the site, by getting the SQL database server to dump databases. The vulnerability was alleged last month, but has now been proven, according to Hunt.
A typical SQL injection hit sees attackers enter code into a web form entry field, such as a search section of a website, combining certain user-input variables with SQL commands. The database is fooled into responding to this input, potentially delivering valuable information.
By manipulating queries, hackers can determine the internal structure of the database and work out how to find certain data if the right protections are not in place.
Hunt, who has been pressing Tesco to fix various problems with its security, said the SQL injection flaw might not be a problem, but could “be as major as disclosing all user data – including passwords and possibly credit cards – to dropping tables to injecting links to malware.”
“SQL injection was regularly the means by which Anonymous retrieved entire user databases from targets and we know how that ended up,” he noted.
There are plenty of free tools that find SQL injection flaws for hackers, including the massively popular Havij software. Hunt believes that cyber crooks already know about the vulnerability.
He said he had never had a case where he had highlighted a flaw and there had been such a wall of silence from the party involved. “I’ve submitted quite a few private, ethical disclosures before as well as written publicly about things that put companies in very uncomfortable positions and without exception, I’ve always had both public and private responses thanking me and seeking more info, usually by very embarrassed IT folks. This is truly unprecedented.”
Hunt called on Tesco to reach out to security experts, if is not already in the process of enforcing changes. “They need to just get these risks fixed ASAP. Disable certain features if need be but certainly don’t leave them present,” he added.
“I’ve offered help – no strings attached – and they have my number and email from earlier communications. I’d happily speak to anyone confidentially and share everything I had.
“Beyond that, there’s the hole they’re digging themselves with their corporate communications. I’m no social media or public communications expert, but I know they need to try and turn the rapidly growing negative public perception around quickly.”
Meanwhile, a Tesco comment from its @UKTesco Twitter account has caught the eye of security researchers. “We advise customers to change any reset password immediately to enhance the measures already in place,” it tweeted.
Hunt said that might indicate passwords have been compromised. Tesco told TechWeekEurope it had no comment on the tweet or on the SQL injection flaw.
Is your security skill the finest? Try our quiz!