
Another Dangerous Tesco Website Flaw Confirmed

Yet another vulnerability on the Tesco website has been confirmed by a researcher, who lambasted the supermarket giant for its “unprecedented” silence on fixing various security issues.

Following claims that Tesco is not hashing, salting or encrypting customer passwords, and has a cross-site scripting (XSS) flaw on its main website, customers and onlookers have bemoaned the company’s lack of action.

There has been no confirmation that fixes have been implemented and the issues had not been addressed at the time of publication, whilst data protection watchdog the Information Commissioner’s Office (ICO) is looking into the matter.

But now another vulnerability on the Tesco website has been uncovered and verified, said security expert Troy Hunt, which could place the firm and its customers at risk. The flaw was highlighted in the comments section of one of Hunt’s blog posts.

Deafening silence?

The latest issue is an SQL injection flaw, which could let attackers extract login credentials or payment card details from the site by tricking the back-end database server into returning the contents of its tables. The vulnerability was alleged last month, but has now been proven, according to Hunt.

In a typical SQL injection attack, an attacker types crafted input into a web form field, such as a site’s search box, so that the user-supplied text is concatenated into an SQL statement and becomes part of the command itself rather than a plain value. The database executes the altered query and may return data the application never intended to expose.

By manipulating queries in this way, attackers can map the internal structure of the database and work out where specific data is stored, unless the application keeps user input and SQL code separate, typically by using parameterised queries.
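The following is an added example, not code from the article, from Tesco or from Hunt: a small SQLite demonstration of the two points above, using a constructed `users` table (a hypothetical schema, not Tesco’s). `search_vulnerable` builds the query by string concatenation, so a quote in the input both defeats the `WHERE` clause and, with a `UNION` onto `sqlite_master`, leaks the table definition; `search_parameterized` binds the same input as a parameter and returns nothing for the hostile strings.

```python
import sqlite3

# Constructed sample data for the demo; not a real schema or real customers.
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Deliberately vulnerable: the search term is spliced into the SQL text,
    so quote characters in the input change the meaning of the statement."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Hardened: the term is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (term,)).fetchall()


def demo():
    """Run honest and hostile inputs through both variants and return the rows."""
    conn = make_db()
    honest = "alice"
    # Classic tautology: WHERE username = '' OR '1'='1' matches every row.
    tautology = "' OR '1'='1"
    # UNION onto sqlite_master leaks the table definition (the trailing quote
    # left by the application's query is swallowed by the -- comment).
    schema_probe = "' UNION SELECT 1, name, sql FROM sqlite_master --"
    return {
        "vulnerable_honest": search_vulnerable(conn, honest),
        "vulnerable_tautology": search_vulnerable(conn, tautology),
        "vulnerable_schema_leak": search_vulnerable(conn, schema_probe),
        "parameterized_honest": search_parameterized(conn, honest),
        "parameterized_tautology": search_parameterized(conn, tautology),
        "parameterized_schema_probe": search_parameterized(conn, schema_probe),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The tautology input returns all three users from the vulnerable function and an empty list from the parameterised one; the `UNION` probe returns the `CREATE TABLE` statement from the vulnerable function, which is exactly the structure-mapping step described above. Parameterisation fixes both because the driver sends the input as data, not as part of the statement.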

Hunt, who has been pressing Tesco to fix various problems with its security, said the SQL injection flaw might not be a problem, but could “be as major as disclosing all user data – including passwords and possibly credit cards – to dropping tables to injecting links to malware.”

“SQL injection was regularly the means by which Anonymous retrieved entire user databases from targets and we know how that ended up,” he noted.

There are plenty of free tools that find SQL injection flaws for hackers, including the massively popular Havij software. Hunt believes that cyber crooks already know about the vulnerability.

He said he had never had a case where he had highlighted a flaw and there had been such a wall of silence from the party involved. “I’ve submitted quite a few private, ethical disclosures before as well as written publicly about things that put companies in very uncomfortable positions and without exception, I’ve always had both public and private responses thanking me and seeking more info, usually by very embarrassed IT folks. This is truly unprecedented.”

Hunt called on Tesco to reach out to security experts, if it is not already in the process of enforcing changes. “They need to just get these risks fixed ASAP. Disable certain features if need be but certainly don’t leave them present,” he added.

“I’ve offered help – no strings attached – and they have my number and email from earlier communications. I’d happily speak to anyone confidentially and share everything I had.

“Beyond that, there’s the hole they’re digging themselves with their corporate communications. I’m no social media or public communications expert, but I know they need to try and turn the rapidly growing negative public perception around quickly.”

Meanwhile, a Tesco comment from its @UKTesco Twitter account has caught the eye of security researchers. “We advise customers to change any reset password immediately to enhance the measures already in place,” it tweeted.

Hunt said that might indicate passwords have been compromised. Tesco told TechWeekEurope it had no comment on the tweet or on the SQL injection flaw.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
