TopCashback Rushes to Fix ‘Useless’ SSL Website Security

Popular UK-based cashback provider TopCashback is scrambling to fix security flaws on its website, which could let any smart hacker get hold of user information or even hijack their account.

Software architect and Microsoft MVP Troy Hunt noted numerous faults in how TopCashback had implemented SSL, the protocol that encrypts traffic between the user's browser and the website's server, and which most people recognise as the HTTPS in web addresses.

The reason this matters is that the way TopCashback has implemented it could let hackers sitting on the same network as a user break into accounts and get hold of certain kinds of personal data. Whilst no banking data is being exposed, that kind of information can prove valuable to cyber criminals.

TopCashback, but not so top SSL

And TopCashback isn’t some small-time player in the Internet retail market anymore. It has forged major deals with Tesco, which was also recently slammed for poor website security, and is attracting plenty of media attention from the personal finance press.

Its business is to act as a portal for users who want some cashback on their online purchases. Retailers pay TopCashback for referrals, just as they do with comparison sites, but some of that money is passed on to customers.

It is keen to show it is a safe place to do business, but Hunt was wholly unconvinced by the site’s security credentials.

“The concept of using HTTPS is essentially useless the way they’ve done it,” Hunt told TechWeekEurope.

“There are precedents of this being used to illegally direct debit from the victim’s account.”

As for the specific problems, Hunt pointed to the lack of HTTPS on the TopCashback registration form, which asks for the user’s name, email and password. Given that web denizens often reuse the same login details on other websites, sending this data in plain text could jeopardise more than just the TopCashback account they are setting up.

There was also mixed-mode HTTPS, where the page itself is requested over HTTPS but certain parts of it are not, meaning some of the information users enter on the site could be pilfered. Those unprotected sections could also be manipulated to trick the user into handing over data.

Hunt also discovered authentication cookies were being sent over an unprotected connection. In the worst case, those cookies could be sniffed, sessions hijacked, and any information the victim had access to while logged on would be available to the attacker.

“Think of it as logging in then walking away from your PC and leaving it to the hacker,” Hunt added.
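The three faults described above (a login or registration form that posts over plain HTTP, mixed content on an HTTPS page, and an authentication cookie set without the Secure attribute) can each be checked from a single fetched response. The script below is an added example written for this article; it is not TopCashback's code, nor Troy Hunt's, and it runs offline against a constructed sample page on the placeholder host `example.test`. It generalises slightly beyond the article: a form with a relative action on a page that was itself loaded over HTTP is also flagged, since the action inherits the page's scheme.

```python
"""Audit a fetched page for plaintext forms, mixed content and insecure cookies.

Added example for this article; uses Python's standard library only.
"""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed sample (not captured from any real site): an HTTPS registration
# page that posts its form over plain HTTP, loads a script from an http://
# origin, and sets its auth cookie without the Secure flag.
SAMPLE_PAGE_URL = "https://www.example.test/register"  # placeholder host
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "auth=abc123; Path=/; HttpOnly"),   # missing Secure
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),      # correctly flagged
]
SAMPLE_HTML = """
<html><head>
<script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<form action="http://www.example.test/register" method="post">
  <input name="email"><input name="password" type="password">
</form>
<img src="//cdn.example.test/logo.png">
</body></html>
"""


class _RefCollector(HTMLParser):
    """Collects form actions and the URLs of embedded sub-resources."""

    # tag -> attribute that carries the sub-resource URL
    EMBEDS = {"script": "src", "link": "href", "iframe": "src", "img": "src"}

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means "post back to the page URL".
            self.form_actions.append(a.get("action") or "")
        elif tag in self.EMBEDS and a.get(self.EMBEDS[tag]):
            self.refs.append(a[self.EMBEDS[tag]])


def _collect(html):
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser


def insecure_cookies(headers):
    """Names of cookies set without the Secure attribute (sent over HTTP too)."""
    names = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                names.append(name)
    return names


def plaintext_forms(page_url, html):
    """Absolute URLs of form actions that would submit credentials over HTTP."""
    flagged = []
    for action in _collect(html).form_actions:
        target = urljoin(page_url, action)   # relative actions inherit the page scheme
        if urlsplit(target).scheme != "https":
            flagged.append(target)
    return flagged


def mixed_content(page_url, html):
    """Sub-resources fetched over HTTP from a page that was served over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # the whole page is plaintext; that is a different finding
    return [
        urljoin(page_url, ref)
        for ref in _collect(html).refs
        if urlsplit(urljoin(page_url, ref)).scheme == "http"
    ]


def audit(page_url, headers, html):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "insecure_cookies": insecure_cookies(headers),
        "plaintext_forms": plaintext_forms(page_url, html),
        "mixed_content": mixed_content(page_url, html),
    }


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_PAGE_URL, SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{check}: {hits}")
```

Scheme-relative references such as `//cdn.example.test/logo.png` resolve to HTTPS on an HTTPS page and are correctly left alone, while the `prefs` cookie passes because it carries `Secure`; only `auth` is reported, which is the cookie an attacker on the same network could sniff.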

TopCashback confirmed the company was working on various fixes, which should be implemented imminently.

Mike Tomkins, technical director and one of the founders of TopCashback, said the company had “never had a member report a security breach to their bank account”.

“Having been made aware of the blog, we are now addressing the issues that have been raised and expect all pages where credentials are entered to be fully secure by the end of the day,” Tomkins added.

“We’d like to reassure our members that with regards to their bank details, these are encrypted on entry and are ‘starred’ out when account profiles are viewed so there would have been no risk of these being obtained by third parties. Moving forward we appreciate the comments made in the blog and are currently looking into serving the entire website over a secure connection, similar to that used by Facebook.”

The case raises the issue of SSL security – something many websites could do a lot better. TechWeekEurope focused on the issue last year, encouraging a host of UK universities to improve their implementations.

UPDATE: This article was updated to make it clear that no banking data was at risk, but personal data was.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
