Tesco website security called into question

Tesco’s website security policies have been cast into doubt after the retailer sent a customer a password reminder email containing the password in plain text.

The customer, security researcher Troy Hunt, revealed in a blog that he had received the email with his password in plain text after requesting a reminder for his password to Tesco’s website.

“Righto, so how exactly was that password protected in email? Well, of course it wasn’t protected at all, it was just sent off willy nilly,” Hunt wrote.

In Tesco’s terms and conditions, the company states: “You can be totally confident when you are shopping with Tesco.com.

“We only accept orders over secure connections. This means whenever personal or sensitive information (such as payment details) is passed from your browser over the internet to our servers, we make use of the latest encryption techniques using Secure SSL (Extended Validation 128bit key certificates).

Meanwhile, in a statement, Tesco insisted that its security measures were “robust”.

"We know how important internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely.

"We advise customers to change any reset password immediately to enhance the measures already in place." 

Related:

Hunt was prompted by his experience to investigate additional security aspects of Tesco’s website.

One thing he identified was that although users log into the Tesco website over HTTPS, which “implies a degree of security”, the browser reverted back to HTTP, which does not give users security assurances. Hunt said that this can cause problems for data protection and make users vulnerable to hacking.

He said: “HTTP is stateless so the only (practical) way a state, such as being logged in, can be persisted is by passing cookies backwards and forwards between the browser and the website.

“Because they’re being sent over a HTTP connection, anyone who can watch the traffic can see [those] cookies. And copy them. And hijack your session.”

Hunt also found that Tesco’s website was running on IIS6, a seven-year-old web server, and on ASP.NET 1.1, which is nine years’ old. He claimed that these technologies were outdated.

“None of this is to say that these were bad technologies in the day, they weren’t. But it’s like saying your 5.25-inch floppy disk is a good thing,” he said.

“It had a time and a place and both of those are now gone. The security landscape has changed significantly since these technologies were launched and ongoing improvements in newer generations of the breed make continued progress in ensuring a more secure app by default.”

It was revealed earlier this year that Tesco was planning to invest £150 million in its online division, as it aims to refocus attention on its underperforming UK business.