back to article UK watchdog snaps on glove to probe Tesco's 'security fails'

The UK's privacy watchdog has opened a tentative probe into the alleged security shortcomings of Tesco's website. The global supermarket behemoth, which sends out password reminders to Tesco.com customers in plaintext, was accused by security researcher Troy Hunt of storing punters' credentials in an unsafe manner, as reported …

COMMENTS

This topic is closed for new posts.
  1. Fred Flintstone Gold badge

    Unfair or not..

    .. there seems to be no other way to get them to spend some money on (a) decent fundamentals and (b) INDEPENDENT verification there of than picking them off one by one. If enough of them get a fine that actually has an impact (so not à la Google and FTC, which is merely a rounding error in their profit reporting), it changes the perceived risk for the rest of them and something will get done - at last.

  2. Anonymous Coward
    Anonymous Coward

    Ouch..

    "Just on the browser compatibly for that XSS: IE9 and IE10 are actually pretty good and will warn you about it without exexuting it. All other browsers tested – Chrome, Firefox and Safari (desktop and iOS) – will happily parse it and allow the exploit to occur."

    That comment's going hurt the fanbouys....

    1. Captain Scarlet
      Gimp

      Re: Ouch..

      What about Opera?

      I know there are like 5 of us using Opera but we demand to be recognised!

      1. Winkypop Silver badge
        Trollface

        Re: Ouch..

        I must disagree with you.

        I think there are 6 of us.

        1. Trainee grumpy old ****
          Thumb Up

          Re: Ouch..

          Seven

          1. Anonymous Coward
            Anonymous Coward

            Re: Ouch..

            Would be 8 but it's utter shite through proxies (still)

  3. Valerion

    Should've chosen the Finest security

    Rather than the Value one.

  4. Spearchucker Jones
    Go

    "...if Tesco's software can recover exact passwords from the database, so can hackers..."

    As can Tesco sysops/devs/tellers/janitors.

    1. NogginTheNog
      Thumb Down

      As stated

      The last 3 on your list would qualify as 'hackers', since they'd be accessing parts of the system to which they'd have no legitimate reason to do so.

      1. sabba
        Mushroom

        Re: As stated - @NogginTheNog

        You are of course assuming that Tesco does not allow its janitors etc unfettered access to the system as a whole. Having observed their working practices at close hand, and known a good few people who have worked on their site, I wouldn't be so sure.

  5. Anonymous Coward
    FAIL

    Not just Tesco

    Australian online retailer Fishpond sends out plaintext replacement passwords. Five characters, too. Class act.

    1. Arbee
      Thumb Down

      Re: Not just Tesco

      How exactly would you know what your replacement password was if they *didn't* send it plain text?

      And 5 characters is absolutely fine - it is assumed you will be changing it on your next logon (most systems will enforce this).

      1. Arbee

        Re: Not just Tesco

        And yes, I am aware that you could link them directly to the password reset form, but that is pretty much exactly the same as emailing the password - it's just that the URL to the password reset form becomes the secret, rather than the password.

        1. Robert Brown

          Yup, but the password reset link can only be used once and forces them to change the password (and can also be made more secure by making the link time-sensitive and maybe verifying the link is followed from the same IP that requested it). The problem with sending out a new password via email is that someone else could have used it to get in and you'd be none the wiser.

        2. Anonymous Coward
          Anonymous Coward

          Re: Not just Tesco

          Not all servers are configured to send and receive email in a secure encrypted fashion, although most servers reject them if they don't. But html forms can be delivered under ssl. The thing is with email, you can never be certain.

          1. Vic

            Re: Not just Tesco

            > Not all servers are configured to send and receive email in a secure encrypted fashion,

            > although most servers reject them if they don't

            What?

            Hardly any email is rejected if it's unencrypted. You need to turn that on explicitly, and only those with a need to do so will even find out how...

            > The thing is with email, you can never be certain.

            You *can* be certain. But most people[1] don't often feel the need to be certain.

            Vic.

            [1] Including me

        3. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    OK, it's a story, but...

    better that there are concerns that Tesco may be storing passwords less securely than they could, rather than complaints that 20 million passwords have been posted to pastebin.

    More to the point, it would have been even better if those concerns were raised with Tesco privately first and only then made public after improvements had been made, rather than have every script kiddie and his pals now eagerly probing Tesco's servers.

    1. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: Re: OK, it's a story, but...

        Perhaps you might like to re-read the article and it's links. Nowhere does Troy Hunt, nor JemJabella state they raised the matter privately with Tesco. JemJabella publicly disclosed a concern in 2007, but that's not the same as approaching the company privately to discuss a security concern.

        Why should I disclose my identity to pussy fucks like you who can't be bothered to read the article correctly and who don't see the security risk of going public before approaching the company privately first?

        Clarification for the intelligent reader: I have no information that that they didn't speak to Tesco first, but if they did, it would be good to have that declared and for Tesco's response to be published.

        1. Anonymous Coward
          Anonymous Coward

          Re: OK, it's a story, but...

          why the fuck should they raise it privately? It's a publicly accessible website, the security's shit, they haven't done anything about it in five years and you think a quiet word is going to sort it out? The security risk is all of tescos making, at least if it's in the public domain the public know to be careful. You seem to be advocating security through obscurity, keep it secret and hope they fix it on the quiet. Not going to happen.

          I don't want your identity, it's just nice to be able to follow a thread of conversation. twat.

          1. Anonymous Coward
            Anonymous Coward

            Re: Re: OK, it's a story, but...

            @ AC 14:51.

            It seems you have misinterpreted my original and follow up comment: security by obscurity is just as bad.

            No, they should have discussed it with Tesco and given them say 3 months to fix it before going public. Perhaps they did, but if so, they have not declared that discussion or Tesco's response.

            The comment about my identity was aimed at the twat who also demanded to know my identity rather than accept I use AC. He subsequently deleted his comment. Was it you? I don't know, but without his or her previous comment your observation out of context.

  7. adam payne

    Sending actual passwords to customers email accounts. Why would a company do that? seems a crazy idea to me.

    1. Anonymous Coward
      Anonymous Coward

      Even better they only send the password reminders to the Tesco.net address not to any secondary .... little use when you need the details to be able to log-in in the first place

      1. NightFox

        @AC 12:04

        I think this is about the Tesco website, not tesco.net?

    2. LinkOfHyrule

      They do it because for a company of that size it probably reduces the number of customer support phone calls they receive per day by customers confused by or too thick to understand the password reset process correctly.

      Either that or they just don't give a shit.

  8. Derichleau

    Tesco claim that they're 'never complacent' but when I asked them recently to respect my rights as a data subject not to receive their marketing, they suggested that I should cancel my ClubCard account if I wasn't happy with their marketing. They wanted me to cancel my account so that the matter would go away rather than deal with it and ensure that they were/are fully compliant with the DPA98. A rather cavalier attitude if you ask me that demonstrates complacency towards Tesco's obligations as a data controller.

    Let's not bother to comply with the rights of this data subject, let's just delete his account instead.

    1. MartinB
      Big Brother

      Seems fair enough to me. If you want the ~1% discount on your shopping that having a Clubcard will provide, then you _choose_ to opt in to Tesco's scheme, a part of which is agreeing to receive their targetted marketing.

      1. Anonymous Coward
        Anonymous Coward

        From the Tesco.com website...

        Marketing and research

        If you agree, we may contact you:

        * with offers and information about Tesco products or services

        * with offers and information about partners' products or services

        * for customer research eg to help improve our services

        Of course, the choice is entirely yours, but if you say you do not want to receive marketing information from us this will prevent you from receiving great offers or promotions that may be of interest to you.

        When you register online you can access a "Contact Preferences" page that allows you to tailor our commercial communications to your preferences.

        To change your contact preferences simply click "Your Account" in the top frame and click "Your Contact Preferences". If you do not want to receive commercial communications from us, select your choices by using the boxes available on that page.

        We like to hear your views to help us improve our service. From time to time, we may contact you to ask your opinions. Again, if you do not want to be contacted for this purpose, make your choice on the "Contact Preferences" page.

      2. Anonymous Coward
        Anonymous Coward

        It IS marketing

        The whole Clubcard scheme (and Asda's Price-Match Guarantee, et al) are huge data harvesting rackets, which are then used to push targeted product, either directly (emails) or indirectly (promotions and discounts). I wouldn't be surprised if the costs of running them are even put down under "marketing" on the balance sheet.

  9. Anonymous Coward
    Anonymous Coward

    Funny there's no accepted standard.

    everywhere I have worked has had a brew-your-own approach to logins. Some encrypted. Some not. Some with a password reminder. Some not.

    Shouldn't there be an RFC or similar, outlining basic login handling ?

  10. Jamie Kitson

    Insensitive Clods

    The most amazing thing to me is that Tesco passwords are case insensitive!

    1. Valerion

      Re: Insensitive Clods

      That makes sense in a way. Assuming their DBMS collation is case-insensitive (as is very common), then they are probably just doing it in the DB...

  11. Ascy

    Applies/applied to Play.com

    Play.com also keep/kept user's password in a way which can be retrieved - years ago, they e-mailed it to me when I forgot.

  12. Greg J Preece

    Singling them out? How are you supposed to solve an issue without picking a place to start?

  13. Andy Livingstone

    Small story?

    I think Tesco have rather more to worry about.

  14. mhoulden
    Coat

    More reasons to shop at Morrisons.

  15. Andrew James

    [awesome title goes here]

    My wife has a tesco credit card (for points accumulation). When the online statement is ready the sms reminder reads as follows;

    "Dear *wifes password is shown here*, your tesco creditcard statement is now available"

    You're damn right Tesco needs to have its security looked at.

    1. Anonymous Coward
      Anonymous Coward

      Re: [awesome title goes here]

      Maybe it would have helped if you had checked which fields you were filling in :).

      1. Anonymous Coward
        Anonymous Coward

        Re: [awesome title goes here]

        Maybe you should have paid attention to whose card it was. (Hint, it was his wife's.)

    2. Anonymous Coward
      Anonymous Coward

      Re: [awesome title goes here]

      That's funny because my Tesco Credit Card doesn't show the password when it emails me to say my statement is ready.

      What it does do is show a word/phrase I have entered for the explicit purpose of Tesco including it in the email or text reminder to show the message is genuine and not a phishing exercise...

      If your wife has used the same word as her password, and the process of registering for online statements explicitly requests a keyword/phrase in a separate field, then I'd suggest the security failing is closer to home than in Tesco Towers.

  16. James 100

    "More to the point, it would have been even better if those concerns were raised with Tesco privately first and only then made public after improvements had been made, rather than have every script kiddie and his pals now eagerly probing Tesco's servers."

    Tesco were directly approached first, and denied that this was a problem: all this attention, and the ICO involvement, came after Tesco categorically denied that unhashed passwords were a problem. They haven't yet replied to enquiries about the SQL injection vulnerability...

  17. gaz 7

    Tesco are masters at the art of ignoring questions they don't like and basic answer avoidance whilst appearing to offer service.

    I have contacted Customer services, by email and twitter for several issues in the past, and all you ever get are empty replies. Emailed them recently about an issue with my local store, and all they have done is periodically send email replies saying they have tried to ring and have not been able to reach me - that may be because I didnt give them my number!

    The only way they will do anything is if they are threatened with a bloody large stick, and I welcome this. Not sure they will act though!

  18. Alan Brown Silver badge

    FWIW

    Wot Gaz7 said.

    I raised this issue with them about 6 years ago and got a brushoff. The ICO didn't want to know about it back then either.

  19. Test Man
    Stop

    Why is it that Tesco.com insist on a password between 6 and 10 characters long? Bizarre - I can't have a longer password (I usually have 13-14 character passwords).

  20. helst_luzhi
    FAIL

    No database breach has occurred at Tesco.com...

    Surely this should be qualified with "yet" or "that has been made public".

    If they can't even store passwords securely, how do we know that their intrusion detection is up to scratch, for all they know there is a copy of their database (or the interesting bits at least) sitting on a hard drive in some snot nosed script kiddie's bedroom.

  21. Michael Wojcik Silver badge

    Shock: Reg writers still can't get this right

    Hashing is not encryption. "One-way encryption" is nonsense. Encryption is reversible; hashing is not.

This topic is closed for new posts.

Other stories you might like