ICO to investigate Tesco website security

Security fracas erupts over password encryption and website flaws

August 22, 2012
Tesco Store

The Information Commissioner is apparently going to look into criticisms of Tesco’s web security levels.

These issues were first raised by a software architect, Troy Hunt, who discovered flaws in the Tesco website which hackers could exploit, and poor security practices regarding customer passwords.

The Telegraph pointed out Hunt’s blog, where he goes into various details about those below-par security practices.

The controversy began when Tesco was questioned by Hunt, and the supermarket stated in a tweet: “Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail.”

Which, as anyone involved in the industry knows, is hardly best practice when it comes to security. Sending passwords in plain text over email is a worrying stance on security – and tweeting that, as Hunt notes, is a lesson in why customer service folks probably shouldn’t be discussing technical issues over social media.

At any rate, Hunt then launches into a catalogue of other Tesco security flaws, including mixed web page content – an HTTPS page with embedded resources loaded over plain HTTP – and flaws in cookies.

The ICO stated: “We are aware of the issues relating to the Tesco website and will be making enquiries.”

We expect there’s a pretty furious behind the scenes IT scramble going on at the supermarket right now…


Post a comment

Your email address will not be published. Required fields are marked *

Visited 4394 times, 1 so far today