Security policy concerns raised about Tesco's website

Tesco’s website security policies have been cast into doubt after the retailer sent a customer a password reminder email containing the password in plain text.

The customer, security researcher Troy Hunt, revealed in a blog post that he had received the email with his password in plain text after requesting a reminder for his password to Tesco’s website.

“Righto, so how exactly was that password protected in email? Well, of course it wasn’t protected at all, it was just sent off willy nilly,” Hunt wrote.
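A site can only email a password back if it keeps that password in a recoverable form. The following is an added example, not code from the article or from Tesco, showing the alternative a practitioner expects: only a salted PBKDF2 hash is stored, so a "reminder" is impossible by construction, and a forgotten password is handled with a single-use, expiring reset token instead. The usernames, passwords, round count and clock values are assumptions made for illustration.

```python
"""Password storage that cannot hand the password back.

Added example, not code from the article or from Tesco. Only a salted
PBKDF2 hash is kept, so a "password reminder" cannot exist; a forgotten
password is handled with a single-use, expiring reset token.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000        # assumption: tune so one hash costs ~100 ms
TOKEN_TTL_SECONDS = 15 * 60    # assumption: reset links expire after 15 min


class UserStore:
    def __init__(self, now=time.time):
        self._users = {}          # email -> {"salt": bytes, "hash": bytes}
        self._reset_tokens = {}   # token -> (email, expiry timestamp)
        self._now = now           # injectable clock so expiry can be tested

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, email, password):
        salt = os.urandom(16)     # fresh salt per user and per password change
        self._users[email] = {"salt": salt, "hash": self._derive(password, salt)}

    def verify(self, email, password):
        rec = self._users.get(email)
        if rec is None:
            # Spend the same time for unknown users to avoid a timing oracle.
            self._derive(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"]))

    def password_reminder(self, email):
        """The feature the article describes: impossible with this storage."""
        raise NotImplementedError(
            "only a salted hash is stored; the password cannot be recovered")

    def issue_reset_token(self, email):
        """Return a token to put in a reset link, or None for unknown accounts.

        The caller should reply identically either way ("if that account
        exists, we have emailed it") so the endpoint does not enumerate users.
        """
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, token, new_password):
        entry = self._reset_tokens.pop(token, None)   # single use: pop, not get
        if entry is None:
            return False
        email, expiry = entry
        if self._now() > expiry:
            return False
        self.register(email, new_password)            # new salt, new hash
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "correct horse battery staple")
    print("login ok:", store.verify("alice@example.com", "correct horse battery staple"))
    token = store.issue_reset_token("alice@example.com")
    print("reset ok:", store.reset_password(token, "new passphrase"))
    print("token reusable:", store.reset_password(token, "again"))
```

The reset token is itself a short-lived secret and should travel only over HTTPS, which is the other issue Hunt raises below.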

In Tesco’s terms and conditions, the company states: “You can be totally confident when you are shopping with

“We only accept orders over secure connections. This means whenever personal or sensitive information (such as payment details) is passed from your browser over the internet to our servers, we make use of the latest encryption techniques using Secure SSL (Extended Validation 128bit key certificates).

Meanwhile, in a statement, Tesco insisted that its security measures were “robust”.

"We know how important internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely.

"We advise customers to change any reset password immediately to enhance the measures already in place." 

Hunt was prompted by his experience to investigate additional security aspects of Tesco’s website.

One thing he identified was that although users log into the Tesco website over HTTPS, which “implies a degree of security”, the site then sent the browser back to plain HTTP for the rest of the visit, which gives no confidentiality or integrity assurance. Hunt said this undermines data protection and exposes logged-in users to session hijacking.

He said: “HTTP is stateless so the only (practical) way a state, such as being logged in, can be persisted is by passing cookies backwards and forwards between the browser and the website.

“Because they’re being sent over a HTTP connection, anyone who can watch the traffic can see [those] cookies. And copy them. And hijack your session.”
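The practical check that follows from Hunt's explanation is whether the cookies issued at login carry the Secure attribute: a browser attaches any cookie without it to later plain-HTTP requests for the same host, and that is the traffic an eavesdropper copies. The following is an added example, not code from the article or from Tesco. The Set-Cookie headers, hostname and cookie values are constructed for illustration; "ASP.NET_SessionId" is ASP.NET's default session cookie name but is used here only as a sample.

```python
"""Which cookies would a browser send in the clear?

Added example, not code from the article or from Tesco. Given the Set-Cookie
headers a site returns during an HTTPS login, it reports the cookies that
lack the Secure attribute and rebuilds the Cookie request header a browser
would send on a later plain-HTTP request to the same host: exactly what
someone watching the traffic can copy and replay.
"""
from urllib.parse import urlsplit

# Constructed sample: headers a server might send back after an HTTPS login.
# "ASP.NET_SessionId" is ASP.NET's default session cookie name; values are made up.
SAMPLE_SET_COOKIE_HEADERS = [
    "ASP.NET_SessionId=k3j9xq2m; path=/",        # no Secure: travels over HTTP
    "prefs=gb; path=/; Secure; HttpOnly",        # Secure: HTTPS only
    "cart=7; path=/; HttpOnly",                  # HttpOnly alone does not help here
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header into a dict of name, value and attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attributes without "=" (Secure, HttpOnly) are boolean flags.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {
        "name": name.strip(),
        "value": value.strip(),
        "path": attrs.get("path", "/"),
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
    }


def cookie_header_for(url, set_cookie_headers):
    """Build the Cookie request header a browser would send to `url`.

    Applies the browser rule that matters here: a cookie with the Secure
    attribute is only sent over https; every other cookie goes over http too.
    """
    parts = urlsplit(url)
    request_path = parts.path or "/"
    sent = []
    for c in map(parse_set_cookie, set_cookie_headers):
        if c["secure"] and parts.scheme != "https":
            continue
        if not request_path.startswith(c["path"]):
            continue
        sent.append(f'{c["name"]}={c["value"]}')
    return "; ".join(sent)


def exposed_cookie_names(set_cookie_headers):
    """Cookies that will travel over plain HTTP and can be sniffed and replayed."""
    return [c["name"] for c in map(parse_set_cookie, set_cookie_headers)
            if not c["secure"]]


def audit(set_cookie_headers):
    """Return (exposed cookie names, one-line advice) for a set of headers."""
    exposed = exposed_cookie_names(set_cookie_headers)
    advice = "add the Secure attribute to: " + ", ".join(exposed) if exposed else "ok"
    return exposed, advice


if __name__ == "__main__":
    # What an eavesdropper sees when a user who logged in over https follows
    # an http:// link on the same site: the session cookie, ready to replay.
    print("Cookie header over http: ",
          cookie_header_for("http://www.example.com/basket", SAMPLE_SET_COOKIE_HEADERS))
    print("Cookie header over https:",
          cookie_header_for("https://www.example.com/basket", SAMPLE_SET_COOKIE_HEADERS))
    print(audit(SAMPLE_SET_COOKIE_HEADERS))
```

Marking the session cookie Secure stops the leak only if the site also keeps the user on HTTPS; otherwise the browser simply has no session on the HTTP pages, so the fix in practice is Secure cookies plus HTTPS for the whole logged-in session.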

Hunt also found that Tesco’s website was running on IIS 6, a seven-year-old web server, and on ASP.NET 1.1, which is nine years old. He argued that these technologies were outdated.

“None of this is to say that these were bad technologies in the day, they weren’t. But it’s like saying your 5.25-inch floppy disk is a good thing,” he said.

“It had a time and a place and both of those are now gone. The security landscape has changed significantly since these technologies were launched and ongoing improvements in newer generations of the breed make continued progress in ensuring a more secure app by default.”

It was revealed earlier this year that Tesco was planning to invest £150 million in its online division, as it aims to refocus attention on its underperforming UK business.
