ICO to probe privacy concerns about Tesco website

The ICO is to investigate claims that Tesco's website does not offer sufficient privacy protections to customers.

The Information Commissioner's Office is to investigate claims that Tesco's website does not offer sufficient privacy protections to customers.

The UK privacy watchdog's probe comes after security experts raised a number of privacy concerns about the retailer's main website.

The main concern is about the way in which Tesco stores the passwords of shoppers after security researcher Troy Hunt revealed in a blog post that he had received a password reminder in an email from Tesco that contained his password in plain text.

This shows Tesco's password data is not being stored cryptographically, he told the BBC.

Security professionals agree that a more secure method of password recovery is for websites to email users instructions on how to reset their password, rather than revealing the password itself.

Hunt has also criticised Tesco for not using HTTPS (Hypertext Transfer Protocol Secure) across its entire site to protect users from phishing attacks and data theft.

Although users log into the Tesco website over HTTPS, the browser reverts to HTTP, which does not give users any security assurances, Hunt said.

“HTTP is stateless so the only (practical) way a state, such as being logged in, can be persisted is by passing cookies backwards and forwards between the browser and the website.

“Because they’re being sent over a HTTP connection, anyone who can watch the traffic can see [those] cookies. And copy them. And hijack your session,” he wrote.

In a subsequent blog post, Hunt claims that Tesco have security problems that go far beyond what he originally wrote about, including unverified SQL injection vulnerabilities and verified cross-site scripting vulnerabilities.

Hunt wrote that he has passed the details of cross-site scripting (XSS) vulnerability to multiple people in senior technology roles at Tesco, but the vulnerability remains unfixed.

"Interestingly, it seems that Tesco’s rather unique approach to security is now coming under scrutiny from the Information Commissioners Office in the UK. Whilst a statement such as 'We are aware of this issue and will be making inquiries' is far from a damning indictment, it will be interesting to see how this unfolds and whether the company may actually be called on those 'lousy' practices," he said.

In various statements issued to the media, Tesco maintains that its security is "robust". The company claims it is never complacent and says there is no evidence to suggest Tesco has been targeted by hackers or that customers' personal details are at risk.

Read more on Privacy and data protection