Tesco.com, one of the biggest retail websites in the UK, is to be asked to explain the alleged poor security practices of its website to the Information Commissioner's Office (ICO).
The inquiry follows investigations by security bloggers, such as Troy Hunt, who have vented their dismay at what they claim are unsafe security practices used by Tesco.com.
According to those investigations, Tesco stores login and password information is stored 'unhashed', 'unsalted' and, probably, unencrypted, they say. It emails passwords to people in plain text, instead of sending a link to a secure web page where they can be reset.
It also follows bad practices on the secure pages of its website by loading up some components in plain HTTP, not HTTPS. "This is bad," writes Hunt. "In fact it's so bad that the browsers of today give you a very blatant warning when this is happening."
It enables shoppers to shop without encryption after having logged in, enabling traffic and, hence, credentials wrapped up in session cookies to be sniffed, and the session to be hijacked.
Furthermore, the only passwords allowed by the website are weak, no more than 10 characters in length, with upper and lower-case characters treated the same. This, believe security specialists, indicates that the technology underlying Tesco's website is old.
Indeed, according to error messages spewed by the site, it remains based on Microsoft IIS6 – which is now seven years old – and ASP.NET 1.1, which is nine years old. Both have security issues that will have been ironed out with later versions.
And when Computing contacted the ICO to find out whether the Information Commissioner will be investigating, it confirmed that inquiries are already taking place. "We are aware of this issue and will be making inquiries," a spokesperson told Computing.
Tesco, according to reports, has been working on an updated website for some time. However, this has yet to appear and, in the meantime, the company's online operations remain based on ageing and insecure software technology.