
Lessons in website security anti-patterns by Tesco - troyhunt
http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html
======
chrisacky
Hey Troy, Thought you might be somewhat interested in this one. Remember the
cool guys over at <http://www.realestate.com.au/> Just to refresh your
memory...

[https://twitter.com/#!/realestate_au/status/2207319148043059...](https://twitter.com/#!/realestate_au/status/22073191480430592)

Anyway, "we are aware of this issue and are working on it".

Click <http://www.realestate.com.au/> then "Register".

Then stand in utter amazement at their solution.

-------------------------------------------

_Why do we need your email address?_

    We send your password via email.
    Your email address is your log on.
    If you forget your password, we'll send you a new one.

-------------------------------------------

This is hilarious. I can only assume that they took offence to you choosing a
"strong version" password, so they decided, how can we fix this? I know, let's
just pick the password for them.

So, the fix that they told you about was to ensure that you can't pick a
password at all, and they will still email you their "super strong version
password"...

> Thank you for registering. Your password has been sent to
> username[at]gmail.com. It should arrive shortly.

12 seconds later.

Your password is: DTCNE

(In case people aren't aware, realestate.com.au is owned by HomeAway)

~~~
lengarvey
In slight defense of that horrible password practice:

You can't really do much with a realestate.com.au account unless you are an
Agent (which is a separate account). There's no payment processing, or any way
to add content to the site. The accounts there are basically just a way to
save common realestate searches as far as I can tell.

~~~
jrsimmons
Yeah, no.

All private user information is equally private. To arbitrarily suggest that
certain data is less important is a dangerous road to walk down. We should be
holding everyone to the same standards when it comes to security.

This is especially true with the high amount of password reuse that goes on.

~~~
tomgallard
I'm not sure I agree. I'd say my name is private, I'd say my date of birth is
more private, I'd say my medical conditions are more private still. There are
clearly degrees of privacy.

Does it really make sense to hold my bank to the same standard as a real
estate website? Sure they should all reach some minimum requirement (salted
and hashed passwords), but I expect my bank to have far higher standards (e.g.
two factor auth) than a random site.

~~~
pmjordan
The problem with storing passwords insecurely is that people reuse them. You
can try to tell them otherwise as much as you like, they _will_ do it, so even
if one service holds non-sensitive data, stealing the password will grant
access to other, completely unrelated services.

------
Smerity
This is a hilarious, albeit depressing, view of the state of cyber security as
seen by the general public. People, even those who are generally considered
computer literate, don't have any understanding of web security. Due to this,
Tesco won't hit any negative publicity outside of a tight-knit circle of
programmers. In fact, saying that everything is "stored securely" according to
"industry standards" would reassure most people.

There have been many calls in past exploit threads for a name and shame
policy, but that won't do anything. Name and shame only works when people keep
up with the list, and people won't. They're too busy with their lives to focus
on a list, especially given the number of insecure websites around the world.

We need everyone to have a list of easy to remember rules about web security
from a consumer perspective. This list of rules needs to reach everyone.
Putting them in the browsers may lead to the exposure needed, but I don't see
that happening.

This primitive level of education needs to start breaking through as it's only
going to get worse as computing and security advance further. We haven't even
finished explaining to people that plain text passwords almost always indicate
impending disaster, yet we already need a way to explain MD5 is never enough
and SHA256 isn't enough without a salt...

~~~
SideburnsOfDoom
> There have been many calls in past exploit threads for a name and shame
> policy

There is an attempt at naming and shaming here:
<http://plaintextoffenders.com/>

~~~
bct
I'm bothered that that blog doesn't distinguish between sites that (A) email
generated passwords for new accounts and sites that (B) email plaintext
passwords for existing accounts.

------
peterwwillis
What's _really_ weird to me is how some people can foster an actual _anti-
security_ mindset, where they explicitly try to argue _against_ proper
security practices. I don't know where it comes from, but I've seen it often.

You report that the way a particular type of SSL cert is implemented leaves a
MITM attack, and they come back with a dissertation on why MITM is not a
concern of ours. (Oh? Then why the fuck are we encrypting the connection?!)

You tell them that they have unpatched, years-old, remote root vulnerabilities
in their servers, and they give you the long list of reasons why we not only
don't need to patch it, patching it _would be bad._

You tell them how storing a password unhashed will lead to a PR catastrophe
when an attacker gets your PW DB. They tell you that implementing scrypt isn't
feasible, bcrypt is weaker than scrypt, SHA1 hashes are easily crackable, and
that if somebody has our PW DB we have bigger problems, so we shouldn't even
worry about the passwords. And since we shouldn't worry, we might as well
e-mail them.

My guess is they think it will be extra work and they're trying to avoid it.
The alternative that I hope isn't true is that their egos are so big they
don't want to believe they did something insecurely, so they craft a story to
tell themselves and others that actually what they did was smart. Either way,
the users lose out in the end, and there's nothing we can do about it.

~~~
alinajaf
I've seen exactly this attitude multiple times with clients from a wide range
of industries. So much so that I'd say that this attitude towards security is
the norm rather than the exception.

------
elithrar
I watched this exchange occur over Twitter on the weekend; the worst part of
it was not that Tesco stores the password in a reversible manner, but that
their representative actively defended their mechanism.

Otherwise, all of their other "crimes" (cookies are sent unencrypted, etc) are
bad but not really unexpected from a large chain like this. I'm never really
surprised when large organisations get these things so wrong, given the way
many either contract this work out and/or [mis]handle it in-house.

~~~
simonw
If it was the weekend, it seems unlikely to me that the person running the
Twitter account would have got in touch with someone with a technical
understanding of how the site works. More likely they just consulted their
list of talking points and picked the ones that looked most relevant to the
situation.

~~~
robin_reala
On the other hand, the sensible thing to do would be to say something like
“Can you provide your contact details in a DM: we’ll get one of our tech guys
to contact you on Monday”

~~~
simonw
Yes, definitely. Having customer service respond to security complaints on
Twitter really isn't very smart.

------
bencoder
I discovered this a couple of years ago and emailed and got an unsatisfactory
response:

<http://pastebin.com/C745weQ2>

Hopefully this new attention will have them change the policy.

~~~
codeka
So they actually say the passwords are not encrypted in that email, which is
quite different to what they say on twitter. I wonder if they're using a
reversible encryption now, or (perhaps more likely) they just don't _know_
what they use.

~~~
omh
They have a maximum length requirement. That's a red flag which suggests they
are just storing it plaintext.

------
codeka
> In fact the only real possibility that leaves any credibility whatsoever is
> that the stored password is being decrypted then compared to the password
> provided at logon using a non-case sensitive comparer.

You can do case-insensitive passwords with hashing/salting. It's just a matter
of lower-casing the password before hashing it. (Edit: I'm not saying this is
a good idea, of course!!)

I remember reading once that Facebook actually hashes multiple versions of
your password (eg with the first letter upper-cased to handle the case where a
phone auto-corrects it, and also with all character cases toggled to handle
the case when you left caps lock on). I wonder if there are any statistics about
how often this kind of thing actually helps?

Of course, it seems pretty clear in this particular case that Troy is right
and they're just storing your password in a case-insensitive database column.

~~~
gizmo686
If you want hash based passwords to be case insensitive (or have case
insensitive characters) you should convert the case before you hash on login.
Saving every hash makes it easier for an attacker to find a collision.

~~~
tbrownaw
Does it really? What matters is NUM_POSSIBLE_KEYS / NUM_SAVED_HASHES; saving
hashes for multiple casings of the password can't possibly increase the number
of hashes by more than lowercasing the password would decrease the keyspace
by.

~~~
gizmo686
You're right, I was thinking that the attacker didn't know the publicly
available information that passwords were case insensitive. However, I would
still be concerned that it unnecessarily increases the chances to exploit some
weakness in the hash algorithm.
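
As an added example (not code from the thread or from any of the sites discussed), the two approaches in codeka's and gizmo686's comments side by side, plus tbrownaw's keyspace-per-hash metric. The PBKDF2 iteration count and the all-letter password simplification are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed work factor for the example only; not a recommended production value.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str, case_insensitive: bool = False) -> dict:
    """Store ONE salted hash. For a case-insensitive scheme the password is
    case-folded before hashing (codeka's point); nothing reversible is kept."""
    salt = os.urandom(16)
    secret = password.casefold() if case_insensitive else password
    return {"salt": salt, "hash": hash_password(secret, salt),
            "case_insensitive": case_insensitive}


def verify(record: dict, attempt: str) -> bool:
    """Apply the same normalisation to the attempt, then compare in constant time."""
    secret = attempt.casefold() if record["case_insensitive"] else attempt
    return hmac.compare_digest(hash_password(secret, record["salt"]), record["hash"])


def typo_variants(attempt: str):
    """Undo the two typos codeka attributes to Facebook's scheme: a phone
    auto-capitalising the first letter, and caps lock inverting every letter.
    The inverse transforms are applied to the ATTEMPT at login, so the store
    still holds a single hash (gizmo686's recommendation)."""
    yield attempt
    if attempt[:1].isupper():
        yield attempt[0].lower() + attempt[1:]
    yield attempt.swapcase()


def verify_tolerant(record: dict, attempt: str) -> bool:
    """Case-sensitive record, but a login still succeeds for the two known typo
    shapes. Each candidate costs one hash computation and no extra storage."""
    return any(verify(record, v) for v in typo_variants(attempt))


def guesses_per_hash(length: int, stored_hashes: int, case_folded: bool) -> int:
    """tbrownaw's metric NUM_POSSIBLE_KEYS / NUM_SAVED_HASHES for an all-letter
    password (a constructed simplification): 52 symbols per position when case
    matters, 26 once case is folded away."""
    alphabet = 26 if case_folded else 52
    return alphabet ** length // stored_hashes
```

For an 8-letter password, folding case leaves 26^8 keys per stored hash, while keeping case and accepting three variants still leaves 52^8 / 3 per hash, which is tbrownaw's point in numbers.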

------
jiggy2011
The plain text password thing might have been an edict come down from
marketing.

For example, they might find that people who forget their password become less
likely to use the site because when they get their new (hard to remember)
password emailed to them they can't figure out how to change the password back
to what it used to be. This means they end up resetting their password every
week to do their shopping.

~~~
metachris
But... a proper password reset mechanism wouldn't send the password via email
in the first place, but rather a one-time link to set a new one.

~~~
jiggy2011
True, but perhaps they find 0.5% of users get confused by that screen and that
0.5% represents several million £ in revenue.

~~~
Sottilde
And imagine how much being hacked affects revenue!

I don't doubt, though, that some sort of similar short-sighted thinking led to
this decision. Is it really possible that such a large organization simply
doesn't understand password policy? Not to mention, an organization that's on
the board of PCI-DSS?

~~~
jiggy2011
Possibly not that much, as long as their security is good enough that they
don't get sued.

At the point where you are worrying about hashed passwords, your system has
already been owned.

It also depends on public reaction to the incident; people won't necessarily
blame Tesco either, and will blame the "1337 chinese super h4x0rs" instead.

------
MattBearman
It boggles my mind that this is STILL happening. How many leaked databases of
plain text passwords, not to mention 'point and shoot' tools like firesheep,
will it take before companies start taking security seriously?

Yes it's possible they two way encrypt their passwords, but that's still not
as secure as salted hashes, not to mention all the other security blunders.

~~~
eru
You can two-way encrypt your password (even with hashes, and repeated rounds).
And you can even make it as secure as hashes, if you keep the decryption key
offline, on paper, in a safe. (So no: We send your password to you via email,
if you forget it.)

Of course, you shouldn't do it, unless you have a good reason. E.g. there was
talk a few months ago about a new law being proposed in France requiring
companies to provide the police with user passwords.

------
jiggy2011
Whilst I agree with the big one about plain text passwords, some of the niggles
here seem a little odd.

Tesco are not advising that everyone goes back to IE 3, they are simply
stating this as a lowest common denominator since I'm assuming that was the
first browser to support whatever version of TLS they were using etc.

Also, is running an old version of ASP.NET and IIS really a problem? Does he
advocate going through the expense of rewriting/retesting the entire website
every time MS drops a new version? If they are pulling down security patches
this should be a non issue.

~~~
alsothings
The post advocates simply staying reasonably up to date, then says that IIS 6
is unreasonably old. Relevant bit:

 _This is not necessarily a high-intensity exercise, once every few years you
simply make sure you haven’t fallen too far behind the eight ball. Certainly
you don’t let key software components get 9 years old and nearly 5 versions
out of date._

This is quite a bit less intensive than you describe and I think it's
reasonable to expect that a website taking payments not be more than a couple
of years out of date.

~~~
jiggy2011
IIS 6 is part of Windows 2003 Server, therefore it will be on "Extended
Support" until 14/07/2015

[http://support.microsoft.com/lifecycle/search/default.aspx?a...](http://support.microsoft.com/lifecycle/search/default.aspx?alpha=Windows+Server+2003+R2)

This means that if there is some security vulnerability discovered with it
then Microsoft will provide a patch, therefore from a security point of view it
isn't "out of date".

The number of years and versions is fairly irrelevant, there will be plenty of
very secure systems in use by banks and the military that will no doubt pre-
date much of what Tesco is using by several decades.

~~~
troyhunt
The relevance is that none of the _additional_ protections added to the
technologies are available. We're in a very different threat landscape today
than what we were in 9 years ago and the technologies provide advances to
better protect ourselves. If you're using them!

------
timthorn
And yet, they have a very clued up technology department led by Nick Lansley,
which many years ago opened up a public API to access Tesco online
shopping.

~~~
mpclark
Yes, I get the impression he is somebody who _cares_, so probably a good
place to start for anyone who wants to see this fixed:

<http://www.blogger.com/profile/00087509895945257528>

------
njs12345
I don't think it's fair to expect a customer service representative to
understand the issue here. Maybe it might be better to go through Tesco's
corporate arm? I just tried submitting something through the feedback form on
the front page of Tesco.com, perhaps this has a better chance of reaching
somebody in a position to actually do something about it.

~~~
troyhunt
I totally agree, which of course is why they shouldn't be commenting on it!
But regardless of the Customer Care's Twitter account, their messaging is
consistent with the misunderstandings demonstrated throughout the website.

------
estel
Doesn't some of this fall afoul of PCIDSS? (In particular, leaking information
about the webserver's configuration).

------
h2s
I've just bought a Thinkpad from Lenovo via their website. They're doing the
same infuriating thing.

> Dear ****,
> Thank you for contacting us on Lenovo Outlet.
> The password you requested is: ******
> Please note: This e-mail message was sent from a
> notification-only address that cannot accept
> incoming e-mail. Please do not reply to this message.
> Sincerely,
> Customer Service

Tesco can live without geek business. You'd think a company like this would
care though. They send it in plaintext when you sign up too.

~~~
web007
How about Ajaxian? They're ONLY geeks, and yet do the same thing.

------
mistercow
These are all big problems, but one incredibly common security anti-pattern
out there that I never see talked about is the "security questions" that so
many websites use to let you reset your password.

It's amazing: a website will make me choose an 8-character (but not more than
14!) password with a number, a symbol, and at least one capital and one
lowercase letter, but then it will let anyone who knows my birthday and
favorite color change that password to whatever they like.

(Obviously, I can opt out of this feature by typing gibberish into those
answer fields, but do you think your grandfather will think to do that?)

One variation that I know of that you _can't_ opt out of is on some banks'
two-factor authentication, where they have you log in by answering a security
question first, and then entering your password once you get the question
right. The great thing about this is that it makes the bank an easy test-
ground for guessing your security questions to use on other sites.

~~~
obiterdictum
_It's amazing: a website will make me choose an 8-character (but not more than
14!) password with a number, a symbol, and at least one capital and one
lowercase letter, but then it will let anyone who knows my birthday and
favorite color change that password to whatever they like._

The most common implementation is to require to reset a password via a link
sent in the email (and only then you answer security questions), which solves
the particular problem you describe.

~~~
mistercow
That has thankfully become more common recently, but many smaller sites never
caught on.

------
scrumper
Shocking stuff. Given the level of ignorance on display here, the size and
political clout of Tesco's and the detailed summary of possible attack vectors
presented by Troy, is there a chance he could be fitted up for 'hacking'
charges? What worried me was his trace.axd request: it's definitely using a
computer system in a way it was not intended, which has caused problems for
other security researchers in the UK in the past.

Just commenting quickly over breakfast but if I find the time later I'll try
to look up the cases. (I remember something about a kid ending up in court for
using relative paths to explore a web server (/content/../../ etc.).)

Thank God there's still Waitrose.

------
AncientPC
It's fun to bash on the most recent security naiveté, but can someone explain
why GNU Mailman _still_ emails users' passwords after subscribing?

Mailman warns users that passwords will be mailed plaintext, but why mail
passwords to begin with?

~~~
paulgb
For accounts that I use rarely and have a low cost even if compromised, I
prefer convenience over security.

As mailman has a fairly technical audience and reminds users that passwords
are stored/sent in plaintext, I see it as a feature, not a bug.

------
skue
Great analysis except I'm puzzled by his claim about trace.axd -- is it really
a security risk that tracing is enabled, given that it can only be accessed
from the local machine?

~~~
alastairpat
Depending on the configuration, it can be accessed from a remote computer. In
this case, it was configured for localhost access, however it is entirely
possible that it could be world-accessible.

~~~
skue
Right... that's like saying "The root password was strong, however it is
entirely possible that it could be an empty string."

Fortunately, someone on the main article did respond that having trace.axd
enabled could result in 500 errors dumping a stack trace. That's a much
clearer argument for why having tracing enabled is a bad thing.

------
jentulman
This is an entirely baseless accusation, but I have my cynical hat on today.
I'm wondering if the cost to provide the additional customer service that
could be involved in helping people deal with stronger security (password
reset email, reset pages and confirmations etc) has been weighed against the
cost of upgrades and reparation for account breaches, and influenced the
decisions here.

------
FuzzyDunlop
I think it's safe to assume that they outsourced this aspect of their online
service, given the quality of the copy in some of the pages.

------
SideburnsOfDoom
Tesco are fundamentally in the business of selling meat and potatoes to
everyone in the UK, not of making highly-secure websites.

This does not excuse this lapse, but it may help us understand why if a
computer system seems to work fine, they have little motivation to replace,
upgrade or fix it, even if it is running on an old version of the platform.

~~~
dspillett
> _Tesco are fundamentally in the business of selling meat and potatoes to
> everyone in the UK_

That is changing - it is getting to the point where their business angle is
more "renting shelf space to brands" as much as selling what we want to buy
(that is a general industry thing, not a Tesco specific comment).

Even ignoring that cynicism, their business is far more than food and I
suspect the food sales are dwarfed when you add everything else together. Food
is just the product that gets us through the door to see the other stuff:
meat, veg, bread and milk are the things that the rest of the occupants of
large shopping centres tend to lack.

> _not [in the business] of making highly-secure websites._

On the contrary: they are taking in and storing personal details and in some
cases banking details (they sell banking services as well as physical
products), and getting access to your account may give someone the ability to
buy things on your credit card. It is my understanding that both _by law_ and
by the agreements they have in place with their chosen credit card processing
partners they are required to live up to certain security expectations, and if
they do not live up to those expectations they should be investigated, fined,
and stopped from trading in those ways until they are up to scratch.

The claim that their password storage is "up to industry standards" is both
unduly vague (though as the conversation was by tweet the length limitation
there may be partly to blame for that) and simply wrong. They are not
compliant with PCIDSS
([http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Secu...](http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard))
which I believe is considered the industry standard for handling credit card
data or accounts that are associated with it.

~~~
SideburnsOfDoom
Good answer. The problem is the mismatch between the business that they think
they're in and the business that they are becoming.

However I am not finding anything about "you may not store passwords in plain
text or using reversible encryption" in that PCIDSS wikipedia link. If it is
part of the standard (as it should be) then it deserves to be in the wikipedia
article.

~~~
dspillett
I may be confusing it with other standards that we had to ensure we were
compliant with on a project a couple of years ago.

Even if it isn't in PCIDSS, _not_ storing passwords securely is certainly not
industry practice for any company that operates as a bank in any of its parts.

------
klmr
… and then he goes and recommends 1Password, a closed-source “security”
software. Yes, I’m one to talk, I’m using the OS X password manager. But I
wouldn’t recommend it in a security blog.

Sadly, 1Password is probably the best solution there currently is. But this
only shows how abysmal the current state of affairs is for security.

------
tonylampada
This reminds me of "Our security auditor is an idiot. How do I give him the
information he wants?"

--> [http://serverfault.com/questions/293217/our-security-auditor...](http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-)

Has anyone seen this? :-)

~~~
raverbashing
I really wished there was a bigger followup to this story, including if PCI
allowed them to continue with this clueless "security audit".

------
CD1212
I think this is a common trait of many large businesses. Recently I reset my
Virgin Media password, only to receive an email with my password in plaintext
right there.

I considered writing / emailing but didn't think it would do much good.

------
bonaldi
Reminds me of the banks with their "enter the first and fourth characters of
your password"-type enhanced login forms. How are they doing that without
storing the plaintext, then?

~~~
jiggy2011
Perhaps when you set the password it generates a bunch of combinations of
password chars that it might ask you to enter and then hashes these. Of course
that does make them more exploitable because you can leak information about
the password 1 or 2 characters at a time.

However your bank will have so much information stored about you that if your
bank gets owned you're basically fucked anyway even if they don't get your
password.

I imagine the servers that actually store this data however are secure to a
ridiculous degree.

------
z1g1
You know a technical blog post was interesting and informative when it spawns
5+ tabs of other articles and Google searches on the topic!

------
TapaJob
See

<http://news.ycombinator.com/item?id=4312128>

------
papsosouid
I'm interested to know what everyone's take on the "use https always for
everything" stance is. Does any site actually follow that rule? Even big names
like facebook allow you to use http don't they? And what about the "don't put
http elements in an https page"? Why not? What benefit is sending the images
over https (thus making the page load slower) if they are on a separate
subdomain, so there's no cookies being sent with those requests?

~~~
praxulus
> (thus making the page load slower)

The difference is tiny. If your images are on the same domain as the html,
you'll have no extra overhead from the ssl handshake (thanks to http
keepalive), and the symmetric encryption used in an existing ssl connection
will have a negligible impact on performance.

I can think of two reasons you want https, even for just images:

1) Even though modifying an image in flight will _probably_ not have major
security implications, you can't be sure. Perhaps a carefully edited and
resized image could alter the layout of a form, tricking the careless user
into publishing information they didn't mean to.

2) Perhaps your adversary is just a teenager bothering people trying to be
productive at a coffee shop. Including a 10000x10000 image that makes the page
unusable, or replacing your logo with porn isn't exactly something you want,
even if it doesn't compromise anybody's bank account.

~~~
papsosouid
HTTP keepalives just means you only need to negotiate two extra SSL
connections instead of n (n being the number of images in the page). The
overhead of that is certainly noticeable. If there's no actual benefit, then
it shouldn't be in his list of "stuff you have to do (and nobody actually
does)".

~~~
praxulus
But for most websites, it is something you have to do. Ruining the layout of
your page is about as bad as any other DoS attack for most of the afflicted
users.

------
madaxe
I'll just leave this here... It's rather indicative of their general idea of
"Security". Stumbled across this a number of years ago, told them about it,
it's still wide open.

<http://www>. preprod.tescoentertainment. com/Store/Browse/Home/

