Sainsbury's slips up with credit card flaw

As Sainsbury's gears up to go head-to-head with Tesco in the online shopping market, its new website has fallen foul of one of the most basic security procedures.

The supermarket giant hopes the imminent launch of its new site, Sainsbury's To You, will help it win back online shoppers from runaway leader Tesco.com.

But it has run into trouble after a design flaw in its live pilot site exposed customer credit card details.

silicon.com reader Nigel Beaumont found the fault when he checked his account details online. After logging out he re-accessed his account by simply using the 'back' button on his web browser. The system did not prompt him to re-enter his password.

Beaumont's complaint to customer services drew the response: "I would recommend that after using the site, you close the browser window you are using, as this will mean that it is not possible to view the pages you have been visiting.

"I would recommend this action for any site where you are providing personal details as many secure sites also operate in this way."

But according to Gunter Ollmann, principal consultant at security firm ISS, closing the browser should not be treated as a security panacea, particularly on shared computers or in internet cafes.

"You should be closing down the browser after entering secure details, but even then it may not purge the information, depending on the browser and network configuration," Ollmann told silicon.com.

"To be secure it really needs to come from the server end," he added.

According to Ollmann, the development team at Sainsbury's could easily rectify the problem by defining that the secure page remain uncached, or adding a Java script to clear the page. "It's about half an hour's work," he said.

A spokesman for Sainsbury's said the site was still in its testing phase before being officially launched in a few weeks' time, but was unable to comment further.