
‘Useless’ SSL Website Security Pushes TopCashback Into Action

Popular UK-based retail rebate provider TopCashback is scrambling to fix security flaws on its website, which could let any smart hacker get hold of a user’s information or even hijack their account.

Software architect and Microsoft Most Valuable Professional (MVP) Troy Hunt noted numerous faults in how TopCashback had implemented SSL, the protocol that encrypts traffic between the user's browser and the web server, and observed that most people feel secure as soon as they see HTTPS in the web address.

TopCashback not top SSL

The reason it is such a concern is that TopCashback deals with rafts of financial data. If that data can be pilfered by someone sitting on the same LAN as the user, using widely available tools, the victim could stand to lose money. And TopCashback isn't some small-time player in the Internet retail market anymore. It has forged major deals with Tesco, which was also recently slammed for poor website security, and is attracting plenty of media attention from the personal finance press.

TopCashback’s business is to act as a portal for users who want a rebate on their online purchases. Retailers pay the company for referrals, just as they do with comparison sites, but some of that money is then passed on to customers.

As for the specific problems, Hunt pointed to the lack of HTTPS on the TopCashback registration form, which asks for the user’s name, email and password. Given web denizens often use the same login information for other websites, having this data sent in plain text could jeopardise more than just the TopCashback account they are setting up.

There was also mixed-mode HTTPS, Hunt said, where the page was requested over HTTPS but certain parts of the page were not covered, meaning some information users enter on that site could be pilfered. Those unprotected sections could also be manipulated to trick the user into handing over data.

Hunt also discovered that authentication cookies were being sent over an unprotected connection. The worst case is that the cookies are sniffed, the session is hijacked, and any information the victim had access to while logged on becomes available to the attacker.
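The three weaknesses described above (a form posting over plain HTTP, mixed content on an HTTPS page, and session cookies that the browser will send over an unencrypted connection) can all be spotted from a single captured response. The following audit script is an added illustration for this article, not code from the article, from Troy Hunt or from TopCashback; the response headers and HTML it inspects are constructed sample data, and the hostnames in them are placeholders.

```python
"""Audit a captured HTTPS response for three weaknesses: session cookies
without the Secure attribute, forms that submit over plain HTTP, and
sub-resources fetched over plain HTTP (mixed content). It also notes a
missing Strict-Transport-Security header, since without HSTS a user's
first request can still go out over http://.
The headers and body below are constructed sample data for this example."""
import re

# Constructed sample headers as a server might return them (not real data).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "auth=abc123; Path=/; HttpOnly"),          # missing Secure
    ("Set-Cookie", "prefs=light; Path=/; Secure; HttpOnly"),  # correctly flagged
]

# Constructed sample body: a registration form posting over plaintext,
# one script loaded over http:// and one image correctly loaded over https://.
SAMPLE_BODY = """
<html><body>
<form action="http://example.test/register" method="post">
  <input name="email"><input name="password" type="password">
</form>
<script src="http://cdn.example.test/app.js"></script>
<img src="https://example.test/logo.png">
</body></html>
"""


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers):
    """Flag cookies the browser would send over http:// or expose to page scripts."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks Secure: browser will send it over http://")
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' lacks HttpOnly: readable by page scripts")
    return findings


def audit_body(html):
    """Flag forms posting to http:// and active/passive content loaded over http://."""
    findings = []
    for m in re.finditer(r'<form\b[^>]*\baction=["\'](http://[^"\']+)["\']', html, re.I):
        findings.append(f"form submits over plaintext to {m.group(1)}")
    tag_re = r'<(script|img|link|iframe)\b[^>]*\b(?:src|href)=["\'](http://[^"\']+)["\']'
    for m in re.finditer(tag_re, html, re.I):
        findings.append(f"mixed content: <{m.group(1).lower()}> loaded from {m.group(2)}")
    return findings


def audit_hsts(headers):
    """Flag a response that does not pin the browser to HTTPS for future visits."""
    for key, _value in headers:
        if key.lower() == "strict-transport-security":
            return []
    return ["no Strict-Transport-Security header: first request can still go over http://"]


def audit_response(headers, html):
    """Combine all checks into one list of findings (empty list means nothing flagged)."""
    return audit_cookies(headers) + audit_body(html) + audit_hsts(headers)


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print("-", finding)
```

Run against the sample, the script reports four findings: the `auth` cookie without `Secure`, the registration form posting to an `http://` URL, the script tag loaded over `http://`, and the absent HSTS header; the `prefs` cookie and the `https://` image pass. The fix for each is the same as the article implies: serve every page and resource over HTTPS, mark session cookies `Secure` (and `HttpOnly`), and send `Strict-Transport-Security` so the browser never downgrades.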

TopCashback confirmed the company was working on various fixes, which should be implemented imminently.

This first appeared as two stories on TechWeekEurope UK.

Eric Doyle

Eric is a veteran British tech journalist with expertise in security, the channel, and Britain's startup culture
