Possible vulnerability in Sainsbury's and Nectar website

In February, I discovered a potential vulnerability in the Sainsbury’s and Nectar website. Sainsbury’s is one of the UK’s main supermarkets, and Nectar is the loyalty card programme they own in partnership with a bunch of other retail brands like Argos, Esso and British Airways.

The vulnerability is not that exciting and I have no way to know whether it is possible to misuse it without breaking the Computer Misuse Act 1990, which I obviously don’t want to do. Disclosing possible unfixed vulnerabilities is not something anyone enjoys, but unfortunately it is sometimes the only way to get companies to actually deal with them.

The issue

Here’s how the possible vulnerability works.

  1. Go to sainsburys.co.uk and log in with a Groceries account
  2. Click ‘Nectar Card’ in the My Account section
  3. Click ‘Link Nectar Account’
  4. Click ‘Link Nectar Account’ on the next page.
  5. At this point, you get taken to a page with the URL https://api.b.loyalty.nectar.com/oauth/authorize [followed by OAuth parameters]

On this page, there are fields for “Nectar card number” and password.

If you fill in your Nectar card number and then enter an incorrect password three times, the account is blocked, and unblocking it requires a call to the Nectar card helpline.

You can put in any card number you like with an obviously invalid password in order to perform a denial-of-service attack on that card number. In theory you could fire off thousands of requests and block lots of cards just by iterating over possible card numbers.

The best way to remediate this is to rate-limit the number of authentication requests each IP can make (tightening the limit progressively with each failure, so that failed auth requests cannot be spammed) and to stop using numeric identifiers for login.
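As an added illustration, not the post's own code, here is a small Python model of the lockout the post describes beside the per-source progressive rate limit it recommends; the policy names, IP addresses and card number are constructed for the example.

```python
import time
from collections import defaultdict

# Constructed model of the two policies; hypothetical names, not Nectar's code.

class AccountLockoutPolicy:
    """Behaviour the post describes: three failed passwords lock the account,
    whoever sent them, so anyone who knows a card number can lock its owner out."""
    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # failures per account
        self.locked = set()

    def allow(self, source_ip, account):
        return account not in self.locked

    def record_failure(self, source_ip, account):
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked.add(account)

class SourceBackoffPolicy:
    """Remediation from the post: count failures per source IP and double the wait
    after each one. The account is never locked, so the real owner is unaffected."""
    def __init__(self, free_failures=3, base_delay=1.0, now=time.monotonic):
        self.free_failures, self.base_delay, self.now = free_failures, base_delay, now
        self.failures = defaultdict(int)   # failures per source IP
        self.blocked_until = {}            # source IP -> earliest next attempt

    def allow(self, source_ip, account):
        return self.now() >= self.blocked_until.get(source_ip, 0.0)

    def record_failure(self, source_ip, account):
        self.failures[source_ip] += 1
        excess = self.failures[source_ip] - self.free_failures
        if excess > 0:   # 4th failure waits 1 s, 5th 2 s, 6th 4 s, ...
            self.blocked_until[source_ip] = self.now() + self.base_delay * 2 ** (excess - 1)

def run_scenario(policy, attempts=1000):
    """One source fires wrong passwords at a card it does not own, then the owner
    tries from another address. Addresses and card number are constructed."""
    attacker, owner, card = "203.0.113.5", "198.51.100.7", "CARD-0001"
    reached_auth = 0
    for _ in range(attempts):
        if policy.allow(attacker, card):
            policy.record_failure(attacker, card)
            reached_auth += 1
    return {"attempts_reaching_auth": reached_auth, "owner_allowed": policy.allow(owner, card)}
```

Under the account-lockout policy the owner is locked out after three attempts from a stranger; under the per-source policy the stranger's own address is throttled and the owner logs in normally. Using a non-enumerable login identifier instead of a card number removes the iteration step as well.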

Disclosure: a sad tale

I contacted Sainsbury’s about this on February 12th. They do not have an email address for making these kinds of security disclosures. I had a fun conversation with them via Twitter DM.

Hello, I’m a software developer and Sainsbury’s customer. I have found a possible vulnerability in your website.

Could you tell me the correct email address to responsibly disclose a security vulnerability with your website?

I got this response.

Afternoon Tom, sorry to see you believe there’s a security vulnerability with the website but we appreciate you getting in touch to let us know about it. If you send over some more details about the issue, I’ll be sure to pass this onto the relevant team for internal review.

I’m absolutely not disclosing a vulnerability by Twitter DM. You have to be kidding me. I like having a paper trail, thanks.

I would prefer to disclose the issue via email. Do you have an email address for this?

Obviously not.

We don’t have an email address, but we can help you with this here.

I finally ended up emailing it to privacy@sainsburys.co.uk, which is the correct address for GDPR matters rather than security disclosure.

On March 6th, I gave them fair warning that I might publish a blog post at some point after March 14th, offered them any extra time needed to mitigate the issue, and said I’d be happy to include any statement on whether they had mitigated or fixed it. I’ve heard nothing back.

This could mean it is fixed (although I doubt it). I checked today and the numeric login is still there. I haven’t tested whether it still behaves the same way, because life is too short to talk to their call centre about getting my account reset again.

Timeline

  • 2022-02-12: Possible vulnerability discovered, made attempt at contact
  • 2022-02-14: Emailed both privacy@ and press office, disclosed via email.
  • 2022-03-06: Chased up via privacy@ warning that possible vulnerability may be disclosed publicly after 2022-03-14.
  • 2022-03-16: Vulnerability made public.