Eir fixes security flaw eight months after it was notified of issue

Flaw potentially allows cybercriminals to intercept customer data

The Eir flaw affects iPhone users, even if they have up-to-date security settings on their phone. Photograph: Nick Bradshaw
Eir, one of the country’s largest telecoms companies, has fixed a major security flaw on its website which put customer data at risk, eight months after first being notified about it.

The issue meant cybercriminals could potentially intercept customers’ user names and passwords as they logged into their accounts on the Eir.ie website, using what is known as a “man in the middle” attack. This data could potentially be used to illicitly gain access to Eir.ie or other websites.

The flaw affects iPhone users, even if they have the most up-to-date security settings on their phone.

Dylan Fermoyle of Corrata, a cybersecurity company which first discovered the issue last year, said the flaw is particularly dangerous as it affects customers even if they take steps to ensure cybersecurity on their end.

The issue results from companies using misconfigured security settings, which means users’ connections to the website are encrypted using out-of-date technology.

No action taken

Corrata alerted Eir.ie to the issue via email in early September 2021. However, no action was taken until this week, when The Irish Times submitted queries to the telecoms company. This newspaper agreed to hold off publication of the issue for several days to allow Eir to address the flaw.

Last week a popular online server security testing tool gave Eir.ie an "F" security rating, mainly due to the presence of the flaw. This week that had improved to a "B". For comparison, the websites of Ireland's two other major mobile telecommunication companies, Three and Vodafone, received "B" and "A" ratings respectively when tested.

In a statement, a spokesman for Eir said it is not aware of any customers being impacted by the issue. “Eir takes reports of any possible risks to data seriously and is committed to both upholding the highest digital security standards and ensuring the comprehensive protection of all of its customers.”

It said its security teams “were made aware of a security risk which was investigated” and that “follow-up investigations will continue to take place on all Eir subdomains”.

Corrata had previously detected the same issue on the website of the German newspaper Bild, one of the most visited sites in the world. Bild quickly resolved the issue when alerted, Mr Fermoyle said.

‘Regularly warned’

“The public are regularly warned about the dangers that exist online and this heightened awareness is fantastic; however some threats cannot be seen and a person can do everything right but still be vulnerable to attack,” he said.

“Websites that offer a user login can be particularly problematic as the credentials entered may be vulnerable to theft.

“Attackers can exploit these vulnerabilities in many ways including eavesdropping on your Internet connection, a real danger when using public wifi hotspots. These attacks often go unnoticed and can be the genesis of a larger attack.”

Conor Gallagher

Conor Gallagher is Crime and Security Correspondent of The Irish Times