The Irish State’s cybersecurity watchdog mistakenly included a Gript journalist in an internal email chain about a possible security flaw on an ESB website, this outlet can reveal.
This week, Gript discovered that the ESB PowerCheck website exposes a Google API key in its public, client-side code. The key, used to access Google services, is openly visible to anyone who reads the page source. Whether that poses a cybersecurity risk depends on how the key is used and on what restrictions have been placed on it, so exposure of this kind can be a problem in some contexts and harmless in others.
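The distinction that matters for a key like this is how it is used, not merely that it is visible: Google keys loaded by the Maps JavaScript API are designed to be shipped to the browser and are meant to be protected by HTTP-referrer and API restrictions rather than secrecy, whereas a key that a page sends to other Google endpoints from the client deserves a closer look. The following added example (not from the article, ESB, Gript or the NCSC) shows the passive first step a practitioner would take: scanning front-end source for key-shaped tokens and recording which endpoint each one is attached to. It runs on a constructed HTML snippet with fake keys, never contacts Google, and therefore cannot tell whether a key is restricted; that has to be confirmed in the key's Cloud Console settings or by testing with the owner's permission.

```python
"""Scan front-end source for embedded Google API keys and triage by usage.

Added example (not from the article, ESB, Gript or the NCSC). It works on a
constructed HTML snippet and never contacts Google, so it cannot tell whether a
key is restricted; that has to be checked in the key's Cloud Console settings.
"""
import re
from urllib.parse import parse_qs, urlparse

# Google API keys are 39 characters long and begin with "AIza".
GOOGLE_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")
# Crude URL matcher good enough for HTML attributes and JS string literals.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Endpoints whose keys are designed to be shipped to browsers; the defence for
# such keys is HTTP-referrer and API restrictions, not secrecy.
BROWSER_ENDPOINTS = ("maps.googleapis.com/maps/api/js",)

# Constructed sample (not the real PowerCheck page); both keys are fake.
SAMPLE_HTML = """
<script src="https://maps.googleapis.com/maps/api/js?key=AIzaEXAMPLE_DO_NOT_USE_0123456789abcdef&callback=initMap"></script>
<script>
  const GEO_KEY = "AIzaEXAMPLE_DO_NOT_USE_fedcba9876543210";
  fetch("https://www.googleapis.com/geolocation/v1/geolocate?key=" + GEO_KEY, {method: "POST"});
</script>
"""


def find_google_api_keys(text):
    """Return {key: set(endpoints)} for every key-shaped token in *text*.

    A key is tied to an endpoint only when it appears literally in a URL's
    ``key=`` query parameter; keys found elsewhere (e.g. assigned to a JS
    variable and concatenated at runtime) get an empty endpoint set.
    """
    findings = {}
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        for value in parse_qs(parsed.query).get("key", []):
            if GOOGLE_KEY_RE.fullmatch(value):
                findings.setdefault(value, set()).add(parsed.netloc + parsed.path)
    # Second pass catches keys that are not embedded in a URL at all.
    for key in GOOGLE_KEY_RE.findall(text):
        findings.setdefault(key, set())
    return findings


def triage(findings):
    """Map each key to a verdict string a reviewer can act on."""
    verdicts = {}
    for key, endpoints in findings.items():
        if not endpoints:
            verdicts[key] = "unknown use: trace the variable to its API call before judging"
        elif endpoints <= set(BROWSER_ENDPOINTS):
            verdicts[key] = ("browser key, exposure expected: confirm HTTP-referrer and "
                             "API restrictions are set")
        else:
            verdicts[key] = ("key sent to " + ", ".join(sorted(endpoints)) +
                             " from the client: check restrictions and billing quota")
    return verdicts


if __name__ == "__main__":
    for key, verdict in triage(find_google_api_keys(SAMPLE_HTML)).items():
        print(key, "->", verdict)
```

The scanner deliberately stops at classification. Actually sending requests with someone else's key to see whether it is accepted from an arbitrary referrer is the "active scanning" step that needs the site owner's authorisation, and it is also the only way to settle the question this article leaves open.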
Initially this morning, when asked about the matter, an ESB spokesperson informed Gript that “ESB Networks can confirm that this has been fully checked by our IT teams and is not a security issue.”
However, later the same morning, after a Gript journalist had contacted the National Cyber Security Centre (NCSC) for comment, that journalist was, apparently by accident, added to an internal email chain in which NCSC and ESB cybersecurity staff were discussing the matter among themselves.
In one email an NCSC staffer explained to his colleagues that the agency “couldn’t verify the security implications” of the key’s exposure, because this would require testing that they don’t have “permission” to do, and which “could pose risk to the website and the business owners.”
“Hi folks, just to clarify on the context here, we received a media query regarding the ESB PowerCheck website and they asked us for comment on whether an exposed website API key was a threat to the security of the website and its users,” said one member of the NCSC’s Computer Security Incident Response Team (CSIRT), who added “…We won’t be responding to the media query”.
“Without technical context we didn’t have any details around this and had to go looking,” the individual continued.
“We could see API keys on the front end of the site but exposed API keys do not necessarily represent a vulnerability. It has the potential depending on its use but without active scanning and pentesting we can’t verify this.”
The staffer added that “we couldn’t verify the security implications of the key’s exposure on the website,” and that “if the disclosure does represent a security risk and does escalate to an incident we’d be interested in any findings you have on it to determine impact.”
During the same email thread an ESB cybersecurity staffer asked: “Could you please provide a contact in NCSC that we could reach out to if we have further questions?”
Gript has asked the Department of Communications, to which the NCSC reports, whether it can provide a comment on the matter. That comment will be published in full if and when it is received.