Edinburgh Council

Finding

The landing page for the Edinburgh Council is servered over plain HTTP. This is vulnerable to Man in The Middle (MiTM) attacks. Since the login page to one's council account is served from this page, an attacker who has managed to get MiTM could change the link to point to a spoofed login page. Additionally an attacker could alter information delivered by the pages. Lastly the attacker could alter the page to inject malicious content such as crypto mining scripts.

Resolution

Issue still remains as of 19 December 2017.

Vendor Notification

The council was notified via their Twitter account, no response received:

Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Sean Wright.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.