Edinburgh Council

Finding

The landing page for the Edinburgh Council is servered over plain HTTP. This is vulnerable to Man in The Middle (MiTM) attacks. Since the login page to one's council account is served from this page, an attacker who has managed to get MiTM could change the link to point to a spoofed login page. Additionally an attacker could alter information delivered by the pages. Lastly the attacker could alter the page to inject malicious content such as crypto mining scripts.

Resolution

Issue still remains as of 19 December 2017.

Vendor Notification

The council was notified via their Twitter account, no response received:

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.