Sean Wright


Personal blog of app security guy, blogging about application security related topics, focused primarily on web based applications.

Edinburgh Council

19th December 2017

Finding

The landing page for the Edinburgh Council is served over plain HTTP, which leaves it vulnerable to Man in the Middle (MiTM) attacks. Since the login page for one's council account is reached from this page, an attacker who has obtained a MiTM position could change the link to point to a spoofed login page. Additionally, an attacker could alter the information delivered by the pages. Lastly, the attacker could alter the page to inject malicious content such as crypto mining scripts.
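A site owner can check for this exposure from the response to a plain `http://` request. The following is an added example, not code from the original post: it reports whether content is served without a redirect to HTTPS and lists the login links and scripts that would travel unauthenticated. The function name, the keyword list and the `council.example` sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _Collector(HTMLParser):
    """Collects anchor targets (with their link text) and script sources."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts, self._href = [], [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href = attrs["href"]
            self.links.append([self._href, ""])
        elif tag == "script" and attrs.get("src"):
            self.scripts.append(attrs["src"])
    def handle_data(self, data):
        if self._href is not None:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def audit_plain_http(url, status, headers, body):
    """Report what a page requested over http:// exposes to on-path tampering."""
    if urlsplit(url).scheme != "http":
        raise ValueError("expects the plain-HTTP URL that was requested")
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if 300 <= status < 400 and urlsplit(urljoin(url, location)).scheme == "https":
        # The redirect itself is still unauthenticated, but no page content is served.
        return {"serves_content": False, "login_links": [], "scripts": []}
    parser = _Collector()
    parser.feed(body)
    # Hypothetical keyword list; a login link is at risk even if its target is HTTPS,
    # because the page carrying it is not integrity-protected.
    login = [urljoin(url, href) for href, text in parser.links
             if any(w in (href + " " + text).lower() for w in ("login", "log in", "sign in"))]
    return {"serves_content": status == 200, "login_links": login,
            "scripts": [urljoin(url, s) for s in parser.scripts]}

# Constructed sample response, not captured from any real site.
SAMPLE_URL = "http://council.example/"
SAMPLE_BODY = """<html><body>
<a href="https://accounts.council.example/login">My account</a>
<a href="/bins">Bin collections</a>
<script src="/static/site.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(audit_plain_http(SAMPLE_URL, 200, {"Content-Type": "text/html"}, SAMPLE_BODY))
```
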

Resolution

Issue still remains as of 19 December 2017.

Vendor Notification

The council was notified via their Twitter account, no response received:
