my|deposits Jersey

Financial services company with insecure registration and login pages

http://crm.mydepositsjersey.je/register/

http://crm.mydepositsjersey.je/Login/Tenants

What is the problem?

Licensed by the government of Jersey to operate a Tenancy Deposit Scheme, this website has multiple pages that collect sensitive personal information and passwords from tenants over an unencrypted connection.

Curiously, the login page for landlords requires encryption for logging in, but the tenant login pages do not. This is probably just a misconfiguration of the server: encryption is available, but it is only selectively enforced.
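A site operator can catch this kind of selective enforcement by checking, path by path, whether a plain-HTTP request is redirected to HTTPS. The sketch below is an added example, not code from this site or its operator; the host, the `/Login/Landlords` and `/Login/Agents` paths and all responses are constructed placeholders.

```python
from urllib.parse import urlsplit

HOST = "crm.example.test"  # placeholder host (assumption), not the site named above

# Constructed observations of a plain-HTTP GET per path: (status, response headers).
OBSERVED = {
    "/register/": (200, {"Content-Type": "text/html"}),
    "/Login/Tenants": (200, {"Content-Type": "text/html"}),
    "/Login/Landlords": (301, {"location": "https://crm.example.test/Login/Landlords"}),
    "/Login/Agents": (302, {"Location": "/Login/Tenants"}),  # relative redirect
}

REDIRECTS = {301, 302, 303, 307, 308}


def enforces_https(host, status, headers):
    """True only if the HTTP request is redirected to HTTPS on the same host."""
    if status not in REDIRECTS:
        return False  # the page itself was served over plain HTTP
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    target = urlsplit(headers.get("location", ""))
    # A relative Location has no scheme, so the browser stays on http://.
    return target.scheme == "https" and (target.hostname or "").lower() == host.lower()


def audit(host, observed):
    """Split paths into enforced/unenforced and flag mixed (selective) enforcement."""
    unenforced = sorted(p for p, (s, h) in observed.items()
                        if not enforces_https(host, s, h))
    enforced = sorted(set(observed) - set(unenforced))
    return {
        "enforced": enforced,
        "unenforced": unenforced,
        "selective": bool(enforced) and bool(unenforced),
    }


if __name__ == "__main__":
    report = audit(HOST, OBSERVED)
    for path in report["unenforced"]:
        print("HTTPS not enforced:", path)
    print("selective enforcement:", report["selective"])
```

Any path reported as unenforced that serves a registration or login form needs the same HTTP-to-HTTPS redirect already applied to the enforced paths.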

Disclosure Policy

Prior to public disclosure, notification about any privacy or security issues discovered was sent by email to the operator of this website on 4th September 2018, using either an email address publicly discoverable on the site, or the RFC 2142 standards-compliant address "webmaster@..." if no public email address was provided.

At the time of posting, the issue had not yet been resolved.