alt Hacker NewsWordPress plugin quirk resulted in UK Gov OBR Budget leak [pdf]
Comments
The real kicker is in point 1.13:
> website activity logs show the earliest request on the server for the URL https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl.... This request was unsuccessful, as the document had not been uploaded yet. Between this time and 11:30, a total of 44 unsuccessful requests to this URL were made from seven unique IP addresses.
In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.
The report acknowledges this at 2.11:
> In the course of reviewing last week’s events, it has become clear that the OBR publication process was essentially technically unchanged from EFOs in the recent past. This gives rise to the question as to whether the problem was a pre-existing one that had gone unnoticed.
For those of you not closely following UK politics: the Office for Budget Responsibility (OBR) mistakenly published their Economic and Fiscal Outlook (EFO) document 40 minutes early, pre-empting the announcements by the Chancellor.
This is being treated as an incredibly big deal here: https://www.bbc.co.uk/news/articles/cd74v35p77jo
> It is the worst failure in the 15-year history of the OBR
I'm not sure publishing some information 3 hours early was really their biggest failure in 15 years...
Especially when much of the info was already public because hundreds of civil servants involved in making these decisions told their family members who told the press...
So is the significance of this news based on what could have leaked if the document was not intended for the public? [1]
Or is the significance of this news based on the advantages that players on the market who caught hold of it early will have? Is it only important to civilians relative to their ability to question who may be benefitting from the 40 minute head start that these players might have gained or (for the conspiracy-minded) been handed through nefarious means?
[1]: Which would lead me to ask why would it belong on a platform typically intended for publishing things in public.
There's a couple of passing mentions of Download Monitor, but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded
I'm not clear from the doc which of these scenarios is what they're calling the "leak"
>During that period, it was accessed 43 times by 32 unique IP addresses
I find this an implausibly low number. It was all over Bluesky, X etc., not to mention journo Signal and WhatsApp groups.
Quirk? Surely a bug?
I think you mean "no one got paid to vet the wordpress plugins"
Why are government organisations which handle sensitive information using Wordpress?
> The available mitigation is at server level and prevents access to download or file storage directories directly. If configured properly, this will block access to the clear URL and return a ‘forbidden’ message. This is the second contributory configuration error – the server was not configured in this way so there was nothing to stop access to the clear URL bypassing protections against pre-publication access
That's the main flaw. Wordpress was configured to allow direct access to file, so they did not go through the authentication system. My experience is with Drupal (and a decade or more out of date), but it sounds like this behaves very similar. And this is a giant footgun, the system doesn't behave the way normal people expect if you allow unauthenticated access to files (if you know the URL). I don't understand why you would configure it this way today.
I would also assume that the upload happened via Wordpress, and not someone manually uploading files via FTP/SFTP or something like that. And in that case it would be entirely non-obvious to users that attaching a file to an unpublished document would put it in a place where it is potentially publicly accessible.