[HN Gopher] WordPress plugin quirk resulted in UK Gov OBR Budget...
___________________________________________________________________
WordPress plugin quirk resulted in UK Gov OBR Budget leak [pdf]
Author : robtaylor
Score : 118 points
Date : 2025-12-01 15:00 UTC (8 hours ago)
(HTM) web link (obr.uk)
(TXT) w3m dump (obr.uk)
| kingkool68 wrote:
| What was the quirk?
| cstuder wrote:
| > A feature known as the Download Monitor plug-in created a
| webpage with the clear URL which provided a link to the live
| version, which bypassed the need for authentication. This
| rendered the protections on the 'future' function of WordPress
| redundant as it bypassed the required authentication needed to
| gain access to the pre-uploaded document.
|
| WordPress is a nice piece of software, but the plugin situation
| is getting worse and worse. (Too many pending updates, premium
| features and constant upselling, selling of plugins to new
| sketchy owners...)
| withinboredom wrote:
| The main issue is that there isn't any governance to the
| plugin store. Once you have a plugin in there, you have free
| rein to do whatever you want with it. Getting it in there is
| a PITA though. For example, a library author and I created a
| plugin, but they wouldn't let me submit it because I wasn't
| the other author, and they wouldn't let him submit it because
| he wasn't me. True story.
| kassner wrote:
| TBF there is some scrutiny on existing plugins, the team is
| just extremely understaffed (it's run by volunteers after
| all). I got involved in a plugin that ended up getting
| delisted for some minor ToS violations after several years of
| being "fine"; they re-reviewed the plugin with the same
| rigor as a new submission.
| chuckadams wrote:
| Kudos to these volunteers, but as long as one single
| company continues to insist on owning all the resources
| of the plugin and theme directories, I don't think they
| deserve to continue profiting from volunteer labor.
| RobotToaster wrote:
| There's also the fact that Matt Mullenweg (the guy who owns
| automattic) has made hostile takeovers of plugin pages
| before
| devnull3 wrote:
| > which provided a link to the live version
|
| Even if that is the case, the backend must validate.
| whycome wrote:
| My favorite current plugin woe is where it completely changes
| what it does but keeps the same name and it's all a part of
| its 'update'
| chippiewill wrote:
| > WordPress is a nice piece of software, but the plugin
| situation is getting worse and worse
|
| The plugin situation is a mess largely because Wordpress
| isn't a nice piece of software.
|
| It's popular, and functionally it's great, but the codebase
| is really showing its age. Wordpress has never properly
| rearchitected because it would break plugins on a scale that
| would endanger its dominance.
| pessimizer wrote:
| > the codebase is really showing its age.
|
| It's not age, it started very, very bad. If they'd fixed
| the horrible schema and the code a decade and a half ago,
| plugins would have been a lot easier to write (and a lot
| safer.)
| ollybee wrote:
| There's a whole industry of people selling solutions to
| WordPress's failings, all of whom have strong incentives
| for it not to be properly improved.
| kstrauser wrote:
| To an outsider, its entire plugin ecosystem is so odd. Like
| the conversation about "nulled" plugins, where someone
| removes license-checking code from GPL-licensed plugins and
| then redistributes them, and whether that's moral, or even
| legal, which of course it is, because that's the entire point
| of the GPL.
| merrvk wrote:
| Why are government organisations which handle sensitive
| information using Wordpress?
| jamesbelchamber wrote:
| There's not anything obviously wrong with using WordPress for
| publishing documents like this - they are meant to be public
| after all.
|
| The problem was essentially that, through a misconfiguration,
| they published it early.
| bell-cot wrote:
| In huge orgs, doing computer-related stuff the "right" way
| often involves so many meetings, sign-offs, and miles of red
| tape that your grandchildren would die of old age before
| anything actually got done.
|
| Vs. if you just let Will and Pete do it in WordPress (or on
| Facebook, or such) then needed tasks might actually be
| accomplished.
| tolerance wrote:
| This is a reasonable question. I mean yeah it's supposed to be
| made public anyway, but evidently there is a non-trivial amount
| of interest invested in its contents by people who don't
| usually qualify when we think of "the public". Otherwise what
| would be the big deal?
|
| My guess is that the team responsible for this didn't
| anticipate or at worst were not informed of its value to
| particular groups of people, at least not to a degree that
| would've warranted extra security measures.
| tantalor wrote:
| It's not sensitive information. It's public information.
| merrvk wrote:
| Before it's been released I would consider it sensitive for
| many reasons.
| Roscius wrote:
| "On the reason for the early publication, Prof Martin said it
| was related to the software the OBR chose to publish to its
| website, which was more suitable for a small or medium company
| than a major publication of critical market-sensitive data."
|
| Using WordPress plugins (with the exception of a limited
| subset) is like chewing gum you find on the sidewalk.
|
| A technical oversight fail at multiple levels.
| RobotToaster wrote:
| There's a UK government policy to try and use open source, they
| even have a github profile https://github.com/alphagov
| glenjamin wrote:
| There's a couple of passing mentions of Download Monitor, but
| also the timeline strongly implies that a specific source was
| simply guessing the URL of the PDF long before it was uploaded
|
| I'm not clear from the doc which of these scenarios is what
| they're calling the "leak"
| shawabawa3 wrote:
| > but also the timeline strongly implies that a specific source
| was simply guessing the URL of the PDF long before it was
| uploaded
|
| A bunch of people were scraping commonly used urls based on
| previous OBR reports, in order to report as soon as it was
| live, as is common with all things of this kind
|
| The mistake was that the URL should have been obfuscated, and
| only changed to the "clear" URL at publish time, but a plugin
| was bypassing that and aliasing the "clear" URL to the
| obfuscated one
| physicsguy wrote:
| > in order to report as soon as it was live
|
| We don't actually know that, it's just that the report did
| hit Reuters pretty swiftly.
| longwave wrote:
| It sounds like a combination of the Download Monitor plugin
| plus a misconfiguration at the web server level resulted in the
| file being publicly accessible at that URL when the developers
| thought it would remain private until deliberately published.
| dazc wrote:
| https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl...
| 5.pdf
|
| Not hard to guess really. Wouldn't they know this was likely
| and simply choose a less obvious file name?
| jonplackett wrote:
| Turns out, no. No, they would not.
| blurayfin wrote:
| https://www.pluginscore.com/plugins/download-monitor
| jamesbelchamber wrote:
| For those of you not closely following UK politics: the Office
| for Budget Responsibility (OBR) mistakenly published their
| Economic and Fiscal Outlook (EFO) document 40 minutes early, pre-
| empting the announcements by the Chancellor.
|
| This is being treated as an incredibly big deal here:
| https://www.bbc.co.uk/news/articles/cd74v35p77jo
| hdgvhicv wrote:
| In the popular press it's been sidelined because it would
| distract from the continuous attacks on the chancellor
| louthy wrote:
| Yes, it's getting quite ridiculous now. Labour, for sure,
| have not done themselves any favours in their first 18 months
| in charge, but the level of attack and vitriol is exceptional
| and beyond any reasonable level.
|
| It makes me wonder what exactly is driving this.
| dboreham wrote:
| Money.
| mytailorisrich wrote:
| This is politics so attacks will always follow blunders on
| either side.
|
| In this case this is an extremely unpopular government to
| start with that increases taxes across the board while
| handing out more benefits and claiming that they had no
| choice because of the state of the public finances, and we
| learn that they possibly misled the public on that latter
| point. So, yes, in politics and especially British politics
| this means a riot against the Chancellor (who was also
| caught recently having let her house without the required
| legal licence, btw, after the [now former] Deputy PM was
| caught dodging taxes on the purchase of a second home...)
| because everyone "smells blood" but that's the game and
| it's not completely undeserved, either.
| physicsguy wrote:
| The fact that they were elected as a 'change' government
| and have barely done anything that really faces up to the
| scale of the challenge the country faces? If you're below
| the age of about 55, then the budget did absolutely nothing
| for you except put taxes up, and not even to improve
| services.
|
| I appreciate things take time but so far the government have
| enormously walked back their planning reform proposals,
| which was one of their few pro-growth policies, and haven't
| really made any dent in anything else substantive. It's
| been pretty clear since even before the election that they
| didn't really have a plan, and they got a fairly light
| scrutiny through the campaign because the Tories were so
| appalling. Then since they got in they're just scrambling
| around looking fairly incompetent and the dearth of talent
| on the cabinet has been pretty plain to see as well.
| Largely I want Labour to succeed but they're not making it
| easy to like them.
| louthy wrote:
| I don't disagree with any of that, but the vitriol
| doesn't match the disappointment imho. Especially as
| they've done pretty well in other areas.
|
| I realise "it's the economy, stupid", but still it feels
| like outsized outrage.
| mytailorisrich wrote:
| The public do not see or agree that they have done well
| in any areas, hence their appallingly low popularity. And
| that was before this budget announcement.
|
| It does not take a crystal ball to understand that the
| British media, which are vitriolic on a good day, will
| have an absolute free-for-all. It's nothing new.
| qcnguy wrote:
| Starmer was already the most unpopular PM on record
| before the budget, and Labour's voting intention is the
| lowest it's ever been. It's just a really, really
| unpopular government so of course it gets a lot of
| attacks.
| exasperaited wrote:
| > The fact that they were elected as a 'change'
| government and have barely done anything that really
| faces up to the scale of the challenge the country faces?
|
| They have done a lot. But they haven't even stopped the
| runaway train yet. And the fundamental mistake they have
| made is not explaining to people clearly enough, during
| the election campaign, that it would take the first three
| years just to stop it.
|
| Then you have the absolutely shameful, racist,
| nihilistic, fact-free intervention of five MPs that the
| media thinks will run the country in future so they are
| getting ten times the airtime of anyone else.
| physicsguy wrote:
| > They have done a lot.
|
| I really don't agree. Look at the first year of 1997
| Labour:
|
| * Good Friday agreement signed and referendum
| * Introduction of Minimum Wage
| * Human Rights act introduced and passed
| * Scottish and Welsh devolution set out, Parliament voted on
| it, referendums passed
| * Bank of England independence
|
| A government coming into a mess of a country on a
| platform of change cannot just fiddle around with minor
| things, which is what many of the changes they have done,
| though positive, are. And at the same time, they've also
| wasted so much political capital on some really stupid
| things that it's hard to see where they can go from here.
| mytailorisrich wrote:
| Yes and I'd argue that this is because they have not been
| elected on merit but because the people rejected the
| Tories. I believe that Corbyn got more votes than
| Starmer!
|
| They have neither talents nor a plan. So far it seems
| that Starmer has picked policies to make him survive and
| he knows that this means placating power bases in the
| Labour party, not generally good policies for the
| country. Opinion polls are scathing.
| graemep wrote:
| I largely agree, except I think my expectations were
| lower than yours to start with. The ruling class all
| think alike regardless of party.
|
| They have pushed ahead with the Tories' Online Safety Act.
| Legislation I have looked at or that affects things I know
| about, such as the Children's Wellbeing and Schools Act, is
| terrible.
|
| There is a lot of smoke and mirrors. For example, if you
| assume the justification for the "mansion tax" is that
| people who own higher value properties should be taxed
| more, why does someone with a £50m house not pay more
| than someone with a £5m house? It's designed to hit the
| moderately wealthy but not the really rich.
| teamonkey wrote:
| Although I agree it should be proportional to value, a
| £5M property puts you in the top 1% of property prices
| in the country. Even within London, it's also within the
| top 1% of all but the most expensive boroughs. The
| average home property sale in the UK is less than
| £275,000.
|
| A tax on a £5M home is not a tax on the moderately
| wealthy, it's a tax on the wealthy.
| toyg wrote:
| No, it's designed to maximize what they can raise without
| pissing off _too many_ voters. Even as it is, it's going
| to raise barely half a billion pounds, which is
| relatively insignificant in a budget worth hundreds of
| billions; but it's something, and something they (think
| they) can sell to their core electorate as a bit of token
| redistribution, when in reality it's just a cash-raising
| exercise.
|
| If they'd targeted the really rich harder, it would have
| looked more consistent but would have probably raised
| even less (because, when a tax starts being significant,
| the really rich have the means to find ways to _avoid_
| it). As it is, it looks insignificant enough that the
| really wealthy will just pay it and move on.
| teamonkey wrote:
| They have done a lot of sensible, boring things that are
| objectively positive but are largely going
| unnoticed (plus of course a few massive footguns that
| make the headlines).
|
| I keep recommending r/GoodNewsUK on Reddit. It's often
| just a lot of press releases and government
| announcements, but there seems to be a continual stream of
| them, and it's hard to hear about them by any other
| source.
| RobotToaster wrote:
| They were elected with 33% of the vote thanks to our FPTP
| system, the lowest in history. They were unpopular when
| they were elected and have done nothing to change that.
| tantalor wrote:
| > which it blamed on a "technical error"
|
| It's not a technical error at all!
|
| Technical errors are faults caused by technology, like a
| software or hardware bug. That's not what happened here.
| WordPress behaved exactly as it was supposed to.
|
| The true cause is revealed later in the article,
|
| > staff thought they had applied safeguards to prevent early
| publication, there were two errors in the way in which they
| were set up
|
| The problem was the staff. It's a _human_ error.
| graemep wrote:
| A well designed system would reduce the risk of human error.
|
| Given the importance of keeping this information
| confidential, they really ought to have a custom system for
| releasing it, not just configuring a third party Wordpress
| plugin.
| chriswarbo wrote:
| I don't think that's a worthwhile distinction. All software
| bugs are human errors, since the machine is correctly
| following the human programmer's incorrect instructions;
| whether that's at the level of assembly instructing the CPU;
| or a higher level like Wordpress instructing the PHP
| interpreter; or an even higher level of a document hosting
| solution instructing Wordpress.
| diordiderot wrote:
| Eh, I think the distinction is broken tool vs improper use
| of the tool or in this case, the wrong tool altogether
| _dain_ wrote:
| "Human error" is not the end of an explanation, it's the
| start of an explanation.
|
| As an industry we should know this by now. Defaults matter.
|
| https://www.humanfactors.lth.se/fileadmin/lusa/Sidney_Dekker.
| ..
| M2Ys4U wrote:
| >During that period, it was accessed 43 times by 32 unique IP
| addresses
|
| I find this an implausibly low number. It was all over Bluesky, X
| etc., not to mention journo Signal and WhatsApp groups.
| jamesbelchamber wrote:
| Possibly copies of the document rather than the original URL?
| logicchains wrote:
| Maybe it was cached somewhere and most people were hitting the
| cache?
| m4tthumphrey wrote:
| Either that number was wrong like you say OR (and I am
| unfamiliar with Bluesky) the URL is loaded via Bluesky's
| browser (like X) and therefore Bluesky's own server IP was used
| (instead of the user's).
|
| Edit: Or (and more likely) cached/copies of the original.
| reddalo wrote:
| I feel like those 32 unique IP addresses may very well be
| Cloudflare or CloudFront ones.
| ZoneZealot wrote:
| I agree, and I also am familiar with how WP Engine's 'GES'
| (global edge security) works. obr.uk points to two IP addresses
| held in the name of WP Engine, but they're actually BYOIP with
| Cloudflare. Cloudflare act as a caching layer, DDOS mitigation
| and WAF.
|
| Note that GES works a bit differently to traditional Cloudflare
| implementations: HTML requests are basically passed through to
| the WP Engine NGINX reverse proxy server that's in front of the
| WordPress site (as opposed to being heavily cached with
| Cloudflare). Static assets, like a PDF, would indeed be cached
| with GES.
| fabian2k wrote:
| > The available mitigation is at server level and prevents access
| to download or file storage directories directly. If configured
| properly, this will block access to the clear URL and return a
| 'forbidden' message. This is the second contributory
| configuration error - the server was not configured in this way
| so there was nothing to stop access to the clear URL bypassing
| protections against pre-publication access
|
| That's the main flaw. Wordpress was configured to allow direct
| access to files, so they did not go through the authentication
| system. My experience is with Drupal (and a decade or more out of
| date), but it sounds like this behaves very similarly. And this is
| a giant footgun, the system doesn't behave the way normal people
| expect if you allow unauthenticated access to files (if you know
| the URL). I don't understand why you would configure it this way
| today.
|
| I would also assume that the upload happened via Wordpress, and
| not someone manually uploading files via FTP/SFTP or something
| like that. And in that case it would be entirely non-obvious to
| users that attaching a file to an unpublished document would put
| it in a place where it is potentially publicly accessible.
| snowwrestler wrote:
| Since at least Drupal 7, the core CMS has included the concept
| of "private files." The files are stored in a directory that is
| not served publicly by the web server. Instead the CMS
| generates a proxy URL for each file, which is handled by the
| CMS like a page URL before serving the file by streaming it
| through PHP. So: it's a heavier load on the server, but you get
| full permission management by the CMS.
|
| Wordpress does not have this in core--no surprise. I was
| surprised to find that it's not even available as a community
| plugin. I had to pay a developer to write a custom plugin when
| building a members-only website in Wordpress.
|
| Some folks downplayed the risk of someone finding and directly
| accessing the file URL if it wasn't referenced on a public
| page. It's crazy to see it created a national government
| incident in the UK.
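The two comments above describe the same control from two sides: the server-level rule that refuses direct requests into the file storage directory, and the CMS "private files" pattern where every download is proxied through an access check. The block below is an added example, not OBR, WordPress or Download Monitor code: it models a gated /download/<slug> route, an embargo timestamp standing in for the WordPress 'future' status, a `storage_mapped` flag that reproduces the "server not configured to block the clear URL" error, and a pre-go-live probe. Slugs, file names and times are constructed.

```python
"""Embargo gate for a scheduled download (added example; not OBR, WordPress or
Download Monitor code). It models the 'private files' pattern: the PDF sits in a
storage directory the web server never maps, and the only route to its bytes is
serve(), which checks the embargo first. The server-level misconfiguration the
report describes is modelled by the storage_mapped flag. All slugs, file names
and times are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Download:
    slug: str             # used in the public "clear" URL: /download/<slug>
    stored_path: str      # key into STORAGE; should never be exposed as a URL
    publish_at: datetime  # embargo lifts here (like a WordPress 'future' post)


@dataclass(frozen=True)
class Request:
    path: str
    authenticated_editor: bool = False  # logged-in staff allowed to preview


# Constructed catalogue and storage: one embargoed report, already uploaded.
CATALOGUE = {
    "efo-2025": Download("efo-2025", "OBR_EFO_2025.pdf",
                         datetime(2025, 11, 26, 12, 30, tzinfo=UTC)),
}
STORAGE = {"OBR_EFO_2025.pdf": b"%PDF-1.7 constructed sample bytes"}
BEFORE_EMBARGO = datetime(2025, 11, 26, 11, 0, tzinfo=UTC)
AFTER_EMBARGO = datetime(2025, 11, 26, 12, 31, tzinfo=UTC)


def serve(req: Request, now: datetime, storage_mapped: bool = False):
    """Front controller; returns (http_status, body_or_None)."""
    if req.path.startswith("/storage/"):
        # Correct setup: the storage directory is not served as static files,
        # so a guessed path gets 403 and the gate below is the only way in.
        if not storage_mapped:
            return 403, None
        # Misconfigured setup: the web server also serves the directory
        # directly. Pollers see 404 until the upload lands, then 200, which
        # is exactly the pattern of repeated unsuccessful requests followed by
        # a pre-publication download that the thread discusses.
        body = STORAGE.get(req.path[len("/storage/"):])
        return (200, body) if body is not None else (404, None)
    if not req.path.startswith("/download/"):
        return 403, None
    item = CATALOGUE.get(req.path[len("/download/"):])
    if item is None:
        return 404, None
    # Before the embargo lifts, anonymous callers get 403 whether or not the
    # bytes exist yet, so the status never reveals when the upload happened.
    if now < item.publish_at and not req.authenticated_editor:
        return 403, None
    body = STORAGE.get(item.stored_path)
    if body is None:
        return 404, None  # published but nothing uploaded: an ops error, not a leak
    return 200, body


def preflight_check(now: datetime, storage_mapped: bool = False):
    """The go-live test the thread says nobody ran: probe every embargoed item
    as an anonymous caller via both the clear URL and the direct storage path.
    Returns the URLs that would leak right now; an empty list means safe."""
    leaks = []
    for item in CATALOGUE.values():
        if now >= item.publish_at:
            continue
        for url in (f"/download/{item.slug}", f"/storage/{item.stored_path}"):
            status, _ = serve(Request(url), now, storage_mapped)
            if status == 200:
                leaks.append(url)
    return leaks


if __name__ == "__main__":
    print(serve(Request("/download/efo-2025"), BEFORE_EMBARGO)[0])        # 403
    print(serve(Request("/download/efo-2025", True), BEFORE_EMBARGO)[0])  # 200
    print(serve(Request("/download/efo-2025"), AFTER_EMBARGO)[0])         # 200
    print(preflight_check(BEFORE_EMBARGO))                                  # []
    print(preflight_check(BEFORE_EMBARGO, storage_mapped=True))
    # ['/storage/OBR_EFO_2025.pdf']
```

The point of `preflight_check` is that it exercises the anonymous path an outside poller would use, so a storage directory that is accidentally mapped shows up as a leak before publication rather than after.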
| Y-bar wrote:
| > I was surprised to find that it's not even available as a
| community plugin.
|
| I found this one https://wordpress.org/plugins/prevent-
| direct-access/
| fabian2k wrote:
| That's even worse than I thought. I assumed it is a setting
| like in Drupal.
|
| To me it really doesn't make any sense to have that kind of
| giant hole in your permissions system from the start.
| londons_explore wrote:
| > It is the worst failure in the 15-year history of the OBR
|
| I'm not sure publishing some information 3 hours early was really
| their biggest failure in 15 years...
|
| Especially when much of the info was already public because
| hundreds of civil servants involved in making these decisions
| told their family members who told the press...
| afavour wrote:
| It's still a failure in principle. The effects of this
| particular instance of the failure were minimal but it was
| still an accidental leak of (at the time) private information.
| They just got lucky.
| blibble wrote:
| > The effects of this particular instance of the failure were
| minimal
|
| the effects are not minimal
|
| if you're crooked: getting this sort of information early is
| potentially extremely lucrative
|
| (why crooked? because trading on UPSI is illegal)
| mytailorisrich wrote:
| Surely it was no longer UPSI (Unpublished Price Sensitive
| Information) after the OBR _published_ it?
| kstrauser wrote:
| I agree. They didn't _intend_ to publish it, but they
| _did_ publish it. They might not have advertised its
| presence yet, but it was freely available to anyone who
| asked.
| blibble wrote:
| I wouldn't be betting my freedom on the regulator
| agreeing with that logic
|
| the regulations specifically go into great detail about
| official publications and formal circulation
|
| would a reasonable person consider this a leak? then it's
| UPSI
| mytailorisrich wrote:
| The OBR admits that they published it too early.
|
| I am not an expert but I think that even trading on a
| leak is not unlawful as long as that leaked information
| was indeed made _public_ (e.g. someone leaks to the media
| and the media then publish it), although it may have been
| unlawful to leak the information. The point is that
| insider trading is not allowed. It is no insider trading
| if the information is available to everyone.
| blibble wrote:
| > I am not an expert
|
| I have had regulatory training on this exact matter, and
| it covers unintended leaks explicitly
|
| and there is no way I would trade
|
| > The point is that insider trading is not allowed. It is
| no insider trading if the information is available to
| everyone.
|
| no, it isn't the point
|
| the regulator cares that participants are seen to be
| clean, practicing "fit and proper" behaviour
|
| if a reasonable person would think it was dodgy, they'll
| have your head (and your certification to practice)
|
| regardless of whether or not it was illegal
| mytailorisrich wrote:
| Yes, I have had the corporate training on leaks and
| insider trading, too...
|
| Trading on public information is fit and proper (Edit:
| Indeed, a technical term, but that does not make my
| statement incorrect, or does it?)
|
| I think you may have skipped the part of leak _to whom_.
| If it is a leak to _you_ then it is still not public and
| indeed insider trading. But if leaked to the public then
| it is different (and also how do you prevent people from
| trading on what they see in the media?)
|
| But that's in general as in this case, the OBR admits
| they released it and, again, anyway once it's on BBC News
| it's free for all.
| blibble wrote:
| > Yes, I have had the corporate training on leaks and
| insider trading, too...
|
| by a regulated investment firm? specifically on UPSI?
|
| "fit and proper" is a technical term in the FCA manual
|
| I would not risk my regulator not considering me as such
| by trading on this information
|
| if you would: provide your reference number, and we can
| ask them if they agree!
| mytailorisrich wrote:
| Well if you are an expert that's great as you will be
| able to explain how using a leak to the public and/or
| something that is public information can be construed as
| improper. That was my previous point and question.
| almostkindatech wrote:
| If by 'much of the info' you mean policy changes, those are
| deliberately leaked by the politicians, not civil servants or
| their family members. They do this to test reactions and frame
| the debate.
| TheRealPomax wrote:
| I think you mean "no one got paid to vet the wordpress plugins"
| gnfargbl wrote:
| The real kicker is in point 1.13:
|
| > website activity logs show the earliest request on the server
| for the URL
| https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl....
| This request was unsuccessful, as the document had not been
| uploaded yet. Between this time and 11:30, a total of 44
| unsuccessful requests to this URL were made from seven unique IP
| addresses.
|
| In other words, someone was guessing the correct staging URL
| _before the OBR had even uploaded the file to the staging area_.
| This suggests that the downloader _knew_ that the OBR was going
| to make this mistake, and they were polling the server waiting
| for the file to appear.
|
| The report acknowledges this at 2.11:
|
| > In the course of reviewing last week's events, it has become
| clear that the OBR publication process was essentially
| technically unchanged from EFOs in the recent past. This gives
| rise to the question as to whether the problem was a pre-existing
| one that had gone unnoticed.
| rahimnathwani wrote:
| The report also says a previous report was also accessed 30
| mins early.
| philipwhiuk wrote:
| > In other words, someone was guessing the correct staging URL
| before the OBR had even uploaded the file to the staging area.
| This suggests that the downloader knew that the OBR was going
| to make this mistake, and they were polling the server waiting
| for the file to appear.
|
| The URLs are predictable. Hedge-funds would want to get the
| file as soon as it would be available - I imagine someone set
| up a cron-job to try the URL every few minutes.
| kypro wrote:
| This is so incompetent.
|
| Given the market significance of the report it's damn obvious
| that this would happen. They should have assumed that
| security via obscurity was simply not enough, and the OBR
| should have been taking active steps to ensure the data was
| only available at the correct time.
|
| > Hedge-funds would want to get the file as soon as it would
| be available - I imagine someone set up a cron-job to try the
| URL every few minutes.
|
| It's not even just hedge-funds that do this. This is
| something individual traders do frequently. This practice is
| commonplace because a small edge like this with the right
| strategy is all you need to make serious profits.
| stuaxo wrote:
| This setup was not initially approved, see 1.7 in the
| document:
|
| > 1.7 Unlike all other IT systems and services, the OBR's
| website is locally managed and outside the gov.uk network.
| This is the result of an exemption granted by the Cabinet
| Office in 2013. After initially rejecting an exemption
| request, the Cabinet Office judged that the OBR should be
| granted an exemption from gov.uk in order to meet the
| requirements of the Budget Responsibility and National
| Audit Act. The case for exemption that the OBR made at the
| time centred on the need for both real and perceived
| independence from the Treasury in the production and
| delivery of forecasts and other analysis, in particular in
| relation to the need to publish information at the right
| time.
| Maxious wrote:
| Gov.uk does not use some random wordpress plugin to
| protect information of national significance, doco at
| https://docs.publishing.service.gov.uk/repos/whitehall/asset...
| mjw1007 wrote:
| They weren't in any way attempting to rely on security by
| obscurity.
|
| They didn't assume nobody would guess the URL.
|
| They did take active steps to ensure the data was only
| available at the correct time.
|
| But they didn't check that their access control was
| working, and it wasn't.
| blitzar wrote:
| I used to do this for BOE / Fed minutes, company earnings etc
| on the off chance they published it before the official
| release time.
|
| 2025-Q1-earnings.pdf - smash it every 5 seconds - rarely
| worked out, generally a few seconds head start at best. By
| the time you pull up the pdf and parse the number from it the
| number was on the wires anyway. Very occasionally you get a
| better result however.
| lesuorac wrote:
| > This suggests that the downloader knew that the OBR was going
| to make this mistake, and they were polling the server waiting
| for the file to appear.
|
| I think most of the tech world heard about the Nobel Peace
| Prize award so it doesn't seem that suspicious to me that
| somebody would just poll urls.
|
| Especially since before the peace prize there have been issues
| with people polling US economic data.
|
| My point is strictly, knowledge that they should poll a url is
| not evidence of insider activity.
| accoil wrote:
| How does the Nobel Peace Prize figure into this? I seem to be
| on the other side that didn't hear about the award. Which is
| not surprising as I don't follow it, but also I haven't
| worked out query terms to connect it with OBR.
| jjmarr wrote:
| Because it was insider traded on Polymarket many hours
| before it was publicly announced.
| kristianc wrote:
| Part of this is a product of the UK's political culture where
| expenses for stuff like this are ruthlessly scrutinised from
| within and without.
|
| The idea of the site hosting such an important document running
| independently on WordPress, being maintained by a single
| external developer and a tiny in-house team would seem really
| strange to many other countries.
|
| Everyone is so terrified of headlines like "OBR spends £2m
| upgrading website" that you get stuff like this.
| toyg wrote:
| It's not an easy call. Sometimes, one or two dedicated and
| competent people can vastly outperform large and bureaucratic
| consulting firms, for a fraction of the price. And sometimes,
| somebody's cousin "who knows that internet stuff" is
| trousering inflated rates at the taxpayer's expense, while
| credentialed and competent professionals are shut out from
| old boys' networks. One rule does not fit all.
| kristianc wrote:
| It would work if old boys' networks were not the de facto
| pool that the establishment hired from. The one time where
| UK GOV did go out and hire the best of the best in the
| private sector regardless of what Uni they went to we got
| GDS and it worked very well, but it seems like an exception
| to usual practice.
| dboreham wrote:
| Quirk? Surely a bug?
| philipwhiuk wrote:
| It's not a bug if it's the expected behaviour
| bitlevel wrote:
| It's not a bug - it's a feature.
| tolerance wrote:
| So is the significance of this news based on what _could_ have
| leaked if the document was not intended for the public? [1]
|
| Or is the significance of this news based on the advantages that
| players on the market who caught hold of it early will have? Is
| it only important to civilians relative to their ability to
| question who may be benefitting from the 40 minute head start
| that these players might have gained or (for the conspiracy-
| minded) _been handed_ through nefarious means?
|
| [1]: Which would lead me to ask why would it belong on a platform
| typically intended for publishing things in public.
| macleginn wrote:
| Interestingly, the public discourse in the UK (at least what I
| have observed, and it was hard not to observe a lot in the last
| several days) does not focus much (if at all) on the insider
| trading angle. It's mostly that the chancellor has this
| important duty to first announce the new budget before the
| Parliament, and if this course of events gets distorted this is
| very bad for the proper procedure. Now, the sole purpose of OBR
| is to ensure the proper procedure, so very silly (or "damning")
| of them to make such a mistake.
|
| At the same time, almost every piece of legislation in recent
| years has been relentlessly leaked and taken apart way before
| the official announcement in parliament, so this is a wee bit
| ridiculous.
| jonplackett wrote:
| It's just about incompetence really. The budget is meant to be
| highly secret. And they accidentally published their report
| early. Which would let some people benefit from it financially,
| but it's also just very embarrassing for a government.
| Sometimes budgets contain info that is more valuable than this.
| varispeed wrote:
| They didn't suffer a breach; they published a market-moving PDF
| early because they put it on a public WordPress server at a
| predictable URL with no access control, then acted shocked when
| someone typed it into a browser. The report dresses this up in
| solemn language about "pre-publication facilities" and
| "configuration errors", but the reality is negligent basics: no
| authentication, no server-level blocking, blind faith in a plugin
| they didn't understand, and not one person running the obvious
| test of guessing the URL before go-live. Their claim of
| "independence" just meant running the most sensitive part of
| their job on an underpowered, misconfigured website while
| assuming everything else would magically hold together. This
| wasn't a cyber incident. It was institutional incompetence
| wearing a suit.
| jonplackett wrote:
| But but but they 'have a limited budget' (repeated multiple
| times for effect in the article)
| blitzar wrote:
| ~PS4mil budget and 50 staff
| chuckreynolds wrote:
| "WordPress plugin quirk" AKA human error (as usual).
| tonyedgecombe wrote:
| Yes, the human error was using WordPress.
| petit_robert wrote:
| I had to laugh out loud at this (by myself).
|
| The amount of requests I get on my servers for WP related
| files is insane
| rvz wrote:
| What the f____?
|
| The contents of market sensitive information critical to the
| finances of the entire country is being stored on a damn
| vulnerable Wordpress server.
|
| It's not even accidental access or a premature push of the button
| to release the document, but the site was regularly breached
| _over and over and over_ again likely for insider trading ahead
| of the budget.
|
| Might as well store the UK nuclear key codes on a large bright
| yellow Post-It note in Piccadilly Circus.
|
| What a complete joke on the lack of basic security.
| pentagrama wrote:
| Ok, it was the Download Monitor plugin.
|
| But I still have a few questions. What is WordPress's default
| behavior? Does it prevent files uploaded to the media library
| from having public URLs? Are they only public once they are
| inserted into a published post? Images make sense because they
| are embedded, but what about a PDF linked inside a post? My
| understanding is that media files become publicly accessible as
| soon as they are uploaded, as long as someone knows or guesses
| the URL. I mean, the leak could have happened even without the
| plugin?
| kingkool68 wrote:
| Correct. Files uploaded get stored in the wp-content/uploads
| folder and are public.
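A pre-go-live check in the spirit of the two points above (media lands at a predictable path under wp-content/uploads, and nobody tried the URL before publication), as an added example that is not from the OBR report or any commenter; the site name, file names and times are constructed placeholders.

```python
# Added example, not from the OBR report or the thread: a pre-go-live
# embargo check. WordPress stores media at the predictable path
# wp-content/uploads/YYYY/MM/<filename>, so the publisher can compute the
# exact URL an embargoed PDF will live at and confirm that an anonymous
# client is refused before release. All names and times are placeholders.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable
import urllib.error
import urllib.request


@dataclass
class Finding:
    url: str
    status: int
    exposed: bool  # True when an anonymous client got HTTP 200 before release


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def wp_upload_url(site: str, filename: str, uploaded: datetime) -> str:
    """Path WordPress assigns by default to a media-library upload."""
    return f"{site.rstrip('/')}/wp-content/uploads/{uploaded:%Y/%m}/{filename}"


def anonymous_status(url: str) -> int:
    """HEAD the URL with no cookies or credentials; return the HTTP status."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_embargo(site: str, filenames: list[str], uploaded: datetime,
                  release_at: datetime, now: datetime,
                  fetch: Callable[[str], int] = anonymous_status) -> list[Finding]:
    """Before release_at, every listed file must be unreachable anonymously.

    `fetch` is injectable so the check can run offline against a stub.
    After release_at nothing is reported: the files are meant to be public.
    """
    if now >= release_at:
        return []
    findings = []
    for name in filenames:
        url = wp_upload_url(site, name, uploaded)
        status = fetch(url)
        findings.append(Finding(url, status, exposed=(status == 200)))
    return findings
```

Run it against the real site from a machine with no WordPress session; any `exposed=True` finding before the release time means the file is already public.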
| froobius wrote:
| And the news just now is that the chair of the OBR has resigned
| because of this [1]
|
| [1] https://www.bbc.co.uk/news/live/cly147rky81t
| almostkindatech wrote:
| And now the chair of the OBR has had to resign over it
| https://www.theguardian.com/politics/live/2025/dec/01/keir-s...
| hombre_fatal wrote:
| This doesn't seem to have much to do with Wordpress or its plugin
| ecosystem but rather an oversight since the behavior itself isn't
| necessarily a bug. I think the "well yeah, why would you use
| Wordpress?" comments kinda miss that.
|
| It's a ubiquitous practice to serve file uploads from a place
| outside of webserver middleware. This happens pretty much any
| time an upload permalink is on a different domain or subdomain,
| and it's standard on probably 90% of platforms.
|
| Discord and Twitter file upload urls would be an example off the
| top of my head.
|
| It would have been prevented if the public url used a random
| UUID, for example. But that's also not the behavior users
| necessarily want for most uploads.
| hexbin010 wrote:
| Should have used S3 and a datetime-based access policy. Eg
| {
|   "Version": "2012-10-17",
|   "Statement": [
|     {
|       "Sid": "Statement1",
|       "Effect": "Allow",
|       "Principal": "*",
|       "Action": [ "s3:GetObject" ],
|       "Resource": "arn:aws:s3:::obr-leaky-bucket/myfirst.pdf",
|       "Condition": {
|         "DateGreaterThan": { "aws:CurrentTime": "2025-11-26T12:30:00Z" }
|       }
|     }
|   ]
| }
| saaaaaam wrote:
| The log of events in that document is absolutely
| hilarious/pitiful. It's like something lifted directly from an
| episode of In The Thick Of It.
|
| A honest-to-goodness proper fucking omnishambles.
|
| 11:52 - senior OBR and Treasury officials telephoned each other
| to discuss the breach. These Treasury officials made OBR staff
| aware of the URL leading to the PDF of the EFO that was
| accessible.
|
| 11:53 - OBR staff and the web developer attempted to pull the PDF
| from the website, and also to pull the entire website (e.g. via
| password protection), but struggled to do so initially due to the
| website being overloaded with traffic.
|
| 11:58 - an email was received to the OBR press inbox from a
| Reuters journalist confirming that Reuters had published details
| of the EFO and asking for comment.
|
| 12:07 - the EFO PDF was renamed by the web developer.
|
| 12:07 - the EFO PDF appeared on the Internet Archive. This means
| it was, at that precise time, visible entirely generally on the
| open internet via search engines. It is assumed that this
| happened very briefly in the rush to remove it.
| khaki54 wrote:
| If you've ever looked at the admin panel of even a minor league,
| single page Wordpress site you'd probably recognize it as a major
| risk for any organization instantly. So many of the plugins look
| like spaghetti, with most you're trusting some random name to not
| be malicious. Unsurprisingly there are 60,000 CVE related to WP.
| I get that we all use a dozen node packages that we can't
| reasonably verify, but WP seems so much more wild west than that.
| I guess it's fine if you are a low value target, but a commercial
| CMS is not terribly expensive, and should be mandatory for any
| government org.
| iamcreasy wrote:
| > 11:53 - OBR staff and the web developer attempted to pull the
| PDF from the website, and also to pull the entire website (e.g.
| via password protection), but struggled to do so initially due to
| the website being overloaded with traffic
|
| This one is painful to read. What was their option here? Calling
| WP Engine to take it offline?
___________________________________________________________________
(page generated 2025-12-01 23:01 UTC)