FRESH

Hacker News

Home

WordPress plugin quirk resulted in UK Gov OBR Budget leak [pdf]

130 points by robtaylor

by gnfargbl

4 subcomments

The real kicker is in point 1.13:
> website activity logs show the earliest request on the server for the URL https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl.... This request was unsuccessful, as the document had not been uploaded yet. Between this time and 11:30, a total of 44 unsuccessful requests to this URL were made from seven unique IP addresses.
In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.
The report acknowledges this at 2.11:
> In the course of reviewing last week’s events, it has become clear that the OBR publication process was essentially technically unchanged from EFOs in the recent past. This gives rise to the question as to whether the problem was a pre-existing one that had gone unnoticed.

by jamesbelchamber

3 subcomments

For those of you not closely following UK politics: the Office for Budget Responsibility (OBR) mistakenly published their Economic and Fiscal Outlook (EFO) document 40 minutes early, pre-empting the announcements by the Chancellor.
This is being treated as an incredibly big deal here: https://www.bbc.co.uk/news/articles/cd74v35p77jo

by fabian2k

1 subcomments

> The available mitigation is at server level and prevents access to download or file storage directories directly. If configured properly, this will block access to the clear URL and return a ‘forbidden’ message. This is the second contributory configuration error – the server was not configured in this way so there was nothing to stop access to the clear URL bypassing protections against pre-publication access
That's the main flaw. Wordpress was configured to allow direct access to file, so they did not go through the authentication system. My experience is with Drupal (and a decade or more out of date), but it sounds like this behaves very similar. And this is a giant footgun, the system doesn't behave the way normal people expect if you allow unauthenticated access to files (if you know the URL). I don't understand why you would configure it this way today.
I would also assume that the upload happened via Wordpress, and not someone manually uploading files via FTP/SFTP or something like that. And in that case it would be entirely non-obvious to users that attaching a file to an unpublished document would put it in a place where it is potentially publicly accessible.

by londons_explore

2 subcomments

> It is the worst failure in the 15-year history of the OBR
I'm not sure publishing some information 3 hours early was really their biggest failure in 15 years...
Especially when much of the info was already public because hundreds of civil servants involved in making these decisions told their family members who told the press...

by glenjamin

4 subcomments

There's a couple of passing mentions of Download Monitor, but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded
I'm not clear from the doc which of these scenarios is what they're calling the "leak"

by hombre_fatal

0 subcomment

This doesn't seem to have much to do with Wordpress or its plugin ecosystem but rather an oversight since the behavior itself isn't necessarily a bug. I think the "well yeah, why would you use Wordpress?" comments kinda miss that.
It's a ubiquitous practice to serve file uploads from a place outside of webserver middleware. This happens pretty much any time an upload permalink is on a different domain or subdomain, and it's standard on probably 90% of platforms.
Discord and Twitter file upload urls would be an example off the top of my head.
It would have been prevented if the public url used a random UUID, for example. But that's also not the behavior users necessarily want for most uploads.

by khaki54

0 subcomment

If you've ever looked at the admin panel of even a minor league, single page Wordpress site you'd probably recognize it as a major risk for any organization instantly. So many of the plugins look like spaghetti, with most you're trusting some random name to not be malicious. Unsurprisingly there are 60,000 CVE related to WP. I get that we all use a dozen node packages that we can't reasonably verify, but WP seems so much more wild west than that. I guess i's fine if you are a low value target, but a commercial CMS is not terribly expensive, and should be mandatory for any government org.

by merrvk

6 subcomments

Why are government organisations which handle sensitive information using Wordpress?

by pentagrama

1 subcomments

Ok, it was the Download Monitor plugin.
But I still have a few questions. What is WordPress’s default behavior? Does it prevent files uploaded to the media library from having public URLs? Are they only public once they are inserted into a published post? Images make sense because they are embedded, but what about a PDF linked inside a post? My understanding is that media files become publicly accessible as soon as they are uploaded, as long as someone knows or guesses the URL. I mean, the leak could have happened even without the plugin?

by chuckreynolds

1 subcomments

"WordPress plugin quirk" AKA human error (as usual).

by iamcreasy

0 subcomment

> 11:53 – OBR staff and the web developer attempted to pull the PDF from the website,and also to pull the entire website (e.g. via password protection), but struggled to doso initially due to the website being overloaded with traffic
This one is painful to read. What was their option here? Calling WP Engine to take it offline?

by almostkindatech

0 subcomment

And now the chair of the OBR has had to resign over it https://www.theguardian.com/politics/live/2025/dec/01/keir-s...

by M2Ys4U

5 subcomments

>During that period, it was accessed 43 times by 32 unique IP addresses
I find this an implausibly low number. It was all over Bluesky, X etc., not to mention journo Signal and WhatsApp groups.

by varispeed

1 subcomments

They didn’t suffer a breach; they published a market-moving PDF early because they put it on a public WordPress server at a predictable URL with no access control, then acted shocked when someone typed it into a browser. The report dresses this up in solemn language about “pre-publication facilities” and “configuration errors”, but the reality is negligent basics: no authentication, no server-level blocking, blind faith in a plugin they didn’t understand, and not one person running the obvious test of guessing the URL before go-live. Their claim of “independence” just meant running the most sensitive part of their job on an underpowered, misconfigured website while assuming everything else would magically hold together. This wasn’t a cyber incident. It was institutional incompetence wearing a suit.

by TheRealPomax

0 subcomment

I think you mean "no one got paid to vet the wordpress plugins"

by saaaaaam

0 subcomment

The log of events in that document is absolutely hilarious/pitiful. It’s like something lifted directly from an episode of In The Thick Of It.
A honest-to-goodness proper fucking omnishambles.
11:52 - senior OBR and Treasury officials telephoned each other to discuss the breach. These Treasury officials made OBR staff aware of the URL leading to the PDF of the EFO that was accessible.
11:53 - OBR staff and the web developer attempted to pull the PDF from the website, and also to pull the entire website (e.g. via password protection), but struggled to do so initially due to the website being overloaded with traffic.
11:58 - an email was received to the OBR press inbox from a Reuters journalist confirming that Reuters had published details of the EFO and asking for comment.
12:07 - the EFO PDF was renamed by the web developer.
12:07 - the EFO PDF appeared on the Internet Archive. This means it was, at that precise time, visible entirely generally on the open internet via search engines. It is assumed that this happened very briefly in the rush to remove it.

by kingkool68

1 subcomments

What was the quirk?

by froobius

0 subcomment

And the news just now is that the chair of the OBR has resigned because of this [1]
[1] https://www.bbc.co.uk/news/live/cly147rky81t

by tolerance

2 subcomments

So is the significance of this news based on what could have leaked if the document was not intended for the public? [1]
Or is the significance of this news based on the advantages that players on the market who caught hold of it early will have? Is it only important to civilians relative to their ability to question who may be benefitting from the 40 minute head start that these players might have gained or (for the conspiracy-minded) been handed through nefarious means?
[1]: Which would lead me to ask why would it belong on a platform typically intended for publishing things in public.

by hexbin010

1 subcomments

Should have used S3 and a datetime-based access policy. Eg

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Statement1",
        "Effect": "Allow",
        "Action": [
          "s3:GetObject"
        ],
        "Resource": "arn:aws:s3:::obr-leaky-bucket/myfirst.pdf",
        "Condition": {
          "DateGreaterThan": {
            "aws:CurrentTime": "2025-11-26T12:30:00"
          }
        }
       }
    ]
  }

by dboreham

1 subcomments

Quirk? Surely a bug?

by rvz

0 subcomment

What the f____?
The contents of market sensitive information critical to the finances of the entire country is behind stored on a damn vulnerable Wordpress server.
It's not even accidental access or a premature push of the button to release the document, but the site was regularly breached over and over and over again likely for insider trading ahead of the budget.
Might as well store the UK nuclear key codes on a large bright yellow Post-It note in Piccadilly Circus.
What a complete joke on the lack of basic security.

by cristianraiber

0 subcomment

[dead]