OBR budget forecast leak due to WordPress plugin with known vulnerability

ralfralf Member

Thought this was quite interesting, especially towards the end where it's apparent that it wasn't a simple mistake of accidentally uploading the document early, but using a plugin that generated predictable URLs - and knowing about the vulnerability and doing nothing about it.

https://www.bbc.co.uk/news/articles/cd74v35p77jo

(For context this relates to the UK leak hours before the budget, the leak contained all the forecasts that were used to show the budget was economically viable, but from which the contents of the budget could be guessed - which is significant because people could make money trading on this knowledge before it was public)

Thanked by: JohnnySac

Comments

  • I am genuinely surprised how many government websites use backyard technology. Half of Australia's government websites use WordPress and, on at least one occasion, I saw a web hosting account not get renewed so an official .gov.au address went to a nasty "your service has expired" lander.

  • @nikio said:
    I am genuinely surprised how many government websites use backyard technology. Half of Australia's government websites use WordPress and, on at least one occasion, I saw a web hosting account not get renewed so an official .gov.au address went to a nasty "your service has expired" lander.

    you got better options than wordpress if you are in that position?

  • @Tange said:

    @nikio said:
    I am genuinely surprised how many government websites use backyard technology. Half of Australia's government websites use WordPress and, on at least one occasion, I saw a web hosting account not get renewed so an official .gov.au address went to a nasty "your service has expired" lander.

    you got better options than wordpress if you are in that position?

    Yes, but if you want to hear them, you'll need to pay me $96 million $80 million (LET discount) in consultancy fees.

    Most government websites have such a painful approvals process for adding content that the chief advantage of software like WordPress, where you can easily add multiple authors, is quickly lost. At that point, just run a static website and get IT to upload your articles for you. Because that is what ends up happening anyway.

  • @nikio said:

    Yes, but if you want to hear them, you'll need to pay me $96 million $80 million (LET discount) in consultancy fees.

    Most government websites have such a painful approvals process for adding content that the chief advantage of software like WordPress, where you can easily add multiple authors, is quickly lost. At that point, just run a static website and get IT to upload your articles for you. Because that is what ends up happening anyway.

    Okay, I am sorry that your tax money has been wasted, but WordPress is innocent.

  • @Tange said:

    @nikio said:

    Yes, but if you want to hear them, you'll need to pay me $96 million $80 million (LET discount) in consultancy fees.

    Most government websites have such a painful approvals process for adding content that the chief advantage of software like WordPress, where you can easily add multiple authors, is quickly lost. At that point, just run a static website and get IT to upload your articles for you. Because that is what ends up happening anyway.

    Okay, I am sorry that your tax money has been wasted, but WordPress is innocent.

    Not to start a flamewar by accident but, no, WordPress is not innocent. WordPress is a crime against humanity. Firstly, because it uses PHP. Secondly, because it is an unholy abomination of legacy code that is about to become sentient and Skynet us all. It is completely unmaintainable, horrendous to customize, and not performant at all. WordPress is a tool for the lazy. And a headache for the technical user because you eventually give up trying to do anything complex with it and write your own blog software.

    Given its notorious reputation for security flaws, it should not be used in production by government or serious business. But, as I mentioned, it is a tool for the lazy.

  • Tange Member
    edited December 2025

    Yeah, WP is not perfect, but I believe it is the best you can find.

    or, you just name me the perfect one

  • VM6 Member, Patron Provider

    Builds confidence in the national digital ID they'll be rolling out soon lol.

    Thanked by: ptreja, tentor
  • It's surprising to me that a state agency would trust WP, of all things, with sensitive data like that.

    Thanked by: tux
  • WordPress is a very popular platform. I don't believe it is its fault, nor the PHP scripting language's. Both have stood the test of time and reliability.

    The problem in this case is NOT WordPress, nor PHP. The problem in this case was a lack of maintenance (updates and patches) combined with human error, even though this institution had access to the government's money.

    [...] there were two errors in the way in which they were set up on the publishing platform WordPress that effectively bypassed these controls.

    • One was to do with a plug-in (an optional extra) the OBR had installed, which had the unintended effect of bypassing the need to log in to access documents intended for future publication.

    • The second was the directory in which the file was put ahead of publication allowed anyone to download a file directly.

    As one can see, it was not WordPress; it was just the way information was secured and handled.

    Thanked by: noob404, VM6
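The two errors quoted above (a plugin that bypasses the login check for documents awaiting publication, and a directory that lets anyone download a file directly) are easiest to see next to the fix. The following is an added example written for this page, not code from the thread, from the OBR or from any WordPress plugin; the document name, paths, timestamps and the `Document`/`Request` model are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: a forecast document scheduled for a later release.
NOW = datetime(2025, 11, 26, 9, 0, tzinfo=timezone.utc)
EMBARGO_LIFT = datetime(2025, 11, 26, 12, 30, tzinfo=timezone.utc)


@dataclass
class Document:
    slug: str                 # predictable: it appears in the upload path
    publish_at: datetime      # the embargo the plugin is supposed to enforce
    content: bytes
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    path: str
    logged_in: bool = False
    can_read_private: bool = False   # an editor role, not just any account
    now: datetime = NOW


DOCS = {
    "budget-forecast-2025": Document("budget-forecast-2025", EMBARGO_LIFT, b"forecast tables"),
}

UPLOADS = "/wp-content/uploads/2025/11/"   # assumed web-served upload dir
DOWNLOAD = "/download/"                     # assumed handler route


def serve_vulnerable(req: Request) -> tuple[int, bytes]:
    """Models the two errors: the file sits in a web-served directory under a
    predictable name, and nothing checks login or publish time before serving."""
    if not req.path.startswith(UPLOADS):
        return 404, b""
    slug = req.path[len(UPLOADS):].removesuffix(".pdf")
    doc = DOCS.get(slug)
    if doc is None:
        return 404, b""
    return 200, doc.content          # anyone who guesses the path gets it early


def serve_hardened(req: Request) -> tuple[int, bytes]:
    """Files live outside the web root; only this handler can serve them.
    It enforces the embargo server-side, requires an authorised session
    before the embargo lifts, and looks files up by a high-entropy token
    (constant-time compare) instead of a guessable slug."""
    if not req.path.startswith(DOWNLOAD):
        return 404, b""
    supplied = req.path[len(DOWNLOAD):]
    if not supplied.isascii():
        return 404, b""
    doc = next((d for d in DOCS.values() if hmac.compare_digest(d.token, supplied)), None)
    if doc is None:
        return 404, b""
    if req.now < doc.publish_at and not (req.logged_in and req.can_read_private):
        return 404, b""               # embargoed: deny, and do not confirm existence
    return 200, doc.content


def probe_predictable_paths(handler, candidates):
    """The check the thread describes: try guessable paths as an anonymous
    client and report which ones hand back a file."""
    return [p for p in candidates if handler(Request(path=p))[0] == 200]


GUESSES = [
    UPLOADS + "budget-forecast-2025.pdf",
    UPLOADS + "economic-fiscal-outlook.pdf",
    DOWNLOAD + "budget-forecast-2025",
]

if __name__ == "__main__":
    print("vulnerable leaks:", probe_predictable_paths(serve_vulnerable, GUESSES))
    print("hardened leaks:  ", probe_predictable_paths(serve_hardened, GUESSES))
```

The hardened handler answers 404 for a wrong token, a missing document and an embargoed one alike, so a probe cannot tell which names exist, and a scheduled publish time is enforced where the bytes are served rather than only where the link is rendered. Storing the file outside the web root is what makes the handler the only path to it; a scheduled post on top of a world-readable uploads directory protects nothing.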
  • @default said:
    WordPress is a very popular platform. I don't believe it is its fault, nor the PHP scripting language's. Both have stood the test of time and reliability.

    The problem in this case is NOT WordPress, nor PHP. The problem in this case was a lack of maintenance (updates and patches) combined with human error, even though this institution had access to the government's money.

    [...] there were two errors in the way in which they were set up on the publishing platform WordPress that effectively bypassed these controls.

    • One was to do with a plug-in (an optional extra) the OBR had installed, which had the unintended effect of bypassing the need to log in to access documents intended for future publication.

    • The second was the directory in which the file was put ahead of publication allowed anyone to download a file directly.

    As one can see, it was not WordPress; it was just the way information was secured and handled.

    Thanks for clarifying that. But, shouldn't state agencies be investing in their own homebrewed more-secure CMS than something available publicly?

    Thanked by: tux
  • @noob404 said:

    @default said:
    WordPress is a very popular platform. I don't believe it is its fault, nor the PHP scripting language's. Both have stood the test of time and reliability.

    The problem in this case is NOT WordPress, nor PHP. The problem in this case was a lack of maintenance (updates and patches) combined with human error, even though this institution had access to the government's money.

    [...] there were two errors in the way in which they were set up on the publishing platform WordPress that effectively bypassed these controls.

    • One was to do with a plug-in (an optional extra) the OBR had installed, which had the unintended effect of bypassing the need to log in to access documents intended for future publication.

    • The second was the directory in which the file was put ahead of publication allowed anyone to download a file directly.

    As one can see, it was not WordPress; it was just the way information was secured and handled.

    Thanks for clarifying that. But, shouldn't state agencies be investing in their own homebrewed more-secure CMS than something available publicly?

    WordPress plugins are notoriously sketchy and full of stupid vulnerabilities, so nobody should ever use them for serious hosting like governments etc.

    The UK government suffered this massive embarrassment because the WP plugin they used was vulnerable to IDOR (Insecure Direct Object Reference), which allowed journalists/hedge funds to guess the link and download the budget report early.

    Presumably the plugin was configured to publish the report at a certain time, but if you can guess the link thanks to an IDOR vulnerability then it's available as soon as it's set. And that's wholly unserious and unacceptable for an organisation with such a massive web development budget.

    Thanked by: noob404, tux
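The "guess the link" behaviour described in the comment above leaves a trace in the web server's access log: a successful response for an embargoed file before its scheduled publish time, usually alongside 404s for neighbouring names that did not exist. The following is an added example written for this page, not code from the thread or from any OBR or WordPress tooling; the log lines, client addresses, file names and embargo schedule are all constructed.

```python
import re
from datetime import datetime, timezone

# Combined log format as written by Apache/nginx; the timezone offset is kept.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

UPLOADS = "/wp-content/uploads/2025/11/"   # assumed web-served upload dir

# Constructed embargo schedule: path -> earliest moment it may be served.
EMBARGO = {
    UPLOADS + "budget-forecast-2025.pdf": datetime(2025, 11, 26, 12, 30, tzinfo=timezone.utc),
}

# Constructed log: one early fetch, one miss while guessing names, one blocked
# request, and one legitimate download after the embargo lifts.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Nov/2025:10:02:11 +0000] "GET /wp-content/uploads/2025/11/budget-forecast-2025.pdf HTTP/1.1" 200 418223 "-" "curl/8.4.0"
203.0.113.7 - - [26/Nov/2025:10:02:13 +0000] "GET /wp-content/uploads/2025/11/budget-forecast-2024.pdf HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.9 - - [26/Nov/2025:11:15:40 +0000] "GET /wp-content/uploads/2025/11/budget-forecast-2025.pdf HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.44 - - [26/Nov/2025:12:31:02 +0000] "GET /wp-content/uploads/2025/11/budget-forecast-2025.pdf HTTP/1.1" 200 418223 "https://example.test/budget" "Mozilla/5.0"
"""


def parse_line(line):
    """One combined-format line -> dict with parsed timestamp and int status,
    or None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_early_downloads(log_text, embargo):
    """(ip, ts, path) for every successful fetch of an embargoed path before
    its publish time. 206 is included so range/partial downloads count."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        publish_at = embargo.get(rec["path"])
        if publish_at is not None and rec["status"] in (200, 206) and rec["ts"] < publish_at:
            hits.append((rec["ip"], rec["ts"], rec["path"]))
    return hits


def find_enumerators(log_text, embargo, prefix=UPLOADS):
    """IPs that both missed (404) under the uploads prefix and touched an
    embargoed path: the footprint of someone guessing predictable URLs."""
    misses, touched = {}, set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404 and rec["path"].startswith(prefix):
            misses[rec["ip"]] = misses.get(rec["ip"], 0) + 1
        if rec["path"] in embargo:
            touched.add(rec["ip"])
    return sorted(ip for ip in touched if misses.get(ip, 0) > 0)


if __name__ == "__main__":
    for ip, ts, path in find_early_downloads(SAMPLE_LOG, EMBARGO):
        print(f"EARLY {ts.isoformat()} {ip} {path}")
    print("enumerating:", find_enumerators(SAMPLE_LOG, EMBARGO))
```

The first check is the one that matters after the fact: it needs only the publish schedule and the raw log, and any hit is a confirmed leak rather than a suspicion. The second is a cheap pre-publication signal; a client collecting 404s under the uploads prefix shortly before a release is worth rate-limiting or blocking before the real file lands.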
  • @CloudHopper said:

    @noob404 said:

    @default said:
    WordPress is a very popular platform. I don't believe it is its fault, nor the PHP scripting language's. Both have stood the test of time and reliability.

    The problem in this case is NOT WordPress, nor PHP. The problem in this case was a lack of maintenance (updates and patches) combined with human error, even though this institution had access to the government's money.

    [...] there were two errors in the way in which they were set up on the publishing platform WordPress that effectively bypassed these controls.

    • One was to do with a plug-in (an optional extra) the OBR had installed, which had the unintended effect of bypassing the need to log in to access documents intended for future publication.

    • The second was the directory in which the file was put ahead of publication allowed anyone to download a file directly.

    As one can see, it was not WordPress; it was just the way information was secured and handled.

    Thanks for clarifying that. But, shouldn't state agencies be investing in their own homebrewed more-secure CMS than something available publicly?

    WordPress plugins are notoriously sketchy and full of stupid vulnerabilities, so nobody should ever use them for serious hosting like governments etc.

    The UK government suffered this massive embarrassment because the WP plugin they used was vulnerable to IDOR (Insecure Direct Object Reference), which allowed journalists/hedge funds to guess the link and download the budget report early.

    Presumably the plugin was configured to publish the report at a certain time, but if you can guess the link thanks to an IDOR vulnerability then it's available as soon as it's set. And that's wholly unserious and unacceptable for an organisation with such a massive web development budget.

    Exactly my concern. I guess WP in itself is more or less safe, with vulnerabilities being fixed in almost real time, since they have dedicated teams for that.
    As for plugins, your observation is spot on. If not a custom CMS, the UK Govt. should have at least spent on making a custom secure plugin when dealing with files which need to be extremely secure.
    Pretty sure this would lead to repercussions in the financial market, esp. the capital market.

  • @nikio said: Not to start a flamewar on accident but, no, Wordpress is not innocent. Wordpress is a crime against humanity.

    Exaggeration much?

    Thanked by: noob404
  • Government websites should use plain old HTML and not use third party trackers

    Thanked by: itachikonoha
  • @noob404 said:

    @CloudHopper said:

    @noob404 said:

    @default said:
    WordPress is a very popular platform. I don't believe it is its fault, nor the PHP scripting language's. Both have stood the test of time and reliability.

    The problem in this case is NOT WordPress, nor PHP. The problem in this case was a lack of maintenance (updates and patches) combined with human error, even though this institution had access to the government's money.

    [...] there were two errors in the way in which they were set up on the publishing platform WordPress that effectively bypassed these controls.

    • One was to do with a plug-in (an optional extra) the OBR had installed, which had the unintended effect of bypassing the need to log in to access documents intended for future publication.

    • The second was the directory in which the file was put ahead of publication allowed anyone to download a file directly.

    As one can see, it was not WordPress; it was just the way information was secured and handled.

    Thanks for clarifying that. But, shouldn't state agencies be investing in their own homebrewed more-secure CMS than something available publicly?

    WordPress plugins are notoriously sketchy and full of stupid vulnerabilities, so nobody should ever use them for serious hosting like governments etc.

    The UK government suffered this massive embarrassment because the WP plugin they used was vulnerable to IDOR (Insecure Direct Object Reference), which allowed journalists/hedge funds to guess the link and download the budget report early.

    Presumably the plugin was configured to publish the report at a certain time, but if you can guess the link thanks to an IDOR vulnerability then it's available as soon as it's set. And that's wholly unserious and unacceptable for an organisation with such a massive web development budget.

    Exactly my concern. I guess WP in itself is more or less safe, with vulnerabilities being fixed in almost real time, since they have dedicated teams for that.
    As for plugins, your observation is spot on. If not a custom CMS, the UK Govt. should have at least spent on making a custom secure plugin when dealing with files which need to be extremely secure.
    Pretty sure this would lead to repercussions in the financial market, esp. the capital market.

    They could have also taken the plugin (if they liked it that much), then audit it and modify it using some programmers, to secure it and adjust it precisely to their needs.

    Thanked by: noob404
  • @angstrom said:

    @nikio said: Not to start a flamewar on accident but, no, Wordpress is not innocent. Wordpress is a crime against humanity.

    Exaggeration much?

    Well, it is a very torturous experience dealing with WordPress. I say that forcing me to use PHP in 2025 is very cruel and unusual, too. It is most definitely a genocide of my patience. And the amount of caffeine I need to consume to deal with it qualifies as a chemical weapon.

  • @default said:

    @noob404 said:

    @CloudHopper said:

    @noob404 said:

    @default said:
    WordPress is a very popular platform. I don't believe it is its fault, nor the PHP scripting language's. Both have stood the test of time and reliability.

    The problem in this case is NOT WordPress, nor PHP. The problem in this case was a lack of maintenance (updates and patches) combined with human error, even though this institution had access to the government's money.

    [...] there were two errors in the way in which they were set up on the publishing platform WordPress that effectively bypassed these controls.

    • One was to do with a plug-in (an optional extra) the OBR had installed, which had the unintended effect of bypassing the need to log in to access documents intended for future publication.

    • The second was the directory in which the file was put ahead of publication allowed anyone to download a file directly.

    As one can see, it was not WordPress; it was just the way information was secured and handled.

    Thanks for clarifying that. But, shouldn't state agencies be investing in their own homebrewed more-secure CMS than something available publicly?

    WordPress plugins are notoriously sketchy and full of stupid vulnerabilities, so nobody should ever use them for serious hosting like governments etc.

    The UK government suffered this massive embarrassment because the WP plugin they used was vulnerable to IDOR (Insecure Direct Object Reference), which allowed journalists/hedge funds to guess the link and download the budget report early.

    Presumably the plugin was configured to publish the report at a certain time, but if you can guess the link thanks to an IDOR vulnerability then it's available as soon as it's set. And that's wholly unserious and unacceptable for an organisation with such a massive web development budget.

    Exactly my concern. I guess WP in itself is more or less safe, with vulnerabilities being fixed in almost real time, since they have dedicated teams for that.
    As for plugins, your observation is spot on. If not a custom CMS, the UK Govt. should have at least spent on making a custom secure plugin when dealing with files which need to be extremely secure.
    Pretty sure this would lead to repercussions in the financial market, esp. the capital market.

    They could have also taken the plugin (if they liked it that much), then audit it and modify it using some programmers, to secure it and adjust it precisely to their needs.

    At the very least, this could have been done. I am not sure how programmers and web admins are hired in the UK. But here, in India, it's much worse. They just outsource the design of Govt. websites to private agencies who probably hand it over to some freelancer trying to make a quick buck. It's gotten a bit better over the last few years, with the huge data leak and such being a wake-up call, but there is still a lot more to go for these Govt. agencies to understand that they need actual experts who understand and breathe security.
