For those of you not closely following UK politics: the Office for Budget Responsibility (OBR) mistakenly published their Economic and Fiscal Outlook (EFO) document 40 minutes early, pre-empting the announcements by the Chancellor.
There's a couple of passing mentions of Download Monitor, but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded
I'm not clear from the doc which of these scenarios is what they're calling the "leak"
It sounds like a combination of the Download Monitor plugin plus a misconfiguration at the web server level resulted in the file being publicly accessible at that URL when the developers thought it would remain private until deliberately published.
> but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded
A bunch of people were scraping commonly used urls based on previous OBR reports, in order to report as soon as it was live, as it common with all things of this kind
The mistake was that the URL should have been obfuscated, and only changed to the "clear" URL at publish time, but a public was bypassing that and aliasing the "clear" URL to the obfuscated one
> A feature known as the Download Monitor plug-in created a webpage with the clear URL which provided a link to the live version, which bypassed the need for authentication. This rendered the protections on the ‘future’ function of WordPress redundant as it bypassed the required authentication needed to gain access to the pre-uploaded document.
WordPress is a nice piece of software, but the plugin situation is getting worse and worse. (Too many pending updates, premium features and constant upselling, selling of plugins to new sketchy owners...)
The main issue is that there isn't any governance to the plugin store. Once you have a plugin in there, you have free reign to do whatever you want with it. Getting it in there is a PITA though. For example, a library author and I created a plugin, but they wouldn't let me submit it because I wasn't the other author, and they wouldn't let him submit it because he wasn't me. True story.
TBF there is some scrutiny on existing plugins, the team is just extremely understaffed (it’s ran by volunteers after all). I got involved in a plugin that ended up getting de-listed for some minor ToS violations after several years of being “fine”, they re-reviewed the plugin with the same rigor as a new submission.
> WordPress is a nice piece of software, but the plugin situation is getting worse and worse
The plugin situation is a mess largely because Wordpress isn't a nice piece of software.
It's popular, and functionally it's great, but the codebase is really showing its age. Wordpress has never properly rearchitected because it would break plugins on a scale that would endanger its dominance.
To an outsider, its entire plugin ecosystem is so odd. Like the conversation about “nulled” plugins, where someone removes license-checking code from GPL-licensed plugins and then redistributes them, and whether that’s moral, or even legal, which of course it is, because that’s the entire point of the GPL.
For those of you not closely following UK politics: the Office for Budget Responsibility (OBR) mistakenly published their Economic and Fiscal Outlook (EFO) document 40 minutes early, pre-empting the announcements by the Chancellor.
This is being treated as an incredibly big deal here: https://www.bbc.co.uk/news/articles/cd74v35p77jo
>During that period, it was accessed 43 times by 32 unique IP addresses
I find this an implausibly low number. It was all over Bluesky, X etc., not to mention journo Signal and WhatsApp groups.
There's a couple of passing mentions of Download Monitor, but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded
I'm not clear from the doc which of these scenarios is what they're calling the "leak"
It sounds like a combination of the Download Monitor plugin plus a misconfiguration at the web server level resulted in the file being publicly accessible at that URL when the developers thought it would remain private until deliberately published.
> but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded
A bunch of people were scraping commonly used urls based on previous OBR reports, in order to report as soon as it was live, as it common with all things of this kind
The mistake was that the URL should have been obfuscated, and only changed to the "clear" URL at publish time, but a public was bypassing that and aliasing the "clear" URL to the obfuscated one
Why are government organisations which handle sensitive information using Wordpress?
There's not anything obviously wrong with using WordPress for publishing documents like this - they are meant to be public after all.
The problem was essentially that, through a misconfiguration, they published it early.
What was the quirk?
> A feature known as the Download Monitor plug-in created a webpage with the clear URL which provided a link to the live version, which bypassed the need for authentication. This rendered the protections on the ‘future’ function of WordPress redundant as it bypassed the required authentication needed to gain access to the pre-uploaded document.
WordPress is a nice piece of software, but the plugin situation is getting worse and worse. (Too many pending updates, premium features and constant upselling, selling of plugins to new sketchy owners...)
The main issue is that there isn't any governance to the plugin store. Once you have a plugin in there, you have free reign to do whatever you want with it. Getting it in there is a PITA though. For example, a library author and I created a plugin, but they wouldn't let me submit it because I wasn't the other author, and they wouldn't let him submit it because he wasn't me. True story.
TBF there is some scrutiny on existing plugins, the team is just extremely understaffed (it’s ran by volunteers after all). I got involved in a plugin that ended up getting de-listed for some minor ToS violations after several years of being “fine”, they re-reviewed the plugin with the same rigor as a new submission.
> WordPress is a nice piece of software, but the plugin situation is getting worse and worse
The plugin situation is a mess largely because Wordpress isn't a nice piece of software.
It's popular, and functionally it's great, but the codebase is really showing its age. Wordpress has never properly rearchitected because it would break plugins on a scale that would endanger its dominance.
To an outsider, its entire plugin ecosystem is so odd. Like the conversation about “nulled” plugins, where someone removes license-checking code from GPL-licensed plugins and then redistributes them, and whether that’s moral, or even legal, which of course it is, because that’s the entire point of the GPL.
My favorite current plugin woe is where it completely changes what it does but keeps the same name and it's all a part of its 'update'
> which provided a link to the live version
Even if that is the case, the backend must validate.