WordPress plugin quirk resulted in UK Gov OBR Budget leak [pdf]
obr.uk
130 points by robtaylor 2 days ago
The real kicker is in point 1.13:
> website activity logs show the earliest request on the server for the URL https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl.... This request was unsuccessful, as the document had not been uploaded yet. Between this time and 11:30, a total of 44 unsuccessful requests to this URL were made from seven unique IP addresses.
In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.
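The pattern described in point 1.13 (repeated failed requests for the exact publication URL before the file existed, from several addresses) is something a web team can detect from its own access logs. The following is an added example, not code from the OBR report or from any commenter; it parses combined-format access log lines and summarises 404s for a given path before the intended publication time. The log lines, IP addresses, timestamps and the document path are all constructed placeholders, and the two thresholds are assumptions a site would tune to its own traffic.

```python
"""Detect pre-publication polling of a not-yet-uploaded URL from web access logs.

Added example (not from the OBR report or the thread). Before a document is
uploaded, a burst of failed (404) requests for the exact publication URL from
several IP addresses is a strong signal that the URL was predictable and that
someone was waiting for the file to appear. All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (assumed format, fictitious IPs and a placeholder path).
SAMPLE_LOG = """\
198.51.100.7 - - [26/Nov/2025:09:01:02 +0000] "GET /docs/dlm_uploads/EXAMPLE_outlook.pdf HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [26/Nov/2025:09:06:03 +0000] "GET /docs/dlm_uploads/EXAMPLE_outlook.pdf HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.44 - - [26/Nov/2025:09:10:15 +0000] "GET /docs/dlm_uploads/EXAMPLE_outlook.pdf HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.44 - - [26/Nov/2025:09:15:16 +0000] "GET /docs/dlm_uploads/EXAMPLE_outlook.pdf HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.9 - - [26/Nov/2025:09:20:00 +0000] "GET /docs/dlm_uploads/EXAMPLE_outlook.pdf HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Nov/2025:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [26/Nov/2025:11:29:40 +0000] "GET /docs/dlm_uploads/EXAMPLE_outlook.pdf HTTP/1.1" 200 842311 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_prepublication_polling(log_text, path, publish_time, min_requests=5, min_ips=2):
    """Summarise failed requests for `path` that arrived before `publish_time`.

    Returns the request count, unique IP count, per-IP counts, first and last
    attempt, and a `suspicious` flag set when both (assumed) thresholds are met.
    """
    failed = [r for r in map(parse_line, log_text.splitlines())
              if r and r["path"] == path and r["status"] == 404 and r["time"] < publish_time]
    failed.sort(key=lambda r: r["time"])
    per_ip = defaultdict(int)
    for r in failed:
        per_ip[r["ip"]] += 1
    summary = {
        "path": path,
        "failed_requests": len(failed),
        "unique_ips": len(per_ip),
        "per_ip": dict(per_ip),
        "first_attempt": failed[0]["time"] if failed else None,
        "last_attempt": failed[-1]["time"] if failed else None,
    }
    summary["suspicious"] = (summary["failed_requests"] >= min_requests
                             and summary["unique_ips"] >= min_ips)
    return summary


if __name__ == "__main__":
    publish = datetime(2025, 11, 26, 11, 29, 0, tzinfo=timezone.utc)
    print(find_prepublication_polling(SAMPLE_LOG, "/docs/dlm_uploads/EXAMPLE_outlook.pdf", publish))
```

Run against a real server's logs in the hours before an embargoed release, a non-empty result for a URL that does not yet exist is the earliest warning that the naming scheme is guessable and that the file must not land in a directly served directory.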
The report acknowledges this at 2.11:
> In the course of reviewing last week’s events, it has become clear that the OBR publication process was essentially technically unchanged from EFOs in the recent past. This gives rise to the question as to whether the problem was a pre-existing one that had gone unnoticed.
> In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.
The URLs are predictable. Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.
I used to do this for BOE / Fed minutes, company earnings etc on the off chance they published it before the official release time.
2025-Q1-earnings.pdf - smash it every 5 seconds - rarely worked out, generally a few seconds head start at best. By the time you pull up the pdf and parse the number from it the number was on the wires anyway. Very occasionally you get a better result however.
This is so incompetent.
Given the market significance of the report it's damn obvious that this would happen. They should have assumed that security via obscurity was simply not enough, and the OBR should have been taking active steps to ensure the data was only available at the correct time.
> Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.
It's not even just hedge-funds that do this. This is something individual traders do frequently. This practice is commonplace because a small edge like this with the right strategy is all you need to make serious profits.
This setup was not initially approved, see 1.7 in the document:
> 1.7 Unlike all other IT systems and services, the OBR’s website is locally managed and outside the gov.uk network. This is the result of an exemption granted by the Cabinet Office in 2013. After initially rejecting an exemption request, the Cabinet Office judged that the OBR should be granted an exemption from gov.uk in order to meet the requirements of the Budget Responsibility and National Audit Act. The case for exemption that the OBR made at the time centred on the need for both real and perceived independence from the Treasury in the production and delivery of forecasts and other analysis, in particular in relation to the need to publish information at the right time.
Gov.uk does not use some random wordpress plugin to protect information of national significance, doco at https://docs.publishing.service.gov.uk/repos/whitehall/asset...
Part of this is a product of the UK's political culture where expenses for stuff like this are ruthlessly scrutinised from within and without.
The idea of the site hosting such an important document running independently on WordPress, being maintained by a single external developer and a tiny in-house team would seem really strange to many other countries.
Everyone is so terrified of headlines like "OBR spends £2m upgrading website" that you get stuff like this.
It's not an easy call. Sometimes, one or two dedicated and competent people can vastly outperform large and bureaucratic consulting firms, for a fraction of the price. And sometimes, somebody's cousin "who knows that internet stuff" is trousering inflated rates at the taxpayer's expense, while credentialed and competent professionals are shut out from old boys' networks. One rule does not fit all.
It would work if old boys' networks were not the de facto pool that the establishment hired from. The one time where UK GOV did go out and hire the best of the best in the private sector regardless of what Uni they went to we got GDS and it worked very well, but it seems like an exception to usual practice.
> This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.
I think most of the tech world heard about the Nobel Peace Prize award so it doesn't seem that suspicious to me that somebody would just poll urls.
Especially since before the peace prize there have been issues with people polling US economic data.
My point is strictly, knowledge that they should poll a url is not evidence of insider activity.
How does the Nobel Peace Prize figure into this? I seem to be on the other side that didn't hear about the award. Which is not surprising as I don't follow it, but also I haven't worked out query terms to connect it with OBR.
Somebody monitored the metadata on files to figure out who the winner of the nobel prize was prior to the official announcements by the candidate that was modified. Which they used to financially profit in betting markets.
It relates to OBR because it's another scenario where people just by polling the site can figure out information that wasn't supposed to be released yet. And then use that information to profit.
Since a recent event of polling was in the news the idea of polling isn't really evidence of an insider trying to leak data versus somebody just cargo-culting a technique. Plus polling of financial data was already common.
Thank you for answering that person’s question so clearly. I was also in the dark and this really helped.
For those of you not closely following UK politics: the Office for Budget Responsibility (OBR) mistakenly published their Economic and Fiscal Outlook (EFO) document 40 minutes early, pre-empting the announcements by the Chancellor.
This is being treated as an incredibly big deal here: https://www.bbc.co.uk/news/articles/cd74v35p77jo
> which it blamed on a "technical error"
It's not a technical error at all!
Technical errors are faults caused by technology, like a software or hardware bug. That's not what happened here. WordPress behaved exactly as it was supposed to.
The true cause is revealed later in the article,
> staff thought they had applied safeguards to prevent early publication, there were two errors in the way in which they were set up
The problem was the staff. It's a human error.
I don't think that's a worthwhile distinction. All software bugs are human errors, since the machine is correctly following the human programmer's incorrect instructions; whether that's at the level of assembly instructing the CPU; or a higher level like Wordpress instructing the PHP interpreter; or an even higher level of a document hosting solution instructing Wordpress.
Eh, I think the distinction is broken tool vs improper use of the tool or in this case, the wrong tool all together
"Human error" is not the end of an explanation, it's the start of an explanation.
As an industry we should know this by now. Defaults matter.
https://www.humanfactors.lth.se/fileadmin/lusa/Sidney_Dekker...
In the popular press it’s been sidelined because it would distract from the continuous attacks on the chancellor
Yes, it’s getting quite ridiculous now. Labour, for sure, have not done themselves any favours in their first 18 months in charge, but the level of attack and vitriol is exceptional and beyond any reasonable level.
It makes me wonder what exactly is driving this.
The fact that they were elected as a 'change' government and have barely done anything that really faces up to the scale of the challenge the country faces? If you're below the age of about 55, then the budget did absolutely nothing for you except put taxes up, and not even to improve services.
I appreciate things take time but so far the government have enormously walked back their planning reform proposals, which was one of their few pro-growth policies, and haven't really made any dent in anything else substantive. It's been pretty clear since even before the election that they didn't really have a plan, and they got a fairly light scrutiny through the campaign because the Tories were so appalling. Then since they got in they're just scrambling around looking fairly incompetent and the dearth of talent on the cabinet has been pretty plain to see as well. Largely I want Labour to succeed but they're not making it easy to like them.
They have done a lot of sensible, boring things that are objectively positive but are largely going unnoticed (plus of course a few massive footguns that make the headlines).
I keep recommending r/GoodNewsUK on Reddit. It’s often just a lot of press releases and government announcements, but there seem to be a continual stream of them, and it’s hard to hear about them by any other source.
I largely agree, except I think my expectations were lower than yours to start with. The ruling class all think alike regardless of party.
They have pushed ahead with the Tories' Online Safety Act. Legislation I have looked at or that affects things I know about, such as the Children's Wellbeing and Schools Act, is terrible.
There is a lot of smoke and mirrors. For example, if you assume the justification for the "mansion tax" is that people who own higher value properties should be taxed more, why does someone with a £50m house not pay more than someone with a £5m house? It's designed to hit the moderately wealthy but not the really rich.
Although I agree it should be proportional to value, a £5M property puts you in the top 1% of property prices in the country. Even within London, it’s also within the top 1% of all but the most expensive boroughs. The average home property sale in the UK is less than £275,000.
A tax on a £5M home is not a tax on the moderately wealthy, it’s a tax on the wealthy.
No, it's designed to maximize what they can raise without pissing off too many voters. Even as it is, it's going to raise barely half a billion pounds, which is relatively insignificant in a budget worth hundreds of billions; but it's something, and something they (think they) can sell to their core electorate as a bit of token redistribution, when in reality it's just a cash-raising exercise.
If they'd targeted the really rich harder, it would have looked more consistent but would have probably raised even less (because, when a tax starts being significant, the really rich have the means to find ways to avoid it). As it is, it looks insignificant enough that the really wealthy will just pay it and move on.
> because, when a tax starts being significant, the really rich have the means to find ways to avoid it
Taxes on property are something they cannot avoid though.
One of the reasons the rich are able to find means to avoid taxes has always been government reluctance to stop them. There are many deliberate tax breaks for the rich - think of how long it took to get rid of non-dom status, so I really do not think the government has ever tried very hard to stop avoidance by the rich.
> Taxes on property are something they cannot avoid though.
Yeah, definitely nobody ever "avoided" stamp duty... /s
There are plenty of loopholes and corner cases, you just need skilled accountants and lawyers (companies registered abroad, etc etc). That's why there is legislation about "ultimate ownership" and such: authorities are increasingly desperate about being able to prove who owns what.
Starmer does not really care about not pissing off too many voters. He already has but he is also safe from them as the next election is far away. On the other hand, he is at risk, high risk, from his own party so he does what placates them. We've seen it before with private schools, now again with the 2-child cap, for instance.
I don’t disagree with any of that, but the vitriol doesn’t match the disappointment imho. Especially as they’ve done pretty well in other areas.
I realise “it’s the economy, stupid”, but still it feels like outsized outrage.
Starmer was already the most unpopular PM on record before the budget, and Labour's voting intention is the lowest it's ever been. It's just a really, really unpopular government so of course it gets a lot of attacks.
Well even at the GE, his party was less popular than the previous offer by Corbyn. Labour only really got in because of the collapse of the Tory vote.
2019 GE Votes (R = % of registered electorate, T = % of turnout):
Labour: 10,269,051 (22% R, 32% T)
Tory: 13,966,454 (29% R, 44% T)
LibDem: 3,696,419 (8% R, 12% T)

2024 GE Votes:
Labour: 9,708,716 (20% R, 34% T)
Tory: 6,828,925 (14% R, 24% T)
LibDem: 3,519,143 (7% R, 12% T)

So that he got even more unpopular seemed a given, unless he managed to be competent and actually improve things for the people who elected his party.
The public do not see or agree that they have done well in any areas, hence their appallingly low popularity. And that was before this budget announcement.
It does not take a crystal ball to understand that the British media, which are vitriolic on a good day, will have an absolute free-for-all. It's nothing new.
> The fact that they were elected as a 'change' government and have barely done anything that really faces up to the scale of the challenge the country faces?
They have done a lot. But they haven't even stopped the runaway train yet. And the fundamental mistake they have made is not explaining to people clearly enough, during the election campaign, that it would take the first three years just to stop it.
Then you have the absolutely shameful, racist, nihilistic, fact-free intervention of five MPs that the media thinks will run the country in future so they are getting ten times the airtime of anyone else.
> They have done a lot.
I really don’t agree. Look at the first year of 1997 Labour:
* Good Friday agreement signed and referendum
* Introduction of Minimum Wage
* Human Rights act introduced and passed
* Scottish and Welsh devolution set out, Parliament voted on it, referendums passed
* Bank of England independence
A government coming into a mess of a country on a platform of change cannot just fiddle around with minor things, which is what many of the changes they have done, though positive, are. And at the same time, they’ve also wasted so much political capital on some really stupid things that it’s hard to see where they can go from here.
This is an unfair comparison. The economy Blair inherited was very different, thanks to Ken Clarke's preoccupation with eliminating the 'Public Sector Borrowing Requirement'. The pressure on public finances we see now, in part because of privatization under Blair, wasn't there in 1997.
I don't think it's unfair at all, stuff like BoE independence was planned prior to the election and implemented quite quickly.
The planning reforms of Labour have been held up largely by their own MPs. I don't particularly care about it but House of Lords reform seems to have been abandoned. Their 'charter for working people' has been largely unworkable and they're arguing internally an enormous amount. Lots of these don't have a huge amount of bearing on them based on the economy at all, they're largely cost neutral to the government itself.
Instead we've had (a) more bungs to pensioners via the triple lock which they're too scared to deal with at nearly a 5% increase this year (b) getting rid of the cap on benefits for more than 2 children, which is terrible optics for everyone working who can't afford more than two kids and doesn't get any support (c) a rise in employer NI which has hit hiring and pay rises massively for anyone working (d) a rise in employee NI to pay for all of this via stopping salary sacrifice, which only hits private sector employees.
Yes and I'd argue that this is because they have not been elected on merit but because the people rejected the Tories. I believe that Corbyn got more votes than Starmer!
They have neither talents nor a plan. So far it seems that Starmer has picked policies to make him survive and he knows that this means placating power bases in the Labour party, not generally good policies for the country. Opinion polls are scathing.
This is politics so attacks will always follow blunders on either side.
In this case this is an extremely unpopular government to start with that increases taxes across the board while handing out more benefits and claiming that they had no choice because of the state of the public finances, and we learn that they possibly misled the public on that latter point. So, yes, in politics and especially British politics this means a riot against the Chancellor (who was also caught recently having let her house without the required legal licence, btw, after the [now former] Deputy PM was caught dodging taxes on the purchase of a second home...) because everyone "smells blood" but that's the game and it's not completely undeserved, either.
They were elected with 33% of the vote thanks to our FPTP system, the lowest in history. They were unpopular when they were elected and have done nothing to change that.
I like to think they're just looking out for us after the government implied the OBR was untrustworthy.
> The available mitigation is at server level and prevents access to download or file storage directories directly. If configured properly, this will block access to the clear URL and return a ‘forbidden’ message. This is the second contributory configuration error – the server was not configured in this way so there was nothing to stop access to the clear URL bypassing protections against pre-publication access
That's the main flaw. Wordpress was configured to allow direct access to files, so they did not go through the authentication system. My experience is with Drupal (and a decade or more out of date), but it sounds like this behaves very similarly. And this is a giant footgun, the system doesn't behave the way normal people expect if you allow unauthenticated access to files (if you know the URL). I don't understand why you would configure it this way today.
I would also assume that the upload happened via Wordpress, and not someone manually uploading files via FTP/SFTP or something like that. And in that case it would be entirely non-obvious to users that attaching a file to an unpublished document would put it in a place where it is potentially publicly accessible.
Since at least Drupal 7, the core CMS has included the concept of “private files.” The files are stored in a directory that is not served publicly by the web server. Instead the CMS generates a proxy URL for each file, which is handled by the CMS like a page URL before serving the file by streaming it through PHP. So: it’s a heavier load on the server, but you get full permission management by the CMS.
Wordpress does not have this in core—no surprise. I was surprised to find that it’s not even available as a community plugin. I had to pay a developer to write a custom plugin when building a members-only website in Wordpress.
Some folks downplayed the risk of someone finding and directly accessing the file URL if it wasn’t referenced on a public page. It’s crazy to see it created a national government incident in the UK.
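The "private files" pattern the comment above describes (files stored outside the served directory, an opaque identifier handed out by the CMS, and every download routed through a permission check before the bytes are streamed) is small enough to show end to end. The following is an added example and is not code from Drupal, WordPress, the plugin mentioned below, or the OBR; it is a stand-alone Python model of the pattern in which the store, the document class, the user names and the embargo times are all constructed placeholders, and the embargo is modelled as a publish timestamp plus a set of editors allowed early access.

```python
"""Serve uploads through an access-controlled handler instead of from a web-exposed directory.

Added example, not code from the OBR, WordPress, Drupal or any plugin. Files live
outside the document root, the CMS hands out an opaque random id, and every download
passes a check of (a) the document's publication time and (b) the requester's
permissions before any bytes are returned. Names and times are constructed.
"""
import secrets
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, Optional, Tuple


@dataclass
class Document:
    path: Path                  # absolute path inside the private store, never under the web root
    publish_at: datetime        # embargo lifts at this time (UTC)
    editors: frozenset = field(default_factory=frozenset)  # users allowed pre-publication access


class PrivateFileStore:
    """Files are written into a directory the web server never serves directly."""

    def __init__(self, root: Path):
        self.root = root.resolve()
        self.docs: Dict[str, Document] = {}

    def upload(self, data: bytes, publish_at: datetime, editors=()) -> str:
        # Opaque random id: the download URL cannot be derived from the title or date,
        # so there is nothing for a pre-publication poller to guess.
        doc_id = secrets.token_urlsafe(16)
        target = self.root / doc_id
        target.write_bytes(data)
        self.docs[doc_id] = Document(target, publish_at, frozenset(editors))
        return doc_id

    def download(self, doc_id: str, user: Optional[str], now: datetime) -> Tuple[int, bytes]:
        """Return (status, body): 404 for unknown ids, 403 during the embargo for non-editors."""
        doc = self.docs.get(doc_id)
        if doc is None:
            return 404, b""
        embargoed = now < doc.publish_at
        if embargoed and user not in doc.editors:
            return 403, b""
        # Defence in depth: never read a path that resolved outside the private root.
        if self.root not in doc.path.resolve().parents:
            return 500, b""
        return 200, doc.path.read_bytes()


def demo() -> Dict[str, int]:
    """Upload an embargoed document and fetch it as different users before and after publication."""
    with tempfile.TemporaryDirectory() as d:
        store = PrivateFileStore(Path(d))
        publish = datetime(2025, 11, 26, 12, 30, tzinfo=timezone.utc)  # constructed embargo time
        doc_id = store.upload(b"%PDF-1.7 constructed placeholder", publish, editors={"example_editor"})
        before = publish - timedelta(minutes=40)
        return {
            "anon_before": store.download(doc_id, None, before)[0],           # 403: embargo holds
            "editor_before": store.download(doc_id, "example_editor", before)[0],  # 200: editor preview
            "anon_after": store.download(doc_id, None, publish)[0],          # 200: published
            "unknown_id": store.download("not-a-real-id", None, publish)[0],  # 404
        }


if __name__ == "__main__":
    print(demo())
```

The contrast with the failure in the report is the ordering of operations: here the permission check runs before any file is read, and the file's location is unrelated to anything the web server exposes, so a correct guess at a URL yields nothing until the publish time has passed.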
> I was surprised to find that it’s not even available as a community plugin.
I found this one https://wordpress.org/plugins/prevent-direct-access/
> It is the worst failure in the 15-year history of the OBR
I'm not sure publishing some information 3 hours early was really their biggest failure in 15 years...
Especially when much of the info was already public because hundreds of civil servants involved in making these decisions told their family members who told the press...
It's still a failure in principle. The effects of this particular instance of the failure were minimal but it was still an accidental leak of (at the time) private information. They just got lucky.
> The effects of this particular instance of the failure were minimal
the effects are not minimal
if you're crooked: getting this sort of information early is potentially extremely lucrative
(why crooked? because trading on UPSI is illegal)
Surely it was no longer UPSI (Unpublished Price Sensitive Information) after the OBR published it?
I wouldn't be betting my freedom on the regulator agreeing with that logic
the regulations specifically go into great detail about official publications and formal circulation
would a reasonable person consider this a leak? then it's UPSI
The OBR admits that they published it too early.
I am not an expert but I think that even trading on a leak is not unlawful as long as that leaked information was indeed made public (e.g. someone leaks to the media and the media then publish it), although it may have been unlawful to leak the information. The point is that insider trading is not allowed. It is no insider trading if the information is available to everyone.
> I am not an expert
I have had regulatory training on this exact matter, and it covers unintended leaks explicitly
and there is no way I would trade
> The point is that insider trading is not allowed. It is no insider trading if the information is available to everyone.
no, it isn't the point
the regulator cares that participants are seen to be clean, practicing "fit and proper" behaviour
if a reasonable person would think it was dodgy, they'll have your head (and your certification to practice)
regardless of whether or not it was illegal
Yes, I have had the corporate training on leaks and insider trading, too...
Trading on public information is fit and proper (Edit: Indeed, a technical term, but that does not make my statement incorrect, or does it?)
I think you may have skipped the part of leak to whom. If it is a leak to you then it is still not public and indeed insider trading. But if leaked to the public then it is different (and also how do you prevent people from trading on what they see in the media?)
But that's in general as in this case, the OBR admits they released it and, again, anyway once it's on BBC News it's free for all.
> Yes, I have had the corporate training on leaks and insider trading, too...
by a regulated investment firm? specifically on UPSI?
"fit and proper" is a technical term in the FCA manual
I would not risk my regulator not considering me as such by trading on this information
if you would: provide your reference number, and we can ask them if they agree!