When "Hacking" is Just User Negligence

EDIT 2: I've published an update to this post that clarifies a number of issues and changes the focus. Please read it.

EDIT: Scheffel e-mailed me to point out that the donor documents on the website are public data, which can be found linked here. However, the search results also contain a "Platform Feedback" document full of anonymous citizen comments. I also remain convinced that the initial leak was due to a file permissions misconfiguration with WordPress directories.

A bit of a furor developed this week in BC politics, and to the potential delight of IT professionals like me, it's a story about incorrect file permissions

Earlier this week, Mike Smyth at the Province reported that a seemingly private document was freely available on the BC Liberals' public website; a document containing the e-mail addresses and postal codes of about 100 people who took part in a Liberal public-engagement effort.

Smyth later clarified that the document was located in the directory "http://www.bcliberals.com/wp-content/uploads/". Anyone with experience in web hosting or WordPress (a popular blogging platform) will likely recognize that this is a problem with the web-hosting provider's file permissions. 

For the less-technologically-inclined, what this essentially means is that a folder containing potentially private documents was mis-configured to be accessible to the public. In any case, shortly after the story broke, whoever administrates the site fixed the problem, and browsing to the folder's URL now shows a 403 error (ie: "permission denied" – which is what one would expect).

The BC Liberals were quick to label the incident a "targeted hack", which is an utterly laughable claim. This is akin to leaving private documents on a table sitting on the legislature lawn. Then, when a passerby stops in front of the table to read said documents, the Premier runs outside and accuses them of breaking and entering. 

Liberal communications director Emile Scheffel also claimed: “Our membership and donor data is stored in a separate system and was not compromised.”

It's clear that, before the admin of bcliberals.com fixed the file permissions issue, Google managed to index some of the documents in the uploads directory. Individual files are still publicly accessible through Google's search results:

Some quick Googling about WordPress indicates that this is a very common problem. It's difficult to get the uploads directory working correctly. Instead of setting ownership and permissions properly, many impatient admins just set the directory to "777" – that's UNIX speak for "anyone can read, write, or execute this". Using 777 permissions, especially on a website, is a terrible kludge, both in terms of privacy and system security. This is what allowed anyone to look at the contents of the folder: to see the public-engagement document, and to see the comments document. 

I'll endeavour a follow up later with some more info on unix file permissions, Apache web server, and the likely mechanics of how this all happened. That being said, this is a huge privacy and security screwup by the BC Liberals campaign team. It will be interesting to see how Christy Clark justifies her "hacking" claims going forward.

"Computer hacker" image by Joe Prachatree via Shutterstock