2011-08-28 Openleaks hints at WikiLeaks vulnerability, endangers sources [UPDATE 4 + Clarification]

According to Spiegel, a complete version of Cablegate has been available on the internet. This is their account of the story:

Julian Assange uploaded an encrypted archive containing Cablegate to the Wikileaks webserver, to share it with an associate, to whom he also gave the password. When Daniel Domscheit-Berg left the organization together with the Architect, he took the content of the webserver with him. He eventually returned some of the data a few weeks later.

At this point the narrative is not entirely clear. Spiegel goes on to say that supporters published the data on the web, along with the encrypted Cablegate file. Simultaneously, the associate published the password. The vulnerability remained unnoticed, until Openleaks staff pointed it out.

WL Central could not verify these claims. It is however clear that the vulnerability was first pointed out by Der Freitag, a media partner of Openleaks.

In a variety of aspects, this is a very strange story. First, it seems odd to use the main Wikileaks website for transfer of sensitive data. This could easily have been done by other means, in a more secure way. Next, one is left wondering how anyone could have overlooked a massive archive in a hidden subdirectory when setting up a website. Most striking is the fact that someone would be irresponsible enough to publish a password.

Openleaks staff must have known about this vulnerability for some time, but did not bother to reveal it to those in charge of the website, nor did their media partners. It is certainly right to report about it, but it should be done in a responsible manner, making sure the file is removed before this information is publicly available.

As it was the case with the shredding of unpublished submissions to Wikileaks, the timing of this story is the most telling aspect. It comes shortly after Daniel Domscheit-Berg had his CCC membership revoked. This time, the collateral damage did not only affect unpublished whistleblower documents, rather, the names of sources and informants contained in Cablegate have now been potentially exposed.


Wikileaks have now responded: "Current story being spun about wild cables, including from Spiegel, is significantly incorrect."


The Spiegel article in question has now appeared in English translation. The versions do, however, differ significantly. According to the German original, the password was given to an associate. In the translated version, this has been corrected to external contact.


Wikileaks tweets the following: "WikiLeaks 'insurance' files have not been decrypted. All press are currently misreporting. There is an issue, but not that issue."


Wikileaks commented again: "There has been no 'leak at WikiLeaks'. The issue relates to a mainstream media partner and a malicious individual."


The Spiegel article says that data that was returned by Domscheit-Berg contained the cablegate file; the Heise article says that the content of the old Wikileaks website was returned by Domscheit-Berg; the Spiegel article says that the file appeared within an archived version of the website. Both stories are based on accounts by Domscheit-Berg or his associates. Thus, the version of the story which is spread by Domscheit-Berg suggests that the file would have been hidden in the website. Personally, I do not believe it is credible that Wikileaks would use their website for transfer of sensitive data. Hence I find this story strange.

I do not believe that Wikileaks used its main website for transfers. Rather, the version of the story which is currently being reported implies this.