Anyone Can Push Updates to the DOGE.gov Website — “These ‘experts’ left their database open.”

https://www.404media.co/anyone-can-push-updates-to-the-doge-gov-website-2/

29 comments
  1. >The [doge.gov](http://doge.gov) website that was spun up to track Elon Musk’s cuts to the federal government is insecure and pulls from a database that can be edited by anyone, according to two separate people who found the vulnerability and shared it with 404 Media. One coder added at least two database entries that are visible on the live site and say “[*this is a joke of a .gov site*](https://doge.gov/workforce?orgId=1&ref=404media.co)” and “[*THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN -roro*](https://doge.gov/workforce?orgId=7cd300eb-cf3f-47f5-90f1-9e66a8bc8d07&ref=404media.co).” 

    >[Doge.gov](http://Doge.gov) was hastily deployed after Elon Musk [told reporters Tuesday](https://www.404media.co/elon-musks-waste-gov-is-just-a-wordpress-theme-placeholder-page/) that his Department of Government Efficiency is *“trying to be as transparent as possible. In fact, our actions—we post our actions to the DOGE handle on X, and to the DOGE website.”* At the time, DOGE was an essentially blank webpage. It was built out further Wednesday and Thursday, and now shows a mirror of the @DOGE X account posts, as well as various stats about the U.S. government’s federal workforce.

    >Two different web development experts who asked to remain anonymous because they were probing a federal website told 404 Media that [doge.gov](http://doge.gov) is seemingly built on a Cloudflare Pages site that is not currently hosted on government servers. The database it is pulling from can be and has been written to by third parties, and will show up on the live website. 

    >Both sources told 404 Media that they noticed [Doge.gov](http://Doge.gov) is pulling from a Cloudflare Pages website, where the code that runs it is actually deployed.

    >One of the sources told 404 Media that they were able to push updates to a database of government employment information after studying the website’s architecture and finding the database’s API endpoints.

    >This person showed me two database entries they were able to push to the website, which are live on [doge.gov](http://doge.gov) as I write this (archived [here](https://archive.is/XzvTY?ref=404media.co) and [here](https://archive.is/cMeco?ref=404media.co)).

  2. This is hilarious. It is still up…wonder if they can do a DB query to get all the salaries and their personal information associated with them.

  3. I’ll do you one better: CFPB.gov gives you a 404 page when you go to the website. But it isn’t offline or unavailable, it’s just an image pasted on the front page. All of the links still work, complaints can still be filed, etc.

  4. See, that’s the thing. These guys are probably the biggest IT risk in history. If that’s their front-facing page, what have they done to internal agency data?

  5. It’s probably a team of script kiddies obsessed with AI or black hat hacking who, in their education, neglected all other facets of SWE (security, ethics, web development, devops, testing, maintenance, etc.). I’m not surprised!

  6. Slide a Little Bit of Bytes into that thing and watch it explode

  7. Man. it would take someone with balls — BIG balls — to poke around and figure…oh who am I kidding.

    Racistballs69420loleleventy probably asked ChatGPT how to make a website and still botched it

    This is insane.

    Also, remember — JD Vance was fired from multiple tech companies for being a complete idiot (the most idiotic some of the companies ever had), and Thiel still found a use for him.

  8. I don’t know what annoys me more

    That fascism is being pushed so violently in our faces and we’re powerless to stop it

    Or that the fascists are all fucking morons

  9. “The people voted for major reform.”

    … no, they were just too lazy to read Project 2025, and all their Fox News anchors told them not to worry, it wasn’t happening (until it was too late, of course).

  10. Checks and balances people, checks and balances. What an absolute clown show.

  11. Whatever you do, definitely don’t put malware on there that can take their information and then spread to all their other dumbass Doge computers. That would be bad.

  12. Non government servers?!? I’ll bet Hillary is pissed!

    I guess we have to…lock…them…up?

  13. What if it’s actually a honeypot — oh wait, is Elmo smart enough to pull it off?

  14. The fact that there still isn’t any Senate hearing about Musk’s role in this idiocy is worse than many of you think. Where is the Constitutional requirement for federal officials to be nominated with the advice and consent of the Senate?

  15. >why does everyone keep asking me about wasps? -doge, probably

  16. Getting big “press alt+F4” hacker energy from these kids.

  17. Calling all trolls! Please report to the doge.gov website.

  18. doge.gov resolves to 172.67.131.28, which is a Cloudflare IP in San Francisco. Google says its back end is on 64.176.80.132, an IP assigned to Vultr Holdings, LLC in Singapore. Kinda strange for a .gov site to be hosted in Singapore. It is owned by The Constant Company, LLC.

  19. What a fucking joke. Probably a hasty scam thrown together in ChatGPT by someone without any understanding of the domain whatsoever.

  20. From the bottom of their “workforce” page.

    “This is DOGE’s effort to create a comprehensive, government-wide org chart. This is an enormous effort, and there are likely some errors or omissions. We will continue to strive for maximum accuracy over time.”

    Straight up admitting they don’t have the correct information.