Do not let anyone convince you or be convinced that these dipshits are competent.

  • Kaja • she/her@lemmy.blahaj.zone
    8 days ago

    The doge.gov website that was spun up to track Elon Musk’s cuts to the federal government is insecure and pulls from a database that can be edited by anyone, according to two separate people who found the vulnerability and shared it with 404 Media

    Wow, really wild how the guy that doesn’t know what SQL is, is somehow also bad at database permissioning.

    • Anarch157a@lemmy.dbzer0.com
      8 days ago

      You haven’t been following the downfall of Twitter, have you?

      Or those dumpster fires that are the SSybertruck and Tesla Semi, right?

      Or how he got his ass fired from PayPal because he wanted to use Windows Server instead of Linux to run the service?

      Elon’s incompetence has been showing for a while.

  • ErsatzCoalButter@beehaw.org
    8 days ago

    HATE 404’s paywall (i don’t care what they call it)

    full text follows


    The doge.gov website that was spun up to track Elon Musk’s cuts to the federal government is insecure and pulls from a database that can be edited by anyone, according to two separate people who found the vulnerability and shared it with 404 Media. One coder added at least two database entries that are visible on the live site and say “this is a joke of a .gov site” and “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN -roro.”

    Doge.gov was hastily deployed after Elon Musk told reporters Tuesday that his Department of Government Efficiency is “trying to be as transparent as possible. In fact, our actions—we post our actions to the DOGE handle on X, and to the DOGE website.” At the time, DOGE was an essentially blank webpage. It was built out further Wednesday and Thursday, and now shows a mirror of the @DOGE X account posts, as well as various stats about the U.S. government’s federal workforce.

    Two different web development experts who asked to remain anonymous because they were probing a federal website told 404 Media that doge.gov is seemingly built on a Cloudflare Pages site that is not currently hosted on government servers. The database it is pulling from can be and has been written to by third parties, and will show up on the live website.

    Both sources told 404 Media that they noticed Doge.gov is pulling from a Cloudflare Pages website, where the code that runs it is actually deployed.

    One of the sources told 404 Media that they were able to push updates to a database of government employment information after studying the website’s architecture and finding the database’s API endpoints.

    This person showed me two database entries they were able to push to the website, which are live on doge.gov as I write this (archived here and here):

    “Feels like it was completely slapped together,” they added. “Tons of errors and details leaked in the page source code.”

    Both sources said that the way the site is set up suggests that it is not running on government servers.

    “Basically, doge.gov has its codebase, probably through GitHub or something,” the other developer who noticed the insecurity said. “They’re deploying the website on Cloudflare Pages from their codebase, and doge.gov is a custom domain that their pages.dev URL is set to. So rather than having a physical server or even something like Amazon Web Services, they’re deploying using Cloudflare Pages which supports custom domains.”

    On Wednesday, we reported that waste.gov, another website created to track government waste, was sitting live with a placeholder WordPress default template page and sample text. After our article was published, waste.gov was put behind a password wall. It has been widely reported that DOGE has secured administrator access to the codebases at various government agencies, including the Department of Treasury.

    DOGE did not immediately respond to a request for comment.

  • melp@beehaw.org
    8 days ago

    Krebs just published that one of the dipshits on the team can’t even write a fecking Hello World script. So… this tracks.