
/tech/ - Technology




 

Anyone Can Push Updates to the DOGE.gov Website

https://web.archive.org/web/20250214064422/https://www.404media.co/anyone-can-push-updates-to-the-doge-gov-website-2/

> "THESE 'EXPERTS' LEFT THEIR DATABASE OPEN."


> The doge.gov website that was spun up to track Elon Musk’s cuts to the federal government is insecure and pulls from a database that can be edited by anyone, according to two separate people who found the vulnerability and shared it with 404 Media. One coder added at least two database entries that are visible on the live site and say “this is a joke of a .gov site” and “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN -roro.”


> Doge.gov was hastily deployed after Elon Musk told reporters Tuesday that his Department of Government Efficiency is “trying to be as transparent as possible. In fact, our actions—we post our actions to the DOGE handle on X, and to the DOGE website.” At the time, DOGE was an essentially blank webpage. It was built out further Wednesday and Thursday, and now shows a mirror of the @DOGE X account posts, as well as various stats about the U.S. government’s federal workforce.


> Two different web development experts who asked to remain anonymous because they were probing a federal website told 404 Media that doge.gov is seemingly built on a Cloudflare Pages site that is not currently hosted on government servers. The database it is pulling from can be and has been written to by third parties, and will show up on the live website.


> Both sources told 404 Media that they noticed Doge.gov is pulling from a Cloudflare Pages website, where the code that runs it is actually deployed.


> One of the sources told 404 Media that they were able to push updates to a database of government employment information after studying the website’s architecture and finding the database’s API endpoints.


> This person showed me two database entries they were able to push to the website, which are live on doge.gov as I write this


> “Feels like it was completely slapped together,” they added. “Tons of errors and details leaked in the page source code.”


> Both sources said that the way the site is set up suggests that it is not running on government servers.


> “Basically, doge.gov has its codebase, probably through GitHub or something,” the other developer who noticed the insecurity said. “They’re deploying the website on Cloudflare Pages from their codebase, and doge.gov is a custom domain that their pages.dev URL is set to. So rather than having a physical server or even something like Amazon Web Services, they’re deploying using Cloudflare Pages which supports custom domains.”


> On Wednesday, we reported that waste.gov, another website created to track government waste, was sitting live with a placeholder Wordpress default template page and sample text. After our article was published, waste.gov was put behind a password wall. It has been widely reported that DOGE has secured administrator access to the codebases at various government agencies, including the Department of Treasury.


> DOGE did not immediately respond to a request for comment.


I expected nothing and I was still let down. Government lolcow milking agency lol

I don't know what this means, I'm tech illiterate

explain to me in caveman terms

>>28502
What the highlighted bit says. There is no protection that keeps the site from being edited by anyone who connects to it.

>>28502
The DOGE landing page is stored in the cloud and can be modified by anyone savvy enough and that's about it, no government info leak or anything. It's a nothingburger unless based retard falls for the bait

>>28501
internet spectacle. you are soypointing at a technical detail while getting hit with an austerity program and a general turn to the right in the political discourse. it's fine I guess but…

UPDATE

https://cyberintel.substack.com/p/doge-exposes-once-secret-government

> Beginning on January 8, 2025, a surge of U.S. government infrastructure began appearing on what’s known as “the search engine of Internet-connected devices,” Shodan.io.


> Federal agencies typically secure their systems behind multiple layers of protection, ensuring that critical services – such as mail servers, directory services, VPNs, internal IP addresses, and remote access gateways – remain isolated from public access.


> The scope and severity of exposed government networks is unlike anything I’ve seen. It’s hard to even have a baseline to compare it to. But one thing’s for sure–adversaries such as Russia and China are dancing for joy.


> Essentially, whatever is causing once-private government networks to suddenly be publicly observable is making the lives of Chinese and Russian hackers much easier–we’re doing the first stage of hacking campaigns, network reconnaissance, for them. With such easy insights into once-secret U.S. networks, the likelihood of data breaches impacting millions of Americans becomes that much higher.


Setting aside the sinorussian spooks, this is actually pretty bad; it seems like they're ignoring basic security practices that even medium-sized companies employ.

> On February 6, the Washington Post reported that DOGE fed sensitive data into AI systems while auditing the Department of Education. The specific AI product used by DOGE was not known to the Post at the time.


> However, my investigation reveals that Inventry[.]ai may be one of the AI products in question, with multiple U.S. government IP addresses pointing to its REST API. This indicates a massive flow of government data being sent to the AI company’s servers.


> Proof: 8 IP addresses on Amazon’s GovCloud now point to Inventry.ai’s REST API, indicating a massive firehose of data being sent to the AI company’s servers. The IP addresses are: 18.253.166.131, 182.30.117.29, 18.253.153.187, 182.30.154.252, 18.254.229.158, 18.253.160.247, 18.254.175.18, 18.254.191.201



> As early as January 24, Elon Musk and his DOGE entourage may have had partial access to Treasury Department systems, and then obtained full access on February 2. From there, he specifically targeted the Secure Payment System housed under the Bureau of Fiscal Services, which is responsible for disbursing billions of dollars of federal funds totaling more than 20% of the entire U.S. economy. (Southern District of NY Complaint, 2025).


> That same day, Treasury Department servers linked to the Secure Payment System were observed on Shodan. Reasons for the Secure Payment System’s appearance on Shodan could include server configuration changes or new services that were not previously accessible


> Further vulnerable Treasury Department systems discovered include:


> 1 Comptroller of the Currency’s Citrix NetScaler Gateway – enables remote access to internal applications, desktops, and data. It acts as a VPN (Virtual Private Network) or proxy for users connecting to a corporate or government network.


> 3 The Treasury Department’s Office of Inspector General’s Outlook Web login page is now publicly exposed. This allows attackers to attempt brute force password attacks. Once inside, hackers could exploit CVE-2024-21413 to send malicious emails that further compromise government systems. Another Treasury mail server is observed here.

Behold the power of Python + JavaScript, like 10 layers of meme frameworks and blockchain integration, all programmed with the assistance of American AI.

>>28503
Fancy man forgot to tie shrine to ground or put a fence around it, easily messed with by passersby.

but experts tho, elon musk tony stark spacex, rocket scientists, AI wizards, these guys fresh out of college are genius white nationalist atlas shrugged big balls alpha chads!

