DOGE's Genius Coders Launch Website So Full Of Holes, Anyone Can Write To It
www.techdirt.com
from the this-would-get-an-intern-at-a-coffee-shop-fired dept
Fri, Feb 14th 2025 09:25am - Mike Masnick

If you want to write something on the U.S. government's official DOGE website, apparently you can just do that. Not in the usual way of submitting comments through a form, mind you, but by directly inserting content into their database. This seems suboptimal.

The story here is that DOGE, Elon Musk's collection of supposed coding geniuses brought in to disrupt government inefficiency, finally launched their official website. And what they delivered is a masterclass in how not to build government infrastructure. One possibility is that they're brilliant disruptors breaking all the rules to make things better. Another possibility is that they have no idea what they're doing.

The latter seems a lot more likely.

Last week, it was reported that the proud racist 25-year-old Marko Elez had been given admin access and was pushing untested code to the US government's $6 trillion/year payment system. While the Treasury Department initially claimed (including in court filings!) that Elez had read-only access, others reported he had write access. After those reports came out, the Treasury Dept. corrected itself and said Elez had been "accidentally" given write privileges for the payments database, but only for the data, not the code. Still, they admitted that while they had put in place some security protections, it's possible that Elez did copy some private data, which "may have occasionally included screenshots of payment systems data or records."

Yikes?

Now, you might think that having a racist twenty-something with admin access to trillion-dollar payment systems would concern people. But Musk's defenders had a compelling counterargument: he must be a genius! Because... well, because Musk hired him, and Musk only hires geniuses. Or so we're told.

The DOGE team's actual coding prowess is turning out to be quite something.
First, they decided that government transparency meant hiding everything from FOIA requests. When questioned about this interesting interpretation of "transparency," Musk explained that actually DOGE was being super transparent by putting everything on their website and ExTwitter account.

There was just one small problem with this explanation. At the time he said it, the DOGE website looked like this:

[screenshot omitted]

That was it. That was the whole website.

On Thursday, they finally launched a "real" website. Sort of. If by "real website" you mean a collection of already-public information presented in misleading ways by people who don't seem to understand what they're looking at. But that's not even the interesting part.

These supposed technical geniuses managed to build what might be the least secure government website in history. Let's start with something basic: where does the website actually live? According to Wired, the source code actually tells search engines that ExTwitter, not DOGE.gov, is the real home of this government information:

A WIRED review of the page's source code shows that the promotion of Musk's own platform went deeper than replicating the posts on the homepage. The source code shows that the site's canonical tags direct search engines to x.com rather than DOGE.gov.

A canonical tag is a snippet of code that tells search engines what the authoritative version of a website is. It is typically used by sites with multiple pages as a search engine optimization tactic, to avoid their search ranking being diluted.

In DOGE's case, however, the code is informing search engines that when people search for content found on DOGE.gov, they should not show those pages in search results, but should instead display the posts on X.

"It is promoting the X account as the main source, with the website secondary," Declan Chidlow, a web developer, tells WIRED. "This isn't usually how things are handled, and it indicates that the X account is taking priority over the actual website itself."

If you're not a web developer, here's what that means: when you build a website, you can tell search engines "hey, if you find copies of this content elsewhere, this version here is the real one." Concretely, that is a link element with rel="canonical" in the page's head, pointing at the URL you consider authoritative. It's like telling Google "if someone copied my site, mine is the original."

But DOGE did the opposite. They told search engines "actually, ExTwitter has the real version of this government information. Our government website is just a copy." Which is an interesting choice for a federal agency? It's a bit like the Treasury Department saying "don't look at our official reports, just check Elon's tweets."

You might think that a government agency directing people away from its official website and toward the private company of its leader would raise some conflict-of-interest concerns. And you'd be right!

But wait, it gets better. Or worse. Actually, yeah, it's worse.

Who built this government website? Thanks to some sloppy coding, security researcher Sam Curry figured out it was DOGE employee Kyle Shutt. The same Kyle Shutt who, according to Drop Site News, has admin access to the FEMA payments system. The same Kyle Shutt who used the exact same Cloudflare ID to build Musk's America PAC Trump campaign website. Because why maintain separate secure credentials for government systems and political campaigns when you can just not do that?

But the real cherry on top came Thursday when people discovered something amazing about the DOGE site database: anyone can write to it. Not anyone with proper credentials. Not anyone who passes security checks. Just anyone.
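The canonical-tag problem described above is easy to check for mechanically. The following is an added example in Node.js, not code from the article or from the doge.gov site: it pulls every canonical link out of a page's HTML and flags the ones whose target origin differs from the page's own. The sample HTML and the URLs in it are constructed for the example, not captured from the real site.

```javascript
// Added example: detect cross-origin canonical tags in a page's HTML.
// Not code from the Techdirt article or the doge.gov site; sample input
// below is constructed.

// Pull one attribute value out of a single <link ...> tag, tolerating
// double quotes, single quotes, or no quotes.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3];
}

// Return the href of every <link rel="canonical"> in the document.
// rel is a space-separated token list, so split it rather than compare whole.
function canonicalTargets(html) {
  const links = html.match(/<link\b[^>]*>/gi) || [];
  const targets = [];
  for (const tag of links) {
    const rel = attr(tag, "rel");
    const href = attr(tag, "href");
    if (rel && href && rel.toLowerCase().split(/\s+/).includes("canonical")) {
      targets.push(href);
    }
  }
  return targets;
}

// Resolve each canonical against the page URL (relative hrefs are fine)
// and report any whose origin is not the page's own. A site that does
// this is telling search engines another site is the authoritative copy.
function crossOriginCanonicals(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const href of canonicalTargets(html)) {
    const target = new URL(href, pageUrl);
    if (target.origin !== pageOrigin) {
      findings.push({ href, targetOrigin: target.origin });
    }
  }
  return findings;
}

// Constructed sample: a .gov-looking page whose canonical points at x.com.
// Hypothetical URLs, not real page content.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/site.css">
<link rel='canonical' href='https://x.com/example/status/1'>
</head><body><h1>Savings</h1></body></html>`;
const SAMPLE_PAGE_URL = "https://example.gov/savings";

console.log(crossOriginCanonicals(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

Run it against the saved HTML of any page you administer; an empty result is the expected state for a site that wants to own its own search presence. The regex scan is deliberate so the check runs with no dependencies, but it only sees tags present in the served HTML, not ones injected later by client-side scripts.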
As 404 Media reported, if you know basic database operations, you too can be a government website administrator:

The doge.gov website that was spun up to track Elon Musk's cuts to the federal government is insecure and pulls from a database that can be edited by anyone, according to two separate people who found the vulnerability and shared it with 404 Media. One coder added at least two database entries that are visible on the live site and say "this is a joke of a .gov site" and "THESE EXPERTS LEFT THEIR DATABASE OPEN -roro."

While I imagine those will be taken down shortly, for now, the insertions are absolutely visible:

[screenshot omitted]

Look, there's a reason we called this whole thing a cyberattack. When someone takes over your computer systems and leaves them wide open to anyone who wants to mess with them, we usually don't call that "disruption" or "innovation." We call it a cybersecurity breach.

404 Media continues:

"Feels like it was completely slapped together," they added. "Tons of errors and details leaked in the page source code."

Both sources said that the way the site is set up suggests that it is not running on government servers.

"Basically, doge.gov has its codebase, probably through GitHub or something," the other developer who noticed the insecurity said. "They're deploying the website on Cloudflare Pages from their codebase, and doge.gov is a custom domain that their pages.dev URL is set to. So rather than having a physical server or even something like Amazon Web Services, they're deploying using Cloudflare Pages, which supports custom domains."

Here's the thing about government computer systems: they're under constant attack from foreign adversaries. Yes, they can be inefficient. Yes, they can be bloated. But you know what else they usually are? Not completely exposed to the entire internet.
It turns out that some of that "inefficient bureaucracy" involves basic things like security and not letting random people write whatever they want in federal databases.

This isn't some startup where "move fast and break things" is a viable strategy. This is the United States government. And it's been handed over to people whose main qualification appears to be posting spicy memes on 4chan. The implications go far beyond embarrassing database injections: this level of technical negligence in federal systems creates genuine national security concerns. When your "disruption" involves ignoring decades of hard-learned lessons about government systems security, you're not innovating, you're inviting disaster.

Companies: twitter, x