Elon Musk has constantly criticized the previous US administration for its inefficient use of funds, especially now that he is head of the Department of Government Efficiency (DOGE). Now he has to prove his own effectiveness, and he is off to a slow start. The federal website DOGE.gov, created at Musk's initiative to track US government cuts, has become the center of a scandal over vulnerabilities that allow anyone to modify its database. According to 404 Media, the site is built on weakly protected infrastructure, which allows outsiders to write directly to the database and have their changes appear on the live site.
At least two entries were added by unauthorized users: one containing the text "this is a joke, not a .gov site" and the other "THESE 'EXPERTS' LEFT THEIR DATABASE OPEN -roro". This demonstrates a huge hole in the site's cybersecurity.
DOGE.gov was launched quickly after Musk's announcement on Tuesday that his Department of Government Efficiency (DOGE) aims to be "as transparent as possible." Musk said the department's actions would be published on the DOGE account on X and on the website. Initially the site was empty, but it was later populated with a feed of posts from the @DOGE account on X and statistics on the federal workforce.
However, two independent web developers who examined the site's architecture told 404 Media that DOGE.gov is likely hosted on the Cloudflare Pages platform and is not currently running on government servers. The site's database also remains accessible through open API endpoints, which allows unauthorized changes.
One of the developers, who asked to remain anonymous, demonstrated how he managed to make changes to the site by analyzing its architecture. He described the site as "completely hacked together," pointing out numerous errors and information leaks in the page code.
Another developer explained how the site is probably set up: "Basically, doge.gov has its codebase, probably through GitHub or something. They’re deploying the website on Cloudflare Pages from their codebase, and doge.gov is a custom domain that their pages.dev URL is set to. So rather than having a physical server or even something like Amazon Web Services, they’re deploying using Cloudflare Pages which supports custom domains."
According to experts, such a configuration exposes the site to security risks, as Cloudflare Pages does not meet the standards for hosting federal websites.
This is not the first questionable move by Musk's Department of Government Efficiency. Earlier this week, another site, Waste.gov, was launched with a generic WordPress template and demo text. After the article was published, the site was put under password protection.
DOGE is believed to have access to the codebases of various government agencies, including the Ministry of Finance, which further raises concerns about Musk's attitude to cybersecurity.
The Department of Government Efficiency has not yet responded to inquiries about DOGE.gov's vulnerabilities or plans to secure it.