Conversation

Scoop: The databases powering doge.gov are insecure, and people outside the government have already pushed their own updates to the site to prove it:

https://www.404media.co/anyone-can-push-updates-to-the-doge-gov-website-2/


@404mediaco the 20 year old hitler youths recruited from the exploding car company and the monkey trepanning company aren't actually good at computers? SurprisedPikachu.jpg

@404mediaco The description is pretty vague and I don't have a subscription so I looked at the traffic: it seems the /api/offices/[id] endpoint is serving the "extra" messages. My educated guess is they forgot to restrict POST/PUT (which is actually pretty lame)...
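The mechanism @buherator guesses at above (a per-office API route that honours writes from anyone), as an added example that is not part of the thread and not doge.gov's or Cloudflare Pages' code: a toy `/api/offices/[id]` route over an in-memory store, the handler that lets any caller write, the hardened handler beside it, and the probe a tester would run to tell them apart. The route shape, office records, field names, bearer-token scheme and function names (`seedOffices`, `vulnerableHandler`, `hardenedHandler`, `writeIsOpen`) are all assumptions for illustration.

```javascript
// Added example (not code from the thread, doge.gov or Cloudflare Pages):
// a toy /api/offices/[id] route in the shape the comment above guesses at.
// Every name, field and token here is assumed for illustration.

const OFFICE_PATH = /^\/api\/offices\/([A-Za-z0-9_-]+)$/;
const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
const ALLOWED_FIELDS = ['name', 'message'];

// Constructed sample data; the ids and names are made up.
function seedOffices() {
  return new Map([
    ['1', { id: '1', name: 'Office A', message: 'original' }],
    ['2', { id: '2', name: 'Office B', message: 'original' }],
  ]);
}

// Vulnerable: dispatches on path only. Any write method from any caller
// upserts the record and merges whatever fields the body carries.
function vulnerableHandler(offices, req) {
  const m = OFFICE_PATH.exec(req.path);
  if (!m) return { status: 404, body: null };
  const id = m[1];
  if (WRITE_METHODS.has(req.method)) {
    const next = { ...(offices.get(id) || { id }), ...(req.body || {}) };
    offices.set(id, next);
    return { status: 200, body: next };
  }
  const office = offices.get(id);
  return office ? { status: 200, body: office } : { status: 404, body: null };
}

// Hardened: anonymous reads only; PUT needs a valid bearer token, touches
// existing records only and accepts an allow-list of fields; every other
// method gets 405.
function hardenedHandler(offices, req, adminToken) {
  const m = OFFICE_PATH.exec(req.path);
  if (!m) return { status: 404, body: null };
  const id = m[1];
  switch (req.method) {
    case 'GET':
    case 'HEAD': {
      const office = offices.get(id);
      if (!office) return { status: 404, body: null };
      return { status: 200, body: req.method === 'HEAD' ? null : office };
    }
    case 'PUT': {
      if (!isAuthorized(req.headers, adminToken)) return { status: 401, body: null };
      const existing = offices.get(id);
      if (!existing) return { status: 404, body: null };
      const next = { ...existing, ...pickAllowed(req.body) };
      offices.set(id, next);
      return { status: 200, body: next };
    }
    default:
      return { status: 405, body: null, headers: { Allow: 'GET, HEAD, PUT' } };
  }
}

// Keep only allow-listed string fields, so a client cannot rewrite `id`
// or smuggle in fields the schema never meant to be writable.
function pickAllowed(raw) {
  const body = raw && typeof raw === 'object' ? raw : {};
  const out = {};
  for (const key of ALLOWED_FIELDS) {
    if (typeof body[key] === 'string') out[key] = body[key];
  }
  return out;
}

// Bearer-token check with a constant-time comparison. The early length
// return leaks only the token length, which is not secret.
function isAuthorized(headers, adminToken) {
  if (typeof adminToken !== 'string' || adminToken.length === 0) return false;
  const auth = (headers && headers.authorization) || '';
  const [scheme, token] = auth.split(' ');
  if (scheme !== 'Bearer' || !token || token.length !== adminToken.length) return false;
  let diff = 0;
  for (let i = 0; i < token.length; i++) {
    diff |= token.charCodeAt(i) ^ adminToken.charCodeAt(i);
  }
  return diff === 0;
}

// The check a tester runs against a fresh store: does an unauthenticated
// PUT with a marker value land in the record? No token is configured on
// the hardened handler here, so it must refuse.
function writeIsOpen(handler) {
  const offices = seedOffices();
  const marker = 'probe-marker';
  handler(offices, { method: 'PUT', path: '/api/offices/1', headers: {}, body: { message: marker } });
  return offices.get('1').message === marker;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable handler accepts anonymous writes:', writeIsOpen(vulnerableHandler));
  console.log('hardened handler accepts anonymous writes:', writeIsOpen(hardenedHandler));
}
```

The probe is the whole test the thread describes: send a write with a marker you can recognise and read the record back. Note the bug lives entirely in the route handler; if such a backend were Cloudflare Pages Functions, the same split would be expressed by exporting method-specific handlers (`onRequestGet`, `onRequestPut`) instead of one catch-all `onRequest`, with the authorization check inside the write handler, and the hosting platform would not change whether the check exists.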

@404mediaco I expect every single one of you to act appropriately.


@404mediaco this has made me cackle and howl from laughter so hard that I just startled my cat.


b̴̨h̷̢̨s̴̡̡̕͡ù̢á̴͘͠r͘͝e̛͠z̨̀

@buherator @404mediaco doesn’t have a responsibility to secure this or do they just go 🤷 ?

@bh @404mediaco frankly I don't see why CF is relevant, this looks like an app-specific endpoint, but I may be missing some detail

b̴̨h̷̢̨s̴̡̡̕͡ù̢á̴͘͠r͘͝e̛͠z̨̀

@404mediaco @buherator they’re using Cloudflare Pages

@bh @404mediaco yeah ik. It's a platform, the user provides implementation. You don't blame your cpu for executing malware.

b̴̨h̷̢̨s̴̡̡̕͡ù̢á̴͘͠r͘͝e̛͠z̨̀

@404mediaco @buherator so if I’m understanding correctly, Cloudflare can be used to deploy an unsecured government database and there is nothing wrong with that? I get the user provides implementation but DOGE is not really following the law…

@bh @404mediaco They could deploy the same code on a mainframe in Fort Knox, it would be the same bug (if my theory is correct). I don't have info about US gov webapp deployment policy.

b̴̨h̷̢̨s̴̡̡̕͡ù̢á̴͘͠r͘͝e̛͠z̨̀

@buherator @404mediaco sure, but they made the deliberate choice to use Cloudflare instead of a “mainframe” elsewhere. If you ‘dig a doge.gov’ both A records point to Cloudflare so how are they not relevant here?


b̴̨h̷̢̨s̴̡̡̕͡ù̢á̴͘͠r͘͝e̛͠z̨̀

@buherator @404mediaco then you do ‘dig a irs.gov’ and you can whois the IP and it’s owned by ‘Internal Revenue Service’ — not Cloudflare


b̴̨h̷̢̨s̴̡̡̕͡ù̢á̴͘͠r͘͝e̛͠z̨̀

@404mediaco @buherator bug or not this is horribly bad deployment practices and Cloudflare could cut them off if they wanted to but they haven’t

@bh @404mediaco because your cpu vendor is not relevant when you happen to run malware.

b̴̨h̷̢̨s̴̡̡̕͡ù̢á̴͘͠r͘͝e̛͠z̨̀

@404mediaco @buherator ok but my CPU isn’t on someone else’s computer


b̴̨h̷̢̨s̴̡̡̕͡ù̢á̴͘͠r͘͝e̛͠z̨̀

@buherator @404mediaco also malware doesn’t infect a CPU it infects an operating system…?
