The Business & Technology Network
Helping Business Interpret and Use Technology

DOGE’s ‘Genius’ Coders Launch Website So Full Of Holes, Anyone Can Write To It

DATE POSTED: February 14, 2025

If you want to write something on the U.S. government’s official DOGE website, apparently you can just… do that. Not in the usual way of submitting comments through a form, mind you, but by directly injecting content into their database. This seems suboptimal.

The story here is that DOGE — Elon Musk’s collection of supposed coding “geniuses” brought in to “disrupt” government inefficiency — finally launched their official website. And what they delivered is a masterclass in how not to build government infrastructure. One possibility is that they’re brilliant disruptors breaking all the rules to make things better. Another possibility is that they have no idea what they’re doing.

The latter seems a lot more likely.

Last week, it was reported that the proud racist 25-year-old Marko Elez had been given admin access and was pushing untested code to the US government’s $6 trillion/year payment system. While the Treasury Department initially claimed (including in court filings!) that Elez had “read-only” access, others reported he had write access. After those reports came out, the Treasury Dept. “corrected” itself and said Elez had been “accidentally” given write privileges for the payments database, but only for the data, not the code. Still, they admitted that while they had put in place some security protections, it’s possible that Elez did copy some private data which “may have occasionally included screenshots of payment systems data or records.”

Yikes?

Now, you might think that having a racist twenty-something with admin access to trillion-dollar payment systems would concern people. But Musk’s defenders had a compelling counterargument: he must be a genius! Because… well, because Musk hired him, and Musk only hires geniuses. Or so we’re told.

The DOGE team’s actual coding prowess is turning out to be quite something. First, they decided that government transparency meant hiding everything from FOIA requests. When questioned about this interesting interpretation of “transparency,” Musk explained that actually DOGE was being super transparent by putting everything on their website and ExTwitter account.

There was just one small problem with this explanation. At the time he said it, the DOGE website looked like this:

 An official website of the United States Government.

Then it shows a $ logo and

That was it. That was the whole website.

On Thursday, they finally launched a real website. Sort of. If by “real website” you mean “a collection of already-public information presented in misleading ways by people who don’t seem to understand what they’re looking at.” But that’s not even the interesting part.

These supposed technical geniuses managed to build what might be the least secure government website in history. Let’s start with something basic: where does the website actually live? According to Wired, the source code actually tells search engines that ExTwitter, not DOGE.gov, is the real home of this government information:

A WIRED review of the page’s source code shows that the promotion of Musk’s own platform went deeper than replicating the posts on the homepage. The source code shows that the site’s canonical tags direct search engines to x.com rather than DOGE.gov.

A canonical tag is a snippet of code that tells search engines what the authoritative version of a website is. It is typically used by sites with multiple pages as a search engine optimization tactic, to avoid their search ranking being diluted.

In DOGE’s case, however, the code is informing search engines that when people search for content found on DOGE.gov, they should not show those pages in search results, but should instead display the posts on X.

“It is promoting the X account as the main source, with the website secondary,” Declan Chidlow, a web developer, tells WIRED. “This isn’t usually how things are handled, and it indicates that the X account is taking priority over the actual website itself.”

If you’re not a web developer, here’s what that means: When you build a website, you can tell search engines “hey, if you find copies of this content elsewhere, this version here is the real one.” It’s like telling Google “if someone copied my site, mine is the original.”

But DOGE did the opposite. They told search engines “actually, ExTwitter has the real version of this government information. Our government website is just a copy.” Which is… an interesting choice for a federal agency? It’s a bit like the Treasury Department saying “don’t look at our official reports, just check Elon’s tweets.”
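A site owner can catch this kind of misdirected canonical tag with an automated check before deploy. The sketch below is an added example, not code from WIRED or from the site itself: the function names, the example.gov URL and the sample markup are constructed, and it assumes the canonical host should equal the page's own host apart from a leading "www.".

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class CanonicalCollector(HTMLParser):
    """Collects the href of every <link rel="canonical"> element."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # rel is a space-separated token list and is matched case-insensitively
        if tag == "link" and "canonical" in (attrs.get("rel") or "").lower().split():
            self.hrefs.append((attrs.get("href") or "").strip())


def host_of(url):
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host  # assumption: www. is the same site


def audit_canonical(page_url, html):
    """Return (status, canonical_url); status is 'missing', 'multiple', 'off-site' or 'ok'."""
    collector = CanonicalCollector()
    collector.feed(html)
    hrefs = [h for h in collector.hrefs if h]
    if not hrefs:
        return ("missing", None)
    if len(hrefs) > 1:
        return ("multiple", None)
    canonical = urljoin(page_url, hrefs[0])  # relative hrefs resolve against the page URL
    if host_of(canonical) != host_of(page_url):
        return ("off-site", canonical)  # search engines are told another host is authoritative
    return ("ok", canonical)


# Constructed sample pages (not the real site's markup).
SAMPLES = {
    "off-site": '<head><link rel="canonical" href="https://x.com/example"></head>',
    "ok": '<head><LINK REL="Canonical" HREF="/savings"></head>',
    "missing": "<head><title>no canonical tag</title></head>",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, audit_canonical("https://www.example.gov/savings", html))
```

Run against every page in a build or crawl, an "off-site" result is the condition described above: the page declares a different host as the authoritative copy of its own content.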

You might think that a government agency directing people away from its official website and toward the private company of its leader would raise some conflict-of-interest concerns. And you’d be right!

But wait, it gets better. Or worse. Actually, yeah, it’s worse.

Who built this government website? Through some sloppy coding, security researcher Sam Curry figured out it was DOGE employee Kyle Shutt. The same Kyle Shutt who, according to Drop Site News, has admin access to the FEMA payments system. The same Kyle Shutt who used the exact same Cloudflare ID to build Musk’s America PAC Trump campaign website. Because why maintain separate secure credentials for government systems and political campaigns when you can just… not do that?

But the real cherry on top came Thursday when people discovered something amazing about the DOGE site database: anyone can write to it. Not “anyone with proper credentials.” Not “anyone who passes security checks.” Just… anyone. As 404 Media reported, if you know basic database operations, you too can be a government website administrator:

The doge.gov website that was spun up to track Elon Musk’s cuts to the federal government is insecure and pulls from a database that can be edited by anyone, according to two separate people who found the vulnerability and shared it with 404 Media. One coder added at least two database entries that are visible on the live site and say “this is a joke of a .gov site” and “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN -roro.” 

While I imagine those will be taken down shortly, for now, the insertions are absolutely visible:

Look, there’s a reason we called this whole thing a cyberattack. When someone takes over your computer systems and leaves them wide open to anyone who wants to mess with them, we usually don’t call that “disruption” or “innovation.” We call it a cybersecurity breach.

“Feels like it was completely slapped together,” they added. “Tons of errors and details leaked in the page source code.”

Both sources said that the way the site is set up suggests that it is not running on government servers. 

“Basically, doge.gov has its codebase, probably through GitHub or something,” the other developer who noticed the insecurity said. “They’re deploying the website on Cloudflare Pages from their codebase, and doge.gov is a custom domain that their pages.dev URL is set to. So rather than having a physical server or even something like Amazon Web Services, they’re deploying using Cloudflare Pages which supports custom domains.”

Here’s the thing about government computer systems: They’re under constant attack from foreign adversaries. Yes, they can be inefficient. Yes, they can be bloated. But you know what else they usually are? Not completely exposed to the entire internet. It turns out that some of that inefficient “bureaucracy” involves basic things like “security” and “not letting random people write whatever they want in federal databases.”

This isn’t some startup where “move fast and break things” is a viable strategy. This is the United States government. And it’s been handed over to people whose main qualification appears to be “posts spicy memes on 4chan.” The implications go far beyond embarrassing database injections — this level of technical negligence in federal systems creates genuine national security concerns. When your “disruption” involves ignoring decades of hard-learned lessons about government systems security, you’re not innovating — you’re inviting disaster.