DOGE Website Breached as Judges Sue for Privacy Act Violation
Shortly after the inception of the ‘Department of Government Efficiency’, security researchers discovered a significant vulnerability – calling into question the expertise of the auditor.
Multiple security researchers have discovered significant security vulnerabilities in the newly launched DOGE.gov website, allowing unauthorized users to modify its database content. The website was created to track the Department of Government Efficiency’s federal workforce reduction efforts.
This comes just days after a group of judges filed a lawsuit against DOGE for an alleged violation of the Privacy Act.
Key Findings
Details of The ‘Breach’
While this has been referred to as a breach, the nature of the findings implies there were virtually no measures in place to secure the site from unauthorized access and changes.
The site operates through a custom domain on Cloudflare Pages, which is not standard practice for federal government sites; these are typically hosted on AWS or physical servers.
Security researchers were able to publish changes to the site through publicly exposed API endpoints. By all accounts, these should be completely inaccessible to unauthorized users. Security researchers also cited “multiple errors” and “leaked details” in the source code.
The website continues to face issues, with a “join” button on the homepage leading users to a Cloudflare ‘access denied’ page, which informs users that access is blocked to prevent ‘online attacks’.
Broader Context
The security incident occurs amid several related developments – namely legal challenges, as judges file a lawsuit in New York federal court alleging DOGE has violated the Privacy Act through exposure of personal information of federal employees, alongside concerns about DOGE’s own personnel records.
Additionally, 404 Media reported on the launch of Musk’s waste.gov site, which displayed a default WordPress template before being locked behind a password (after the media coverage).
DOGE has not responded to any requests for comment about the security of either site. Musk continues to advocate for federal cost-cutting and downsizing efforts.
Digital Privacy Implications
The DOGE.gov and waste.gov incidents highlight growing concerns about digital privacy in government databases and public-facing systems. Federal employees and contractors are facing increased scrutiny of their personal information and opinions (especially those involving DEI initiatives).
If you are a federal employee or contractor, carefully auditing your digital footprint (or your company’s digital footprint) will only help you in tumultuous times. Our service, redact.dev, gives you the tools needed to quickly manage and clean your digital footprint for over 30 platforms (the majority of social and corporate media networks). While Redact cannot prevent institutional data exposure, you or your organisation can get your public-facing digital footprint under control with just a few clicks – download and try it for free here.