Comment by Brendinooo
10 months ago
Does anyone want to talk about the hack itself? Can anyone give more details than "left their database open"? I came to this site hoping for a real discussion about that and didn't see it here yet...
10 months ago
Does anyone want to talk about the hack itself? Can anyone give more details than "left their database open"? I came to this site hoping for a real discussion about that and didn't see it here yet...
Someone unminified the js, and it turned out that a bunch of the rest endpoints it knew about were just unverified crud endpoints for the site.
https://archive.ph/2025.02.14-132833/https://www.404media.co...
Smells exactly like llm created solution.
Or just what happens when you hire a bunch of 20 year olds and let them loose.
That's currently how I model my usage of LLMs in code. A smart veeeery junior engineer that needs to be kept on a veeeeery short leash.
15 replies →
Does it? At least my experience is that ChatGPT goes super hard on security, heavily promoting the use of best practices.
Maybe they used Grok ;P
2 replies →
Does it, though? The saying says we shouldn't mistake incompetence for malice, but that requires more than usual for Musk's retinue.
Smells like getting a backdoor in early.
1 reply →
My first guess is that this is an unauthenticated server action.[0]
0 - https://blog.arcjet.com/next-js-server-action-security/
Maybe doge should have used an LLM to generate defenses
1 reply →
Just checked the DOGE website; I'm not too sure about this theory given that POST requests are blocked and the only APIs you can find (ie. /api/offices) only supports GET requests and if the UUID doesn't match, it 404s.
I don't see any CRUD endpoints for modifying the database
DOGE noticed. They might have "fixed" the vulnerability by now
https://doge.gov/workforce?orgId=69ee18bc-9ac8-467e-84b0-106... is what's linked to by the "Workforce" header, and it now looks different than the screenshots
Good thing we have the best and brightest at DOGE!
well they pay for a blue checkmark, they _must_ be the cleverest we have
It's been a while since I last saw a CMS pulling data from a database... It's a miracle the website didn't crumble under the load.
Put a CMS behind a well-configured CDN and it's essentially a static site generator. If you have cache invalidation figured out, you get all the speed and scalability benefits of a static site without ever having to regenerate your content.
2 replies →
https://m.youtube.com/watch?v=woPff-Tpkns&pp=ygUSdW5kZXJ0YWx...
According to a source of mine, there were unsecured API endpoints for modification
> The database it is pulling from can be and has been written to by third parties, and will show up on the live website.
Not enough detail to say for sure; could be SQL injection, could be credentials exposed in the frontend.
...or endpoints not requiring any credentials at all.
… Oh, yes. After reading more carefully I see it, er, IS that. Where the hell did Musk find these people? 1996?
1 reply →
My bet is on SQL injection
They used one of those databases which are easy to connect directly to the internet, it's the same thing as about 90% of modern data breaches.
Every generation we make things much easier, lower the bar, and are rewarded when amateurs make amateur mistakes like this.
We made it so easy to program that any idiot could do it. So they do.
1 reply →
No way this is real.
In the year of our lord 2025? I doubt it. I'd put money on "some third party cloud service was configured in a silly way".
But, I would love to see details.
[flagged]
I mean the article is paywalled but it sounds like this is isolated to their site-displayed twitter feed; basically the site was hosted by cloudflare and you could insert your own fake tweets into what was recorded on the site (but not on the actual DOGE twitter feed). I don't think any data was actually compromised
I can't speak to any data that may or may not be compromised, but this isn't about inserting fake tweets. Anything in their "government org chart" can be edited unauthenticated.
Yeah, it's just tremendously embarrassing. These are supposed to be the tech geniuses who can parse 50 years of accumulated legacy code and find all the government waste? In 3 weeks?
Data science and websites are different beasts.
4 replies →