this post was submitted on 05 May 2026
220 points (97.4% liked)

Technology

[–] TachyonTele@piefed.social 103 points 3 days ago* (last edited 2 days ago) (6 children)

And it gets even stranger. Apparently, the app is loading JavaScript from a random person’s GitHub site for YouTube embeds. Yes, you read that right, it’s just loading JavaScript from a random GitHub site.

It also pings your location every four minutes. But man, a random GitHub is gold. These morons have the full power of the United States at their fingertips, and they use it to... load JS from a random GitHub while tracking you.

[–] Sickday@kbin.earth 69 points 3 days ago (2 children)

Can you imagine The United States Government getting hit with a JS supply chain attack due to sheer stupidity? What a time to be alive

[–] TachyonTele@piefed.social 28 points 3 days ago

Someone convincing enough could easily just tell them there's an attack. I have a feeling they wouldn't have any idea how to check.

[–] Hawke@lemmy.world 24 points 2 days ago

It would be impossible to distinguish the malware from the app's intended function.

The biggest weakness of fascism is always that it tends to attract a lot more idiots who want to steal money than true believers in the actual philosophy.

[–] AuroraZzz@lemmy.world 37 points 2 days ago (1 children)

Bc they used AI to write it. Why random stuff is included in the app for no reason

[–] TachyonTele@piefed.social 18 points 2 days ago

That would make sense. Ugh

[–] felixwhynot@lemmy.world 23 points 2 days ago (2 children)

Nerd nit (sorry): if you want to abbreviate “JavaScript” please use “JS” because Java is a different thing. Sorry!

PS thanks for posting the quote

[–] pingu@piefed.europe.pub 21 points 2 days ago

Extra nerd nit: If you want to abbreviate the postscript announcement, please use "p.s" because PostScript is a different thing!

p.s. thanks for pointing out the difference between Java and JavaScript

[–] TachyonTele@piefed.social 5 points 2 days ago

Nerd alert!
(I kid, thank you for the correction)

[–] TheTimeKnife@lemmy.world 10 points 3 days ago

It's honestly incredible how dumb these people are.

[–] vrek@programming.dev 8 points 2 days ago (1 children)

Based on how open source currently is funded and it's a random GitHub source, I wonder if, hypothetically, Iran could send the owner a DM offering, say, $500k and get complete access to the phones of everyone running this app. I could see this being default installed on company phones if you work for the White House or federal government.

Don't make the GitHub changes noticeable, keep the app working, but for example when it checks your location and sends that home, imagine a slight change to also include complete browser history or list of installed apps.

One of Trump's yes men receives a message "do what I ask or I'll publish that you have Grindr installed, your account name, and all the people you swiped right on..." That could give them insane power over the US government.

[–] TachyonTele@piefed.social 5 points 2 days ago (1 children)

Sure, why not. If people were as competent as the movies they'd have already owned the app's data.

[–] vrek@programming.dev 5 points 2 days ago (1 children)

Hey, it's cheaper than a single missile...

[–] TachyonTele@piefed.social 1 points 2 days ago

Not as convenient though. So the missiles must fire

[–] IWW4@lemmy.zip 59 points 3 days ago

Is anyone surprised that one of the most if not the most incompetent and corrupt administrations in the history of the US is churning out shit that is corrupt and messed up?

This administration doesn’t live in reality so I am sure whoever was building that thing sure didn’t feel like anyone wants to hear about problems.

[–] floquant@lemmy.dbzer0.com 33 points 2 days ago

If you are wondering if it's because of incompetence or malice, it's both.

[–] Sxan@piefed.zip 41 points 2 days ago (1 children)

Hardcoded:

root_username: putin
root_password: i_luv_russia

[–] gdog05@lemmy.world 16 points 2 days ago (1 children)

Username would be Krasnov I think

[–] redditmademedoit@piefed.zip 22 points 2 days ago

krasnov only gets you basic access. For admin privileges you need to sign in with putin.

[–] chrash0@lemmy.world 34 points 2 days ago (2 children)

WordPress powering the backend through a custom REST API. That’s pretty normal, as nearly 42% of all websites on the internet are powered by WordPress.

is this normal? of course WordPress is popular for websites, but why a REST API? most of this seems just like shoddy junior work. probably vibe coded by someone who thinks software engineering is obsolete

[–] MonkderVierte@lemmy.zip 23 points 2 days ago* (last edited 2 days ago)

Actually, WordPress is made for blogs and the plugin architecture (to do things like Shopify) has heavy security issues. If you don't make a very basic blog, use a different framework. And if you do, better look into static site generators.

[–] nykula@piefed.social 17 points 2 days ago

Because their app is essentially a website. News, videos, photo galleries. WP REST API is useful for writing a front-end using a different language than PHP while keeping the very convenient admin interface that most content managers are familiar with.

[–] abbiistabbii@piefed.blahaj.zone 14 points 2 days ago

Have you ever noticed that 90% of all government-owned/designed apps are absolutely horrific nightmares?

Do you think government is promoting this gov.uk app and I look at it in exactly the same way I think of full-strength Everclear: absolute concern.