Someone pretended to be a mayor and the government gave him a .gov domain

You can pretend to be anyone on the internet. Even the mayor of a small town.

A security researcher did just that and acquired an official .gov domain name, which could have been used to spread fake emergency alerts or ask Facebook for private user information.

The researcher successfully registered the domain name exeterri.gov after posing as the mayor of the Exeter, Rhode Island — a small town with a population of less than 6,500 people.

According to the individual, who reached out to cybersecurity reporter Brian Krebs of Krebs on Security, all they had to do was set up a fake Google Voice number and Gmail address, both completely unaffiliated with the town. After that, they filled out an official authorization form, which basically asks for the same contact information a registrar like GoDaddy or Namecheap would require.

The documents needed to be printed on the town government’s official letterhead, which the researcher obtained by searching for other official Exeter documents online.

According to a town clerk from Exeter, the only inquiry the city received from the GSA came 10 days after the researcher’s fake registration was approved. And the GSA only called Exeter after Krebs on Security asked about the domain.

While the exeterri.gov domain has since been revoked, this case exposes serious flaws in the system that could be used for nefarious purposes.

For example, the researcher was able to sign up for Facebook’s law enforcement subpoena request system, which provides law enforcement and government entities with personal user records.

“GSA is working with the appropriate authorities and has already implemented additional fraud prevention controls,” said the agency in a statement to Krebs on Security.

Before it was taken down, the researcher's .gov domain displayed the same content as the official Exeter website. It’s not hard to imagine someone using the fake site to spread fear through terror alerts, or ruin reputations with false arrest records, or post inaccurate voting information to sway an election.

Sure, that be considered wire fraud or criminal impersonation. But some people — say, foreign entities — might be willing to risk prosecution.

Initially, .gov domain names were only open to federal U.S. institutions. Now they're open to state and local governments. Last month, a bill was introduced in Congress to improve oversight over government domains by the Cybersecurity and Infrastructure Security Agency.