- Digital Trust in Danger: When Authorities Forget Their Old Domains
- Federal Office for Refugees
- Old References as a Persistent Security Risk
- Lack of Transparency and Missing Rules
The renaming of a federal agency requires not only the replacement of signs and letterheads but also that of the associated internet address. If such formerly state-used domains are abandoned after some time, this can lead to significant security problems.
Due to their history, these addresses continue to enjoy high trust, are linked in academic papers or by news media, and are easily found in search engines. These factors make them an ideal target for fraudsters and disseminators of disinformation. Under former government web addresses, one can now find advertisements for illegal gambling, online casinos, betting providers, and even malware.
Federal Office for Refugees
A striking example of this is the old domain of today’s Federal Office for Migration and Refugees (Bundesamt für Migration und Flüchtlinge, BAMF), which until 2005 was still called the Federal Office for the Recognition of Foreign Refugees (Bundesamt für die Anerkennung ausländischer Flüchtlinge, BAFl). After the renaming, the address changed from bafl.de to bamf.de. Although the old URL redirected to the new one for years, it was eventually abandoned. In 2025, IT security researcher Tim Philipp Schäfers discovered that bafl.de was again available for registration. Previously, a strange but seemingly harmless website with questionable information about asylum issues had temporarily resided there.
Schäfers, who had previously uncovered bizarre test accounts at the BAMF, secured the domain, according to a report that has now been published. To his surprise, he found that requests were still being sent to bafl.de from federal networks, the infrastructure that connects authorities and thousands of employees.
This indicated that internal IT systems, possibly due to misconfiguration, were still automatically contacting an address that was no longer under federal control. According to the discoverer, such persistent anchoring in systems poses a significant security risk: whoever holds the domain can learn about the internal IT infrastructure from the constant requests and, in the worst case, manipulate the systems that send them.
Old References as a Persistent Security Risk
Although the Federal Office for Information Security (BSI) and the BAMF reacted to the security expert’s report and initiated the deletion of the reference to bafl.de from all configurations at ITZBund, the automated requests did not stop. The incident underscores that a domain should only be released when it is ensured that it is no longer used internally on any system. The BAMF shared this assessment retrospectively, according to Netzpolitik.org. It intends to pay more attention to continuing to register unused domains for security reasons.
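The article's lesson is that a domain can only be released once no internal system still resolves it, and that removing it from configurations is not proof of that. The following added example (not from the article or any agency) shows one way to verify this from the defender's side: it scans BIND-style resolver query logs for lookups of decommissioned domains (and their subdomains) and reports which internal hosts still query them. The log lines, hosts and the second domain are constructed placeholders; bafl.de is the case from the text.

```python
import re
from collections import defaultdict

# Domains the organisation has stopped using but still owns. bafl.de is the
# case from the article; old-campaign.example is a constructed placeholder.
DECOMMISSIONED = {"bafl.de", "old-campaign.example"}

# Constructed sample lines resembling BIND "query" log output.
SAMPLE_LOG = """\
12-Mar-2025 08:01:02.123 client 10.20.30.40#51234: query: www.bamf.de IN A + (10.0.0.1)
12-Mar-2025 08:01:05.456 client 10.20.30.41#51235: query: update.bafl.de IN A + (10.0.0.1)
12-Mar-2025 08:02:07.789 client 10.20.30.40#51236: query: bafl.de IN AAAA + (10.0.0.1)
12-Mar-2025 08:03:09.012 client 10.20.31.7#51237: query: old-campaign.example IN A + (10.0.0.1)
12-Mar-2025 08:03:11.345 client 10.20.30.41#51238: query: notbafl.de IN A + (10.0.0.1)
"""

LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")

def matches_decommissioned(qname, decommissioned=DECOMMISSIONED):
    """Return the decommissioned domain that qname equals or is a subdomain of, else None.
    The dot-prefix check keeps look-alikes such as notbafl.de from matching."""
    name = qname.rstrip(".").lower()
    for dom in decommissioned:
        if name == dom or name.endswith("." + dom):
            return dom
    return None

def stale_lookups(log_text, decommissioned=DECOMMISSIONED):
    """Map each decommissioned domain to {source_ip: sorted list of queried names}.
    An empty result is the evidence needed before a domain may be released."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line; ignore
        dom = matches_decommissioned(m["qname"], decommissioned)
        if dom:
            hits[dom][m["src"]].add(m["qname"].rstrip(".").lower())
    return {d: {ip: sorted(n) for ip, n in srcs.items()} for d, srcs in hits.items()}

if __name__ == "__main__":
    for dom, sources in stale_lookups(SAMPLE_LOG).items():
        print(f"{dom}: still queried by {len(sources)} internal host(s)")
        for ip, names in sources.items():
            print(f"  {ip}: {', '.join(names)}")
```

Running it against real resolver logs after a configuration cleanup shows whether the requests actually stopped or, as in the BAMF case, are still coming from hosts that were not covered by the cleanup.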
A response from the federal government to an inquiry by the Left Party proves that this is not an isolated case. According to the response, several domains formerly used by ministries or their subordinate agencies were registered by third parties and misused. One example is an old URL of the Ministry of Agriculture. Today, it still provides information about bioenergy crops but displays links to gambling and betting providers.
The Federal Institute for Public Health (BIÖG), formerly the Federal Centre for Health Education, also struggles with unused domains from previous health campaigns. These now also link to illegal online casinos. Another domain, once used for children’s songs, even distributes malware. While some ministries reported such cases, others simply signaled "nothing to report." This seems unbelievable given the scale of federal domain management and the BAFl case.
Lack of Transparency and Missing Rules
Left Party Member of Parliament Donata Vogtschmidt laments a "total failure" in securing trustworthy web presences. Vogtschmidt considers the situation insufficient because, according to the government, there are no uniform rules for handling domains that are no longer needed; responsibility lies with the respective agency.
The government refuses to disclose a systematic list of all domains held by the federal government and their costs, as this could endanger the security of the Federal Republic. This secrecy hinders internal inventory management as well as external transparency and necessary security research. Estimates of the number of domains with government content run into the thousands, highlighting the scale of the potential security problem.
To build trust and prevent misuse from the outset, the consistent use of subdomains under bund.de or the new digital umbrella brand gov.de could help. The latter, intended to identify official websites, is still in its pilot phase and is not mandatory. According to IT experts, consistent domain management, strong authentication, and control instead of secrecy would be more effective in making the federal government’s digital presences more resilient against misuse.
(wpl)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.