Mass Assignment Vulnerability Exposes Max Verstappen Passport and F1 Drivers PII
6 months ago
- #Vulnerability
- #Cybersecurity
- #Formula1
- Security startups and cybersecurity companies like CrowdStrike, Darktrace, and Bitdefender heavily sponsor Formula 1 events.
- Researchers discovered vulnerabilities in Formula 1 supporting websites, focusing on the FIA Driver Categorisation portal.
- F1 drivers require an FIA Super Licence, and their categorisation (Bronze/Silver/Gold/Platinum) is managed via the FIA portal.
- The FIA portal had a vulnerability allowing privilege escalation via a simple HTTP PUT request to update user roles.
- By manipulating the 'roles' parameter in the JSON response, researchers gained admin access to the FIA portal.
- Admin access revealed sensitive information, including F1 drivers' PII, passport details, resumes, and internal FIA communications.
- The vulnerability was responsibly disclosed to the FIA, leading to a prompt fix and site takedown.
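
The class of bug described above, shown as an added example that is not the FIA portal's code or the researchers': a profile-update handler that copies every key of the request body onto the user record, beside a hardened form that binds only allowlisted fields and moves role changes to a separately authorised path. The `User` model, the field names, the `driver`/`admin` role values and all function names are assumptions made for illustration.

```python
# Constructed example: the schema, role names and function names are assumptions.
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str
    first_name: str
    roles: list = field(default_factory=lambda: ["driver"])


# Fields a user may change on their own profile; everything else is server-controlled.
SELF_EDITABLE = frozenset({"email", "first_name"})


class RejectedUpdate(ValueError):
    """Raised when a request body names fields the caller may not set."""


def update_profile_vulnerable(user: User, body: dict) -> User:
    # Mass assignment: every key in the JSON body is copied onto the model,
    # so a body that contains "roles" rewrites the caller's own privileges.
    for key, value in body.items():
        setattr(user, key, value)
    return user


def update_profile_hardened(user: User, body: dict, audit_log: list) -> User:
    # Reject and log any field outside the allowlist, so an attempt to set
    # "roles" or "id" fails closed and is visible to detection.
    unexpected = sorted(set(body) - SELF_EDITABLE)
    if unexpected:
        audit_log.append({"user_id": user.id, "rejected_fields": unexpected})
        raise RejectedUpdate(f"fields not editable: {unexpected}")
    # Validate everything first, then apply, so a bad value changes nothing.
    cleaned = {}
    for key, value in body.items():
        if not isinstance(value, str) or not value.strip():
            raise RejectedUpdate(f"invalid value for {key}")
        cleaned[key] = value.strip()
    for key, value in cleaned.items():
        setattr(user, key, value)
    return user


def change_roles(actor: User, target: User, new_roles: list) -> User:
    # Role changes use a separate path that checks the actor's authority.
    if "admin" not in actor.roles:
        raise PermissionError("only admins may change roles")
    target.roles = list(new_roles)
    return target
```

The audit entries written on rejection give monitoring a signal for requests that try to set server-controlled fields.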