We found a way to access Max Verstappen's passport, driver's license, and personal information. Along with every other @Formula1 driver's sensitive data. It took us 10 minutes using one simple security flaw 🧵
Together with @samwcyo and @iangcarroll - all 3 of us being avid Formula1 Fans, we were looking at the security of the whole ecosystem. That's how we stumbled upon a severe vulnerability in a critical portal managed by the @fia, that was reported and fixed in <24 hours.
To race in F1, drivers need an FIA Super Licence - the golden ticket of motorsport. The @fia (@F1's governing body) also categorizes drivers as Bronze/Silver/Gold/Platinum for other racing events. This is managed through a web portal - https://driverscategorisation....
The portal is public - anyone can create an account to apply for driver categorization. You upload documents, submit your racing history, and wait for approval. Same goes for professional F1 drivers - they get automatic Platinum status and use the same system.
We created a test account to poke around. Like any website, you can update your profile - change your name, email, etc. Nothing special. Just a normal user editing their own information. But then we noticed something interesting...
When we sent a request to update our profile, the server sent back MORE information than we gave it. We sent: name and email. We got back: name, email, birthdate, status, and... a field called "roles". Why would the server tell us about roles? 🤔
We looked at the website's code and found different role types: DRIVER (regular users), FIA_STAFF (employees), ADMIN (full access). We had a theory: What if we just... asked to be an admin? Would the server actually check? Or just trust us?
We modified our profile update to include: "Make me an ADMIN" (technically: added an ADMIN role to the JSON request). Hit send. Got back: HTTP 200 Success. Wait... did that actually work? (Yes it did...)
We logged back in. The entire interface changed. We weren't seeing a driver's dashboard anymore. We were seeing the ADMINISTRATOR panel - with access to: every driver application, all uploaded documents, internal FIA comments, staff management tools.
We could also see internal FIA communications: Committee discussions about driver performance, private evaluations, and confidential decision-making processes. Everything the FIA staff could see - we could see. One request turned us from users into administrators.
For the sake of it we looked up Max Verstappen's @Max33Verstappen profile, which allowed us to download: his passport, his personal contact info, his FIA correspondence, his license documents.
Important Clarification - We did NOT download or save any passports or sensitive personal information. We validated the vulnerability existed, took screenshots for proof, and immediately stopped testing. All test data was deleted. No driver information was compromised by us.
So what was the bug? It's called "Mass Assignment" - a classic web/API security flaw. In simple terms: the server trusted whatever we sent it, without checking if we were ALLOWED to change those fields.
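The bug described in this thread, as an added illustration (not the FIA portal's code): a profile-update handler that merges the client's JSON straight into the stored record, beside a hardened version that allow-lists the self-editable fields and stops echoing "roles" in the response. The field names follow the thread; the sample profile, the allow-lists and the ForbiddenField error type are assumptions.

```python
from copy import deepcopy

# Constructed sample: a stored DRIVER profile as the portal's database might hold it.
STORED_PROFILE = {
    "name": "Test Driver",
    "email": "test@example.invalid",
    "birthdate": "1990-01-01",
    "status": "PENDING",
    "roles": ["DRIVER"],
}
# Allow-lists (assumed policy): fields a user may change, and fields the response may echo.
SELF_EDITABLE = {"name", "email"}
SELF_VISIBLE = {"name", "email", "birthdate", "status"}
# The request from the thread: a normal edit with an ADMIN role smuggled into the JSON.
ATTACK_BODY = {"name": "Test Driver", "roles": ["DRIVER", "ADMIN"]}


class ForbiddenField(ValueError):
    """Assumed error type: the client tried to set a field it may not change."""


def update_profile_vulnerable(profile: dict, body: dict) -> dict:
    """The bug: merge whatever JSON the client sent straight into the record.
    'roles' is just another key, so the client can grant itself ADMIN."""
    updated = deepcopy(profile)
    updated.update(body)
    return updated


def update_profile_hardened(profile: dict, body: dict) -> dict:
    """The fix: reject any field outside the allow-list rather than silently drop it.
    Rejecting loudly also yields a log event when someone probes for mass assignment."""
    unexpected = set(body) - SELF_EDITABLE
    if unexpected:
        raise ForbiddenField(f"not self-editable: {sorted(unexpected)}")
    updated = deepcopy(profile)
    updated.update(body)
    return updated


def response_view(profile: dict) -> dict:
    """Echo only allow-listed fields, so the response no longer reveals 'roles'."""
    return {k: v for k, v in profile.items() if k in SELF_VISIBLE}


def is_admin(profile: dict) -> bool:
    return "ADMIN" in profile.get("roles", [])


def hardened_rejects(body: dict) -> bool:
    try:
        update_profile_hardened(STORED_PROFILE, body)
    except ForbiddenField:
        return True
    return False
```

Role changes belong on a separate, staff-only endpoint with its own authorization check; the self-service handler should never be able to reach that field at all.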
We worked with the @fia to promptly fix the issue. Shoutout to their team for the rapid response and taking the matter seriously.
To read more about our work, and next blogs to come - follow along @samwcyo, @iangcarroll and check our blog post: https://x.com/iangcarroll/stat... http://ian.sh/fia Thank you for your attention 🫡
@samwcyo @iangcarroll direct blog link - http://ian.sh/fia