"We found a way to access Max Verstappen's passport, driver's license, and personal information. Along with every other Formula 1 driver's sensitive data. It took us 10 minutes using one simple security flaw 👇 Together with Ian Carroll ( Seats.aero founder) and Sam Curry (Independent security researcher) we discovered a Mass Assignment vulnerability in the FIA - Fédération Internationale de l'Automobile Driver Categorization Portal, which allowed us to become administrators in their system."
"With security startups getting flooded with VC funding in the past few years, some of the biggest networking events have centered themselves around the Formula 1 Grand Prix. Companies like CrowdStrike and Darktrace spend millions of dollars sponsoring teams, while others like Bitdefender have official partnerships to be a racing team's cybersecurity partner. Having been able to attend these events by hoarding airline miles and schmoozing certain cybersecurity vendors, Gal Nagli, Sam Curry, and I thought it would be fun to try and hack some of the different supporting websites for the Formula 1 events."
Security startups and cybersecurity vendors have become prominent sponsors and partners of Formula 1 teams and events. Researchers Gal Nagli, Sam Curry, and Ian Carroll investigated supporting event websites for security weaknesses. A Mass Assignment vulnerability in the FIA Driver Categorization Portal enabled escalation to administrator privileges. The flaw granted access to sensitive personal documents, including passports and driver's licenses for Max Verstappen and other drivers. The exploit required roughly ten minutes to perform. The discovery is presented as part one of a three-part series detailing vulnerabilities affecting Formula 1 systems.
Read at DataBreaches.Net
Unable to calculate read time
Collection
[
|
...
]