- Security researchers recently discovered a serious flaw on the FIA website.
- The flaw gave them access to drivers’ personally identifiable information.
- So far, there is no indication that criminals have accessed the data.
Millions of dollars are spent on cybersecurity in Formula 1, but that has not protected drivers from having their personal information compromised.
In fact, security researchers Ian Carroll, Gal Nagli and Sam Curry claim they managed to hack the website of the sport’s governing body, the FIA, gaining access to each of the drivers’ passport, license and personal identification information.
Fortunately, there is no evidence that threat actors have exploited this FIA vulnerability, and the flaw has since been fixed, but it serves as a powerful warning to third-party websites that may think they are unlikely to be targeted.
How did they do it?
The compromise came through the FIA driver categorization website, where drivers can apply for their FIA Super Licence, which drivers must renew each year if they want to continue in the sport.
Since the portal is public and anyone can apply, researchers were able to create their own FIA license account, update their details and edit their own information. But they noticed that when they updated their profile, the server sent them more information than they entered.
For example, if they edited their name and email, the server would return their name, email, date of birth, and most importantly, their “role.” The role determines access privilege: driver, FIA staff or administrator.
So, in what appears to be a surprisingly simple mass assignment API flaw, the researchers simply changed their role to ‘admin’ and gained access.
Administrator privileges, as you can guess, gave them access to anything. This included all F1 driver applications, along with uploaded documents such as passports and personal contact information; they could even see the FIA’s internal communications about licensing decisions.
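The mass assignment pattern described above, as an added example that is not the FIA's code: a profile-update handler that copies every request field onto the stored record, next to one that binds only an allowlist and trims its response. The handler names, field names and sample record are assumptions made for illustration.

```python
# Added example: hypothetical profile-update handlers; all names are assumptions.
EDITABLE_FIELDS = {"name", "email"}   # fields a user may change on their own profile
PUBLIC_FIELDS = {"name", "email"}     # fields echoed back in the response


class RejectedUpdate(Exception):
    """Raised when a request carries a field the caller may not write."""


def update_profile_vulnerable(record: dict, body: dict) -> dict:
    # Mass assignment: every key in the request body is copied onto the stored
    # record, so a client-supplied "role" overwrites the server-side one.
    record.update(body)
    return dict(record)               # also returns every stored field


def update_profile_hardened(record: dict, body: dict) -> dict:
    # Check the whole body first; refuse (so the caller can log) anything
    # outside the allowlist, and leave the record untouched on refusal.
    unexpected = set(body) - EDITABLE_FIELDS
    if unexpected:
        raise RejectedUpdate(f"non-editable fields in request: {sorted(unexpected)}")
    for field in EDITABLE_FIELDS & set(body):
        record[field] = body[field]
    # Return only what the client needs, so internal fields such as "role"
    # are not advertised to every caller.
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def new_record() -> dict:
    # Constructed sample record.
    return {"name": "A. Driver", "email": "a@example.test",
            "date_of_birth": "1990-01-01", "role": "driver"}


if __name__ == "__main__":
    body = {"name": "New Name", "role": "admin"}   # constructed request body
    print(update_profile_vulnerable(new_record(), body))
    try:
        update_profile_hardened(new_record(), body)
    except RejectedUpdate as exc:
        print("rejected:", exc)
    print(update_profile_hardened(new_record(), {"name": "New Name"}))
```

Role changes belong on a separate endpoint that checks the caller's existing privilege on the server side; rejected requests are worth logging as a detection signal.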
“The FIA was made aware of a cyber incident related to the FIA Driver Categorization website during the summer,” a spokesperson told TechRadar Pro.
“Immediate action was taken to protect driver data and the FIA reported this issue to the relevant data protection authorities in accordance with FIA obligations. It also notified the small number of drivers affected by this issue. No other FIA digital platforms were affected by this incident.”
“The FIA has invested heavily in cybersecurity and resilience measures across its digital estate. It has implemented world-class data security measures to protect all its stakeholders and implements a security by design policy across all new digital initiatives.”
In Formula 1, data security is a high priority. Most teams even have official cybersecurity partnerships, such as Williams and Keeper Security, Bitdefender and Ferrari, and 1Password and Red Bull. The incident simply highlights that no one is safe with weak links in their suppliers, partnerships or, in this case, their governing body’s website.
