As a loooong-time F1 fan and a breach blogger, of course I had to read this report on hacking F1.
Introduction
With security startups getting flooded with VC funding in the past few years, some of the biggest networking events have centered themselves around the Formula 1 Grand Prix. Companies like CrowdStrike and Darktrace spend millions of dollars sponsoring teams, while others like Bitdefender have official partnerships to be a racing team’s cybersecurity partner.
Having been able to attend these events by hoarding airline miles and schmoozing certain cybersecurity vendors, Gal Nagli, Sam Curry, and I thought it would be fun to try and hack some of the different supporting websites for the Formula 1 events.
This blog is part 1 of 3 in a series of vulnerabilities found in Formula 1.
Gal Nagli previews it all on LinkedIn:
We found a way to access Max Verstappen’s passport, driver’s license, and personal information. Along with every other Formula 1 driver’s sensitive data.
It took us 10 minutes using one simple security flaw 👇
Together with Ian Carroll (Seats.aero founder) and Sam Curry (Independent security researcher), we discovered a Mass Assignment vulnerability in the FIA – Fédération Internationale de l’Automobile Driver Categorization Portal, which allowed us to become administrators in their system.
Now that they have your attention, read Part 1 of the series for the details at ian.sh.