Max Verstappen and others

Security vulnerability exposed Formula 1 driver data

[Image: Verstappen. Image source: QIAN JUN / Shutterstock.com]

A security flaw in the FIA’s IT systems allowed three security researchers to access confidential information, including personal data belonging to Max Verstappen and other Formula 1 drivers.

While the vulnerability has since been patched, the incident highlights the risks associated with digital management platforms in motorsport.


FIA Super License and Driver Categorization

Formula 1 drivers require an FIA Super License to compete in races. Additionally, many F1 drivers participate in other racing events, for which the FIA operates a separate portal called Driver Categorization.

This portal requires users to create an account and upload numerous documents, including passports, driving licenses, and race results. Through this system, sensitive personal information such as contact details, qualifications, and previous racing performance data is collected and managed.

Discovery of the security flaw

Researchers Gal Nagli, Sam Curry, and Ian Carroll examined the portal and identified a weakness in the HTTP communication. A simple HTTP PUT request used for profile updates allowed them to gain administrator privileges through a role function.
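The bug class described here, a profile-update request that also accepts a role field, is commonly called mass assignment. The following is an added illustration, not code from the FIA portal or from the researchers; all field names, roles and the sample request body are assumptions. It shows the unsafe pattern next to a handler that copies only allow-listed fields and records any attempt to set a server-controlled one.

```python
# Added illustration: field names and roles are hypothetical, not the FIA portal's.
import copy

EDITABLE_FIELDS = {"display_name", "email", "phone"}  # what users may change themselves
PRIVILEGED_FIELDS = {"id", "roles"}                   # server-controlled only


def update_profile_unsafe(user, body):
    """Mass-assignment pattern: every key in the request body is written to the record."""
    updated = copy.deepcopy(user)
    updated.update(body)
    return updated


def update_profile_safe(user, body, audit_log):
    """Copy only allow-listed fields; reject and record anything else."""
    unexpected = sorted(set(body) - EDITABLE_FIELDS)
    if unexpected:
        # Keep a record so monitoring can alert on attempts to set privileged fields.
        audit_log.append({
            "user_id": user["id"],
            "rejected_fields": unexpected,
            "privileged": sorted(set(unexpected) & PRIVILEGED_FIELDS),
        })
        return 400, user
    updated = copy.deepcopy(user)
    for key in EDITABLE_FIELDS & set(body):
        value = body[key]
        if not isinstance(value, str) or len(value) > 254:
            return 400, user  # reject malformed values, leave the record unchanged
        updated[key] = value
    return 200, updated


def demo():
    user = {"id": 42, "display_name": "Test Driver", "email": "t@example.test",
            "phone": "", "roles": ["driver"]}
    # Constructed request body: a normal profile edit plus a role field
    # that a client should never be able to set.
    body = {"display_name": "Test Driver", "roles": ["admin"]}
    audit = []
    unsafe = update_profile_unsafe(user, body)
    status, safe = update_profile_safe(user, body, audit)
    return unsafe["roles"], status, safe["roles"], audit


if __name__ == "__main__":
    print(demo())
```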


This access enabled them to view extensive driver data, including passport information, email addresses, phone numbers, résumés, and password hashes. They were also able to access internal communications related to the Driver Categorization system, including driver evaluations and committee decisions. When the researchers realized they could access Max Verstappen’s data, they immediately ceased their testing.

FIA’s response

The FIA was notified of the incident on June 3rd and took the website offline the same day. Three days later, a comprehensive fix was implemented. An FIA spokesperson emphasized that immediate steps were taken to protect driver data. The relevant data protection authorities were also informed, and affected drivers were notified. Other FIA digital platforms were not impacted.

The incident underscores the importance of security testing and continuous monitoring of administrative portals, particularly when they contain highly sensitive personal data. Even in professional sports, organizations must rely on robust IT security measures to prevent data breaches.

Pauline Dornig, online editor, IT Verlag GmbH

Pauline Dornig joined the IT Verlag team as an online editor in May 2020. (pd)