Mass Assignment Vulnerability Exposes Max Verstappen Passport and F1 Drivers' PII
The Formula 1 Grand Prix has become a major player in the cybersecurity world, with top security startups like CrowdStrike and Darktrace pouring millions of dollars into sponsoring teams. However, this influx of investment has also led to increased concerns about data protection and privacy.
Recently, our team of cybersecurity experts set out to test some of the supporting websites for the Formula 1 events for vulnerabilities. With our airline miles and connections in the cybersecurity vendor community, we were able to attend these events and get hands-on experience with the systems in question.
A Simple Vulnerability with Significant Consequences
The FIA portal at drivercategorisation.fia.com is a system used by drivers to request or update their Bronze/Silver/Gold/Platinum status and submit results for review. While this system is separate from the Super Licence, many F1 drivers appear in both and receive automatic Platinum status.
After creating an account with an email and password, we found that our user profile was updated with a simple HTTP PUT request. The JSON response contained a "roles" field, which would be exploitable if the endpoint also accepted that field from the request body, i.e. if it was vulnerable to mass assignment.
The Bug was Simple, But the Consequences were Devastating
We began investigating the JavaScript code for any logic related to this field and found that the website had several roles intended for drivers, FIA staff, and site administrators. The most intriguing one was obviously "admin", so we guessed the correct HTTP PUT request format to try to update our roles.
Our test worked exactly as predicted. The HTTP response showed that the update was successful, and we now held the administrator role for the website. We reauthenticated to refresh our session, and upon logging in we were shown an entirely new dashboard intended for FIA administrators.
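The pattern described above, as an added illustration that is not code from the FIA portal: a profile-update handler that writes every key of the request body onto the user record, beside a hardened version that copies only an allowlist of editable fields and logs attempts to set protected ones. The field names, the "roles" key and the user record layout are assumptions modelled on the writeup, not the portal's real schema.

```python
"""Mass assignment on a profile-update endpoint: vulnerable vs. hardened.
Added example; field names and record layout are assumptions."""
import json
import logging

log = logging.getLogger("profile")

# Fields a driver may legitimately change on their own account (assumed).
EDITABLE_FIELDS = frozenset({"name", "phone", "nationality"})
# Fields only server-side logic may set; never accepted from a client.
PROTECTED_FIELDS = frozenset({"roles", "email_verified", "password_hash"})


def update_profile_vulnerable(user: dict, body: str) -> dict:
    """Vulnerable pattern: every key in the JSON body is bound onto the
    model, so a body carrying {"roles": ["admin"]} escalates privilege."""
    user.update(json.loads(body))
    return user


def update_profile_safe(user: dict, body: str) -> tuple:
    """Hardened pattern: copy only allowlisted keys. Every other key is
    dropped and returned so the caller can reject or alert on it."""
    payload = json.loads(body)
    rejected = sorted(k for k in payload if k not in EDITABLE_FIELDS)
    for key in rejected:
        if key in PROTECTED_FIELDS:
            # Detection hook: a client trying to set a protected field.
            log.warning("user %s tried to set protected field %r",
                        user.get("id"), key)
    for key in EDITABLE_FIELDS & payload.keys():
        user[key] = payload[key]
    return user, rejected


def public_view(user: dict) -> dict:
    """Response serialisation: never echo secrets such as password hashes."""
    return {k: v for k, v in user.items() if k != "password_hash"}


if __name__ == "__main__":
    # Constructed request: a driver changes their phone and smuggles a role.
    body = '{"phone": "+31 000 000", "roles": ["admin"]}'
    print(update_profile_vulnerable({"id": 1, "roles": ["driver"]}, body))
    print(update_profile_safe({"id": 1, "roles": ["driver"]}, body))
```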
A Dashboard with Full Access to Driver PII
We seemed to have full admin access to the FIA driver categorisation website. To validate our finding, we attempted to load a driver's profile and observed the user's password hash, email address, phone number, passport, resume, and all related PII.
Additionally, we could load all internal communications related to driver categorisation, including performance evaluations and committee decisions. We even managed to access Max Verstappen's passport, resume, licence, and password hash, as well as sensitive information on other F1 drivers holding a categorisation.
A Sensitive Data Breach Awaits
Data of this kind was exposed for every F1 driver with a categorisation, alongside internal FIA operations. We must emphasize that we did not access any passports or sensitive information and have deleted all the data in question.
A Cautionary Tale for Cybersecurity
This vulnerability highlights the importance of robust security controls and regular testing to prevent similar breaches in the future. As cybersecurity experts, it is our responsibility to sound the alarm and help ensure that such incidents are not repeated.