Every Formula 1 driver on the grid just had their passport and license details leaked - but it could have been so much worse
Despite their many cybersecurity partnerships, F1 drivers can still get hacked

- Security researchers recently discovered a serious bug in the FIA website
- The flaw gave them access to personally identifiable information of drivers
- So far, there's no suggestion criminals have accessed the data
Millions of dollars are spent on cybersecurity in Formula 1, but that hasn’t protected the sport's drivers from having their personal information compromised.
In fact, security researchers Ian Carroll, Gal Nagli, and Sam Curry claim they managed to hack the website of the sport's FIA governing body, gaining access to every single driver’s passport, license, and PII.
Luckily, there’s no evidence this FIA vulnerability was exploited by threat actors, and the flaw has since been fixed, but it does serve as a powerful warning for third-party websites that may think they are too niche to be targeted.
How did they do it?
The compromise came through the FIA’s driver categorization website, where drivers can apply for their FIA Super License - which drivers need to renew each year if they want to continue in the sport.
Since the portal is public, and anyone can apply, researchers were able to create their own FIA license account, update their details, and edit their own information. But they noticed that when they updated their profile, the server sent back more information than they had entered.
For example, if they edited their name and email, the server would send back their name, email, birthdate, and crucially, their ‘role’. The ‘roles’ refer to the access privilege - driver, FIA staff, or admin.
So, in what seems to be a shockingly simple ‘Mass Assignment’ API flaw, the researchers simply changed their access to ‘admin’ - and gained access.
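The mass-assignment pattern described above, shown beside an allow-list fix. This is an added example, not code from the article, the researchers or the FIA; the handler names, the field names (including "roles") and the sample record are assumptions constructed for illustration.

```python
from copy import deepcopy

# Constructed record; the field names are assumptions based on the article.
SAMPLE_USER = {"id": 7, "name": "Test Driver", "email": "t@example.test",
               "birthdate": "1990-01-01", "roles": ["driver"]}

# Fields a user may change on their own profile. "roles" is deliberately absent.
SELF_EDITABLE = {"name", "email", "birthdate"}


class RejectedField(ValueError):
    """Raised when a request body carries a field the caller may not set."""


def update_profile_vulnerable(user, body):
    # Mass assignment: every key in the request body is bound to the record,
    # including privilege fields the form never displayed.
    updated = deepcopy(user)
    updated.update(body)
    return updated


def update_profile_hardened(user, body):
    # Allow-list binding: reject the whole request if any key is unexpected,
    # so the attempt fails loudly and can be logged for detection.
    unexpected = sorted(set(body) - SELF_EDITABLE)
    if unexpected:
        raise RejectedField(f"fields not editable by user: {unexpected}")
    if not all(isinstance(value, str) for value in body.values()):
        raise RejectedField("profile fields must be strings")
    updated = deepcopy(user)
    updated.update(body)
    return updated


def is_admin(user):
    return "admin" in user["roles"]


if __name__ == "__main__":
    # Constructed request body: a normal edit plus a privilege field.
    body = {"name": "New Name", "roles": ["admin"]}
    print("vulnerable handler grants admin:",
          is_admin(update_profile_vulnerable(SAMPLE_USER, body)))
    try:
        update_profile_hardened(SAMPLE_USER, body)
    except RejectedField as err:
        print("hardened handler rejected request:", err)
```

Role changes then belong in a separate endpoint that checks the caller's own privileges on the server before writing anything.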
The admin privileges, as you can guess, gave them access to anything and everything. This included all F1 driver applications, along with their uploaded documents such as passports and personal contact information - they could even see internal FIA communications regarding license decisions.
“The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer," a spokesperson told TechRadar Pro.
"Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations. It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident."
“The FIA has invested extensively in cyber security and resilience measures across its digital estate. It has put world class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives.”
In Formula 1, data security is a high priority. Most teams even have official cybersecurity partnerships - such as Williams and Keeper Security, Bitdefender and Ferrari, and 1Password and Red Bull - which just underlines that no one is safe with weak links in their vendors, partnerships, or in this case, their governing body's website.


Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.