Mass Assignment Vulnerability Exposes Max Verstappen Passport and F1 Drivers PII
38 comments
·October 22, 2025jacquesm
awesome_dude
Rule 1.
NEVER trust user supplied data.
Once that rule was broken, any other rules broken became clear to everyone
LorenDB
Ian, it would be great to see an RSS feed on your website if you want to gain another regular reader :)
heavyset_go
Seconding this
galnagli
Ian is a great writer
paddleon
missed opportunity to grant the authors a F1 super license and get the chance to actually drive one of the cars!
mvkel
I was blown away while traveling to Europe that -for- GDPR purposes, the property manager of the place we were renting required the passport info of everyone that was staying on the property.
In order to "ensure our information was being handled properly," we needed to hand it over via email, in a shoddy PDF form.
Whatever the intent was of consumer data protection, it has already profoundly been weaponized (at worst), and turned into leaky surface area (at best).
9dev
They may have said that process was related to GDPR, but that was either a lie or someone with so little understanding for basic laws that I wonder about their capability to conduct business at all.
Everything about this is prohibited and discouraged under GDPR.
forgotaccount22
Archaic company has archaic security. Well done on the RD, but boy does it not surprise me one bit. Would almost be willing to bet that the hash was MD5 too.
zozbot234
It's an F1 racing site, their job is literally to move fast and break things. https://xkcd.com/1428/
olyjohn
You break things in F1, you lose. Reliability and consistency is key.
intheitmines
Just out of interest have you had any legal threats etc from this kind of probing if they don't have explicit bug bounty programs? Also do you ever get offered bounties in on reporting where there wasn't a program?
zozbot234
The kind of probing they did and described in the blogpost, with the attempt to raise their privileges to admin is legally fishy AIUI. Usually this kind of thing would be part of a formal, agreed-to "red teaming" or "penetration testing" exercise, precisely to avoid any kind of legal liability and establish necessary guidelines. Calling an attempted access "ethical" after the fact is not enough.
forgotaccount22
When I was still in university I reported a vulnerability and when the company started threatening me with legal action, my professor wrote a strongly worded email and they dropped it. Haven't had it since in 8 years. Feels like many companies understand what we do now, atleast compared to 10 years ago.
iancarroll
Actual legal threats are uncommon but I have seen some companies try to offer a bribe disguised as a retroactive bug bounty program, in exchange for not publishing. Obviously it is important to decline that.
GEBBL
Strange, the site is run by an Ian Carroll, but the examples show Sam Curry, who is a very famous bug bounty hunter.
gregschlom
From the post:
"Having been able to attend these events by hoarding airline miles and schmoozing certain cybersecurity vendors, Gal Nagli, Sam Curry, and I thought it would be fun to try and hack some of the different supporting websites for the Formula 1 events."
captnasia
if you look at his other posts, it looks like they collaborate often.
null
whatever1
Just use a framework to build your site. Don’t reinvent the wheel!
ChaseRensberger
i respectfully disagree with this sentiment. i think that in general, reinventing the wheel can be a great learning opportunity in understanding how the wheel works.
catoc
Reinventing the wheel for Formula 1 driving…
dmoy
Depending on the wheel, maybe. Nowadays it's more standardized - same rims for example. The tires are standardized.
There's a lot less freedom in reinventing the wheel in formula 1 nowadays
https://www.formula1-dictionary.net/wheels.html
The steering wheel of course isn't even a wheel anymore, for a long time. It's some video game console / airplane cockpit looking monstrosity.
samarthr1
I funnily just read a whole Twitter thread that had this same thesis, not 45 minutes ago... What a small world
jonplackett
But maybe do that on a smaller scale personal project?
AnimalMuppet
It can. But it can be very bad at producing wheels that don't break.
adamtaylor_13
Not if you understand how the wheel works. That's the whole point.
motorest
> Just use a framework to build your site. Don’t reinvent the wheel!
How do you arrive at that conclusion after reading an article on how an API had a broken access control vulnerability?
renewiltord
He’s being sarcastic and suggesting using some out of the box rbac thing.
luxuryballs
well at least it was a password hash :D
dmitrygr
Don't get too excited. They never said what kind of hash. Given the rest of the site's security design, might have easily been unsalted md5
Group_B
There's probably another rockyou out there waiting to happen
huflungdung
[dead]
That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.
I hope you got at least free tickets for life out of this.