- Security researchers recently found a severe bug in the FIA website
- The flaw gave them access to personally identifiable information of drivers
- So far, there is no suggestion criminals have accessed the information
Hundreds of thousands of dollars is spent on cybersecurity in Formula 1, but that hasn’t protected the sport’s drivers from having their personal information compromised.
In fact, security researchers Ian Carroll, Gal Nagli, and Sam Curry claim they managed to hack the website of the sport’s governing body, the FIA, gaining access to every single driver’s passport, license, and PII.
Luckily, there’s no evidence this FIA vulnerability was accessed by threat actors, and the flaw has since been fixed, but it does serve as a powerful warning for third-party websites which may think they might be too niche to be targeted.
How did they do it?
The compromise came through the FIA’s driver categorization website, where drivers can apply for their FIA Super License – which drivers need to renew each year if they want to continue in the sport.
Since the portal is public, and anyone can apply, researchers were able to create their own FIA license account, update their details, and edit their own information. But they noticed that when they updated their profile, the server sent them more information than they entered.
For example, if they edited their name and email, the server would send back their name, email, birthdate, and crucially, their ‘role’. The ‘roles’ refer to the access privilege – driver, FIA staff, or admin.
So, in what seems to be a shockingly simple ‘Mass Assignment’ API flaw, the researchers simply changed their access to ‘admin’ – and gained access.
The admin privileges, as you can guess, gave them access to anything and everything. This included all F1 driver applications, along with their uploaded documents such as passports and personal contact information – they could even see internal FIA communications regarding license decisions.
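The flaw class described above, shown as an added example (constructed for illustration, not the FIA's code): a profile-update handler that copies every request field onto the account record, next to a version that accepts only an allowlist and does not echo `role` back. The `Account` fields, function names and allowlist are assumptions.

```python
from dataclasses import dataclass, asdict

# Assumed for illustration: what a user may change on their own profile,
# and what the API may send back to the account owner.
SELF_EDITABLE = frozenset({"name", "email"})
RESPONSE_FIELDS = ("name", "email", "birthdate")


@dataclass
class Account:
    name: str
    email: str
    birthdate: str
    role: str = "driver"  # driver, staff or admin


class RejectedField(ValueError):
    """Raised when a request tries to set a field the caller may not edit."""


def update_profile_vulnerable(account: Account, body: dict) -> dict:
    # Mass assignment: every key in the request body is bound to the record,
    # so a client-supplied "role" overwrites the server-side privilege.
    for key, value in body.items():
        if hasattr(account, key):
            setattr(account, key, value)
    return asdict(account)  # the response also exposes "role" to the client


def update_profile_hardened(account: Account, body: dict) -> dict:
    # Allowlist binding: reject the whole request on any unexpected key, so
    # the attempt is visible in logs instead of being silently dropped.
    unexpected = set(body) - SELF_EDITABLE
    if unexpected:
        raise RejectedField(f"fields not editable: {sorted(unexpected)}")
    # Validate everything first, then apply, to avoid partial updates.
    clean = {}
    for key, value in body.items():
        if not isinstance(value, str) or not value.strip():
            raise RejectedField(f"invalid value for {key}")
        clean[key] = value.strip()
    for key, value in clean.items():
        setattr(account, key, value)
    # Serialize an explicit field list; privilege data never leaves the server.
    return {field: getattr(account, field) for field in RESPONSE_FIELDS}
```

Role changes belong on a separate endpoint that checks the caller's own privilege on the server side, never on the self-service profile route.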
“The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer,” a spokesperson told TechRadar Pro.
“Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations. It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident.”
“The FIA has invested extensively in cyber security and resilience measures across its digital estate. It has put world class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives.”
In Formula 1, data security is a high priority. Most teams even have official cybersecurity partnerships – such as Williams and Keeper Security, Bitdefender and Ferrari, and 1Password and Red Bull – which simply underlines that nobody is protected if there are weak links in their distributors, partnerships, or in this case, their governing body’s website.
