Accessing Max Verstappen's passport and PII through FIA bugs (opens in new tab)

I hope you never handle other people's PII with that attitude. It should well and beyond be treated more securely by a company collecting it than some random person's house or individual set up, there are laws about this.

Sure, hate on the person pointing at the fire instead of the people holding the matches.

If you aren’t prepared to face criticism after a failure, you shouldn’t participate in a professional environment. Without people pointing out where it went wrong you’ll never j ow what to improve upon. Because if you knew, and chose not to act..now that would be a whole new level of incompetence.

Security has to be the #1 priority in computing, unlike your house which probably doesn't need to be fortified like a prison. The reason is that unlike your house, a computer system is exposed to 8 billion people at all times, and maybe 7 billion of them will face no consequences if they break in and steal your stuff.

That's what you choose for yourself.

How do you feel if that's also what your bank chooses for you?

I get told at least a couple of times every month that security and business continuity are a complete waste of time for your average company. So this isn't post-hoc, it is more like 'the dumb fucks don't even practice the basics and they could - and should - have known better'.

I wonder how much the FIA being European affected the response. Would they have been as quick to react if they were American and knew they'd only be facing a relatively small class-action settlement?

Some additional relevant information:

When the changes that toughened the § 202 StGB were made in 2007, there were a lot of public rallies against it in which many programmers participated. These were ignored by the politicians in power. This (together with other worrying political events) even lead to a temporary upcoming of a new party (Piratenpartei) in Germany.

The fact that these rallies were ignored by the politicians in power lead to the situation that from then on by many programmers the German politicians got considered to be about as trustworthy as child molesters who have relapsed several times.

Lesson: instead of being the good guy and reporting shit, just sell it on black market.

Good-faith security research[0] is the only way this industry will move forward, for better or worse. It is clear that most companies do not want to invest in anything further like VDPs.

[0] https://www.justice.gov/archives/opa/pr/department-justice-a...

Without any sort of formally posted bug bounty program explicitly authorizing this sort of activity the CFAA prohibits unauthorized access of "protected computers". I would classify this as legally risky. If FIA had a stick up their ass they could definitely come after the researcher. The researcher's ethical standing is pretty clean in my book, but this was definitely a little more than just changing a URL parameter (only a little more). I would say this is unsafe to do if you are in the united states. The stopping point was somewhere around "I think I could provide the admin role" and reaching out to the best contact you can find and say "Hey, I am an ethical white hat security researcher and I noticed X and Y and in my experience when I see this there is a pretty reasonable chance this privilege escalation vulnerability exists. The chance it exists is high enough in my experience that you should treat it like it exists and examine your authorization code. If you would like I can validate this on my end as well if you give me permission to examine this issue. I am an ethical security researcher" ---> point over to your website and disclosed issues if you got em. To just do it is ehh... I would not take the risk. However if I /did/ do it I would definitely disclose it to them immediately and give an explanation like the above. Shooting the messenger in this case would be pretty asinine, especially if they didn't access anything sensitive, that would preclude FIA from having any evidence you did anything sketchy (cause you did not). The reason I would not do it is because you never know if a system like this pre-fetches data, etc. and that is definitely opening you up to liability of possessing PII etc. Overall, I have disclosed issues like this in the past without actually exploiting the issue to good results. Some times companies ignore it. You can always say "If you do not want to treat this issue as a vulnerability I am going to write this up on my website as an example of things you should probably not do" if you feel ethically compelled to force them to change without actually exploiting the issue. People tend to get the message and do something.

... so you'd prefer that the only people doing this will be black-hat hackers who then sell the information on the black market?

> while they don’t care personally whether the site is vulnerable - otherwise they wouldn’t have let such a basic vulnerability slip through

Even if they do care personally (which I would assume is often the case if the respect person is not an ignorant careerist), they often don't have the

- organizational power

- (office-)political backing

- necessary very qualified workforce

to be capable of deeply analyzing every line of code that gets deployed. :-(

This seems depressingly common in universities. I know of a case where someone discovered anyone with a university account (so students, etc.) can edit DNS, and the IT tried to file charges until the head of CS department intervened.

Decline because it'd mean you were profiting off of a crime? Or that the opportunity of publishing has higher value than the bribe?

Thanks, its cool to hear attitudes have changed.

bcrypt is the industry standard.

im 1337 - I use plain text stored in a public s3 bucket

yescrypt is very common these days, default in Debian

No, this is the FIA[1], not Formula 1. They are very very different organizations.

[1] https://en.wikipedia.org/wiki/F%C3%A9d%C3%A9ration_Internati... https://en.wikipedia.org/wiki/Formula_One_Group

You break things in F1, you lose. Reliability and consistency is key.

Or maybe rot26 — I've heard it's twice as secure as rot13!

>Never trust any data. Even if the data comes from a partner or internal system it could be compromised or defective.

I don't even call it data anymore. I call it datain't.

You'd think but I keep meeting even "experienced" technical leadership that have been at this for a while that there's no way to get around validation and security that's implemented in client code.

> You'd think that client side security would be something that we'd gotten over by now.

Well, we have passkeys. /s

I doubt there are many people in rich countries that follow this rule, given that smartphones are networked computers and people don't want their personal photos to he publicly accessible.

He’s being sarcastic and suggesting using some out of the box rbac thing.

Great to reinvent the wheel for your mom and pop blog, or to teach yourself these concepts and try to break in. But not for authn and authz for something official like this.

But maybe do that on a smaller scale personal project?

Reinventing the wheel for Formula 1 driving…

It can. But it can be very bad at producing wheels that don't break.

I funnily just read a whole Twitter thread that had this same thesis, not 45 minutes ago... What a small world