• Every Formula 1 driver on the grid just had their passport and li

    From TechnologyDaily@1337:1/100 to All on Thu Oct 23 20:30:08 2025
    Every Formula 1 driver on the grid just had their passport and license
    details leaked - but it could have been so much worse

    Date:
    Thu, 23 Oct 2025 19:17:00 +0000

    Description:
    Security researchers claim to have tricked the FIA into giving them admin privileges.

    FULL STORY
    ======================================================================
    Security researchers recently discovered a serious bug in the FIA website.
    The flaw gave them access to personally identifiable information of drivers.
    So far, there's no suggestion criminals have accessed the data.

    Millions of dollars are spent on cybersecurity in Formula 1, but that hasn't protected the sport's drivers from having their personal information compromised.

    In fact, security researchers Ian Carroll, Gal Nagli, and Sam Curry claim
    they managed to hack the website of the FIA, the sport's governing body, gaining access to every single driver's passport, license, and PII.

    Luckily, there's no evidence this FIA vulnerability was accessed by threat actors, and the flaw has since been fixed, but it does serve as a powerful warning for third-party websites that may think they are too niche to
    be targeted.

    How did they do it?

    The compromise came through the FIA's driver categorization website, where drivers can apply for their FIA Super License - which drivers need to renew each year if they want to continue in the sport.

    Since the portal is public, and anyone can apply, researchers were able to create their own FIA license account, update their details, and edit their
    own information. But they noticed that when they updated their profile, the
    server sent them more information than they had entered.

    For example, if they edited their name and email, the server would send back their name, email, birthdate, and crucially, their role. The roles refer to the access privilege - driver, FIA staff, or admin.

    So, in what seems to be a shockingly simple Mass Assignment API flaw, the researchers simply changed their access to admin - and gained access.
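
    The pattern described above, as an added example that is not part of the original story and is not FIA code: a profile-update handler that binds every request field next to one that binds only an allowlist. The record layout and function names are hypothetical; the field names follow the article.

```python
# Added example: hypothetical profile-update handlers, not FIA code.
import copy

# Constructed sample record; field names follow the article's description.
STORED_USER = {"id": 7, "name": "A. Driver", "email": "a@example.test",
               "birthdate": "1990-01-01", "role": "driver"}

# Fields a user may change about themselves. "role" is deliberately absent.
SELF_EDITABLE = {"name", "email", "birthdate"}


def update_profile_vulnerable(user, body):
    """Mass assignment: every key in the request body lands on the record."""
    updated = copy.deepcopy(user)
    updated.update(body)  # a "role" key in the body overwrites the stored role
    return updated


def update_profile_hardened(user, body):
    """Bind only allowlisted fields; return the rest so they can be logged."""
    updated = copy.deepcopy(user)
    rejected = sorted(k for k in body if k not in SELF_EDITABLE)
    for key in SELF_EDITABLE.intersection(body):
        value = body[key]
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"invalid value for {key!r}")
        updated[key] = value.strip()
    return updated, rejected


def public_view(user):
    """Response serializer: echo back only the fields the client may edit."""
    return {k: user[k] for k in SELF_EDITABLE}


if __name__ == "__main__":
    # Constructed request body of the kind the article describes.
    body = {"name": "A. Driver", "email": "new@example.test", "role": "admin"}
    print("vulnerable role:", update_profile_vulnerable(STORED_USER, body)["role"])
    safe, rejected = update_profile_hardened(STORED_USER, body)
    print("hardened role:", safe["role"], "| rejected keys:", rejected)
    print("response body:", public_view(safe))
```

    The rejected-keys list is worth alerting on: an ordinary client has no reason to send a role field in a self-service profile update.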

    The admin privileges, as you can guess, gave them access to anything and everything. This included all F1 driver applications, along with their uploaded documents such as passports and personal contact information - they could even see internal FIA communications regarding license decisions.

    "The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer," a spokesperson told TechRadar Pro.

    "Immediate steps were taken to secure drivers' data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA's obligations. It has also notified the small number of drivers impacted
    by this issue. No other FIA digital platforms were impacted in this
    incident."

    The FIA has invested extensively in cyber security and resilience measures across its digital estate. It has put world class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives.

    In Formula 1, data security is a high priority. Most teams even have official cybersecurity partnerships - such as Williams and Keeper Security, Bitdefender and Ferrari, and 1Password and Red Bull - which just underlines
    that no one is safe when there are weak links in their vendors, partnerships, or in
    this case, their governing body's website.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/every-formula-1-driver-on-the-grid-just-had-their-passport-and-license-details-leaked-but-it-could-have-been-so-much-worse


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)