Particle.news

FIA Confirms Breach of Drivers’ Categorisation Site After Researchers’ Disclosure

A basic role-assignment flaw let testers elevate a normal account to administrator with a single request.

Overview

  • Three security researchers — Gal Nagli, Sam Curry and Ian Carroll — reported on June 3 that modifying a user’s roles field granted full administrator access to driverscategorisation.fia.com.
  • The elevated access exposed passports, licences, CVs, hashed passwords and internal correspondence for pilots, including viewing Max Verstappen’s profile, according to the researchers.
  • The researchers say they limited testing to screenshots and did not exfiltrate sensitive data, characterizing their actions as responsible disclosure.
  • The FIA says it took the site offline the day it was alerted, applied a comprehensive patch by June 10, notified relevant data-protection authorities and informed a small number of affected pilots.
  • The federation states that no other FIA platforms were impacted and that it has strengthened its cybersecurity under a security-by-design policy; public disclosure on October 22 prompted renewed media scrutiny near the Mexico Grand Prix.
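The flaw the researchers describe, a client-controlled roles field merged straight into the stored account, is the classic mass-assignment pattern. The following is an added illustration, not FIA code: two hypothetical profile-update handlers over a constructed in-memory user store, one that merges the request body blindly and one that applies a server-side allow-list and rejects any other field. Only the "roles" field name comes from the page; the handler names, store layout and sample values are assumptions.

```python
from copy import deepcopy

# Constructed sample record, standing in for a server-side user store.
USERS = {"driver42": {"email": "driver@example.invalid", "roles": ["driver"]}}

# Fields a user may legitimately change about their own profile.
SELF_EDITABLE = {"email", "display_name"}


def fresh_store():
    """Returns an independent copy of the sample store for each run."""
    return deepcopy(USERS)


def update_profile_vulnerable(store, user_id, payload):
    """Flawed pattern: merges the client payload into the record unfiltered."""
    user = store[user_id]
    user.update(payload)  # a client-supplied "roles" key overwrites the stored roles
    return user


def update_profile_hardened(store, user_id, payload):
    """Allow-list pattern: writes only self-editable fields, rejects anything else."""
    unexpected = set(payload) - SELF_EDITABLE
    if unexpected:
        # Reject rather than silently drop: the attempt itself is worth logging and alerting on.
        raise PermissionError(f"field(s) not editable by user: {sorted(unexpected)}")
    user = store[user_id]
    user.update({k: payload[k] for k in SELF_EDITABLE if k in payload})
    return user


def is_admin(user):
    return "admin" in user["roles"]


def demo():
    """Runs both handlers on one payload; returns (vulnerable_is_admin, hardened_is_admin, blocked)."""
    payload = {"email": "new@example.invalid", "roles": ["driver", "admin"]}  # constructed request body
    vuln_user = update_profile_vulnerable(fresh_store(), "driver42", payload)
    hard_store = fresh_store()
    try:
        hard_user = update_profile_hardened(hard_store, "driver42", payload)
        blocked = False
    except PermissionError:
        hard_user = hard_store["driver42"]
        blocked = True
    return is_admin(vuln_user), is_admin(hard_user), blocked


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The hardened handler also keeps the legitimate email change out when the request carries a forbidden field, which is deliberate: a partial write would hide the fact that an escalation attempt occurred.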