Three Formula 1 fans hacked into the International Automobile Federation (FIA) and found a serious vulnerability in the federation’s licensing system.
The FIA has confirmed that hackers briefly gained access to data in the organization’s driver license portal, including Max Verstappen’s passport. The vulnerability has since been closed in collaboration with the hackers.
The incident occurred in the summer when three hackers—Gal Nagli, Sam Curry, and Ian Carroll—breached the FIA’s Driver Categorization Portal. Although the successful access took place several months ago, the hackers only made their discovery public this week via social media.
The group, all of whom are Formula 1 fans, emphasized that they had no malicious intent. Their goal was to uncover vulnerabilities in the FIA’s IT infrastructure in order to make the “entire ecosystem more secure.”
Access to driver classification system
The area affected was the system used by the FIA to manage driver classifications. While Formula 1 drivers require a super license, classification as gold, silver, or bronze is crucial for other racing series, especially in endurance racing.
The FIA manages these classifications via the portal, where drivers can also submit requests for a status change – for example, from gold to silver, which can be advantageous in series with mandatory silver drivers.
Escalation to admin rights enabled data access
The hackers first created a profile on the FIA portal and used JavaScript to determine that they could change their user role. The system distinguished between drivers, FIA employees, and administrators—the latter with the highest privileges.
Through a special request, they managed to raise their access rights to admin level. After logging in again, they were shown a completely different user interface, including the internal FIA dashboard for driver classification.
To verify access, they downloaded a single driver profile as a test. This showed them the password, email address, phone number, passport details, and internal communications between the FIA and the driver.
All Formula 1 drivers were also listed in the system. The hackers noticed that Max Verstappen’s passport details would have been accessible in principle. However, they emphasized that they ended their tests at this point and did not view or store any sensitive information.
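The role change described above is the kind of flaw that arises when a server copies client-supplied fields straight onto the stored user record. The following is an added example, not code from the FIA portal or from the researchers: it sets that pattern beside a hardened handler that only accepts allowlisted fields. The article does not give the request details, so the field names, role identifiers and function names here are assumptions.

```javascript
// Added illustration. Field names, role identifiers and function names are
// hypothetical; the article only names the three roles in prose.
const ROLES = ['driver', 'fia_employee', 'admin'];

// Vulnerable pattern: every client-supplied key is merged into the record,
// so a "role" key in the request body overwrites the server-side role.
function updateProfileVulnerable(user, body) {
  return Object.assign({}, user, body);
}

// Fields a user may change on their own profile. "role" is deliberately absent.
const SELF_EDITABLE = new Set(['displayName', 'email', 'phone']);

// Hardened pattern: copy only allowlisted string fields and return the
// rejected keys so the attempt can be logged and alerted on.
function updateProfileHardened(user, body) {
  const updated = { ...user };
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (SELF_EDITABLE.has(key) && typeof value === 'string') {
      updated[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { updated, rejected };
}

// Role changes get their own code path, authorised against the actor's
// stored role, never against anything the client sends about itself.
function changeRole(actor, target, newRole) {
  if (actor.role !== 'admin') throw new Error('forbidden');
  if (!ROLES.includes(newRole)) throw new Error('unknown role');
  return { ...target, role: newRole };
}

// Constructed sample data: a self-registered driver account and a
// profile-update body that carries an extra "role" key.
const driver = { id: 7, displayName: 'Test Driver', email: 'driver@example.test', phone: '', role: 'driver' };
const request = { displayName: 'New Name', role: 'admin' };

console.log(updateProfileVulnerable(driver, request).role); // role taken from the client
console.log(updateProfileHardened(driver, request));        // role unchanged, key rejected
```

The rejected-keys list is worth sending to logging: a self-service profile update that tries to set a privilege field is a strong signal for detection.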
FIA responded immediately
After discovering the vulnerability on June 3, the hackers immediately notified the FIA. The association took the site offline on the same day and worked with the group to find a sustainable solution. On June 10, the FIA confirmed that the flaw had been fixed.
An FIA spokesperson told Motorsport.com in Mexico: “The FIA became aware of a cyber incident involving the driver classification website during the summer. Immediate action was taken to secure the drivers’ data.”
“The FIA reported the incident to the relevant data protection authorities in accordance with its obligations and informed the few drivers affected. Other FIA digital platforms were not affected.”
It went on to say: “The FIA has invested significantly in cybersecurity and resilience measures. It has state-of-the-art data security precautions in place to protect all stakeholders and pursues a consistent security-by-design strategy for new digital projects.”
The case underscores how important IT security measures have become, even for large sports associations such as the FIA.






