Bug enables researchers to access F1 race drivers’ information via FIA portal


Three security researchers gained access to the FIA's internal systems, allowing them to access the personal data of F1 drivers, including Max Verstappen. The bug has since been fixed.

In order to participate in Formula 1 races, drivers must acquire a so-called FIA Super License. The license is issued by the FIA upon request and imposes various requirements on drivers.

However, F1 drivers often also compete in races outside Formula 1. For those other series, the FIA runs a separate portal called Driver Categorization. It is a different system from the FIA Super License, but many race drivers appear in both because they also hold an active F1 Super License.


Drivers must create an account on the website and then submit an application to the FIA. This requires uploading many documents containing personally identifiable information, including their passports, driver’s licenses, and the results of previous race participations.

Image by Cybernews.

Security researchers Gal Nagli, Sam Curry, and Ian Carroll investigated the FIA’s Driver Categorization portal. They claimed that they thought it would be “fun to try and hack some of the different supporting websites for the Formula 1 events.”

After creating an account, the researchers discovered a simple HTTP PUT request used to update their profile. The request body itself contained few interesting attributes, but the JSON response returned many extra values, including a “roles” parameter.

“Based on the JavaScript, there were a number of different roles on the website that were intended to be used by drivers, FIA staff, and site administrators. The most interesting one was obviously admin, so we guessed the correct HTTP PUT request format to try and update our roles based on the JavaScript,” the security researchers say.

This gave them the role of administrator, allowing them to view all kinds of personal information about F1 drivers, including passports, email addresses, phone numbers, resumes, password hashes, and other personally identifiable information.
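The flaw described above is a classic mass-assignment bug: the profile-update endpoint wrote whatever fields the client sent, including the privileged “roles” field exposed in the response. The following is an added example written for this article, not the FIA's code; it shows such a handler beside a hardened version that allowlists writable fields, keeps role changes behind a server-side authorization check, and strips sensitive fields from the response. All field names and sample values are constructed.

```javascript
// Added example (not the FIA's code): a mass-assignment profile update beside
// a hardened version. Field names and sample values are constructed.

// Constructed stored record for an ordinary driver account.
function makeDriverProfile() {
  return { id: 42, name: "Example Driver", nationality: "NL",
           roles: ["driver"], passwordHash: "<placeholder-hash>" };
}

// Vulnerable: whatever keys the client sends are written through, so a client
// that knows the "roles" field name can grant itself a role, and the full
// record (roles, password hash) is echoed back in the response.
function updateProfileVulnerable(profile, body) {
  return { status: 200, body: { ...profile, ...body } };
}

// Fields a driver may change on their own profile; everything else is rejected.
const CLIENT_WRITABLE = new Set(["name", "nationality", "phone"]);
// Fields that never leave the server in a profile response.
const NEVER_RETURNED = new Set(["roles", "passwordHash"]);

function toPublicProfile(profile) {
  return Object.fromEntries(
    Object.entries(profile).filter(([k]) => !NEVER_RETURNED.has(k)));
}

// Hardened: unknown keys get an explicit 400 (so the attempt is visible in
// logs) instead of being merged silently; roles are always taken from the
// stored record, never from the body (belt and braces on top of the allowlist).
function updateProfileHardened(profile, body) {
  const rejected = Object.keys(body).filter((k) => !CLIENT_WRITABLE.has(k));
  if (rejected.length > 0) return { status: 400, rejected };
  const updated = { ...profile };
  for (const k of Object.keys(body)) updated[k] = body[k];
  updated.roles = profile.roles;
  return { status: 200, body: toPublicProfile(updated) };
}

// Role changes are a separate operation authorised by the caller's session
// roles (established server-side at login), never by anything in the body.
function setRoles(actorRoles, profile, newRoles) {
  if (!actorRoles.includes("admin")) return { status: 403 };
  return { status: 200, body: toPublicProfile({ ...profile, roles: newRoles }) };
}

// Constructed request body of the kind the article describes.
const ESCALATION_BODY = { name: "Example Driver", roles: ["admin"] };
```

Rejecting unknown keys rather than ignoring them is what makes the attempt show up in application logs, which is the detection opportunity a defender wants here.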


“Additionally, we could load all internal communications related to Driver Categorization, including comments about their performance and committee-related decisions,” Nagli, Curry, and Carroll found out.


When they noticed they could access Max Verstappen’s passport, resume, license, and password hash, the researchers stopped testing.

According to the disclosure timeline, the FIA was informed on June 3rd. The website was taken offline that same day. Three days later, a comprehensive fix was implemented.

“The FIA became aware of a cyber incident involving the FIA Driver Categorization website over the summer. Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations. It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident,” an FIA spokesperson told PlanetF1 in a response.
