
Mass Assignment Vulnerability Exposes Max Verstappen Passport and F1 Drivers PII

https://ian.sh/fia
136•galnagli•3h ago

Comments

intheitmines•2h ago
Just out of interest, have you had any legal threats etc. from this kind of probing if they don't have explicit bug bounty programs? Also, do you ever get offered bounties on reporting where there wasn't a program?
forgotaccount22•1h ago
When I was still in university I reported a vulnerability and when the company started threatening me with legal action, my professor wrote a strongly worded email and they dropped it. Haven't had it happen since, in 8 years. Feels like many companies understand what we do now, at least compared to 10 years ago.
iancarroll•1h ago
Actual legal threats are uncommon but I have seen some companies try to offer a bribe disguised as a retroactive bug bounty program, in exchange for not publishing. Obviously it is important to decline that.
zozbot234•55m ago
The kind of probing they did and described in the blogpost, with the attempt to raise their privileges to admin is legally fishy AIUI. Usually this kind of thing would be part of a formal, agreed-to "red teaming" or "penetration testing" exercise, precisely to avoid any kind of legal liability and establish necessary guidelines. Calling an attempted access "ethical" after the fact is not enough.
luxuryballs•2h ago
well at least it was a password hash :D
dmitrygr•1h ago
Don't get too excited. They never said what kind of hash. Given the rest of the site's security design, it might have easily been unsalted MD5.
Group_B•1h ago
There's probably another rockyou out there waiting to happen
GEBBL•2h ago
Strange, the site is run by an Ian Carroll, but the examples show Sam Curry, who is a very famous bug bounty hunter.
captnasia•1h ago
if you look at his other posts, it looks like they collaborate often.
gregschlom•1h ago
From the post:

"Having been able to attend these events by hoarding airline miles and schmoozing certain cybersecurity vendors, Gal Nagli, Sam Curry, and I thought it would be fun to try and hack some of the different supporting websites for the Formula 1 events."

cathalc•1h ago
That is shamefully poor security.
gnerd00•1h ago
wait until you see the party footage
whatever1•1h ago
Just use a framework to build your site. Don’t reinvent the wheel!
ChaseRensberger•1h ago
I respectfully disagree with this sentiment. I think that in general, reinventing the wheel can be a great learning opportunity in understanding how the wheel works.
AnimalMuppet•1h ago
It can. But it can be very bad at producing wheels that don't break.
adamtaylor_13•1h ago
Not if you understand how the wheel works. That's the whole point.
jonplackett•39m ago
But maybe do that on a smaller scale personal project?
catoc•39m ago
Reinventing the wheel for Formula 1 driving…
dmoy•21m ago
Depending on the wheel, maybe. Nowadays it's more standardized - same rims for example. The tires are standardized.

There's a lot less freedom in reinventing the wheel in formula 1 nowadays

https://www.formula1-dictionary.net/wheels.html

The steering wheel of course isn't even a wheel anymore, for a long time. It's some video game console / airplane cockpit looking monstrosity.

samarthr1•18m ago
I funnily just read a whole Twitter thread that had this same thesis, not 45 minutes ago... What a small world
motorest•1h ago
> Just use a framework to build your site. Don’t reinvent the wheel!

How do you arrive at that conclusion after reading an article on how an API had a broken access control vulnerability?

renewiltord•1h ago
He’s being sarcastic and suggesting using some out of the box rbac thing.
forgotaccount22•1h ago
Archaic company has archaic security. Well done on the RD, but boy does it not surprise me one bit. Would almost be willing to bet that the hash was MD5 too.
veqq•1h ago
What hash do you use?
scq•1h ago
bcrypt is the industry standard.
zozbot234•1h ago
It's an F1 racing site, their job is literally to move fast and break things. https://xkcd.com/1428/
olyjohn•53m ago
You break things in F1, you lose. Reliability and consistency is key.
LorenDB•1h ago
Ian, it would be great to see an RSS feed on your website if you want to gain another regular reader :)
galnagli•1h ago
Ian is a great writer
heavyset_go•16m ago
Seconding this
jacquesm•1h ago
That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.

I hope you got at least free tickets for life out of this.

awesome_dude•32m ago
Rule 1.

NEVER trust user supplied data.

Once that rule was broken, any other rules broken became clear to everyone
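An added example (not code from the ian.sh/fia post or from any FIA system) of the bug class named in the story title and discussed in zozbot234's, motorest's, renewiltord's and awesome_dude's comments: a profile-update handler that binds the whole request body onto the stored record, which lets a user write server-controlled fields such as `role`, beside an allowlisted version. It is plain Python with no framework; the account fields, the request body and the field names are constructed for illustration, not the real schema.

```python
"""Mass assignment: vulnerable, denylisted and allowlisted update handlers (added example)."""

import copy

# Constructed account record. Field names are assumptions for this example.
ACCOUNT = {
    "id": 42,
    "email": "driver@example.com",
    "display_name": "Driver",
    "role": "user",             # server-controlled
    "is_verified": False,       # server-controlled
    "password_hash": "pbkdf2$...",  # server-controlled
}

# Constructed hostile request body: a routine profile edit with 'role' smuggled in.
TAMPERED_BODY = {"display_name": "Max", "role": "admin"}
# A second body aimed at a privileged field the denylist below forgot.
TAMPERED_BODY_2 = {"display_name": "Max", "is_verified": True}


def update_profile_vulnerable(account: dict, body: dict) -> dict:
    """Mass assignment: every key in the request body lands on the record."""
    updated = copy.deepcopy(account)
    updated.update(body)
    return updated


DENYLIST = frozenset({"id", "role", "password_hash"})


def update_profile_denylist(account: dict, body: dict) -> dict:
    """Strips known-dangerous keys; silently fails open for any privileged
    field added to the schema later (here 'is_verified')."""
    updated = copy.deepcopy(account)
    updated.update({k: v for k, v in body.items() if k not in DENYLIST})
    return updated


# The fix: enumerate what the user may edit and refuse everything else.
PROFILE_FIELDS = frozenset({"email", "display_name"})


def update_profile_fixed(account: dict, body: dict) -> dict:
    """Allowlist: only user-editable fields are copied. Unexpected keys raise
    instead of being dropped, so a tampering attempt is visible to logging."""
    unexpected = set(body) - PROFILE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    updated = copy.deepcopy(account)
    for field in PROFILE_FIELDS:
        if field in body:
            updated[field] = body[field]
    return updated


def demo() -> tuple[str, bool, bool]:
    """Returns (role after the vulnerable update,
                whether the denylist let is_verified through,
                whether the allowlist rejected the tampered body)."""
    vuln_role = update_profile_vulnerable(ACCOUNT, TAMPERED_BODY)["role"]
    denylist_leak = update_profile_denylist(ACCOUNT, TAMPERED_BODY_2)["is_verified"]
    try:
        update_profile_fixed(ACCOUNT, TAMPERED_BODY)
        fixed_rejected = False
    except ValueError:
        fixed_rejected = True
    return vuln_role, denylist_leak, fixed_rejected


if __name__ == "__main__":
    print(demo())
```

The allowlist is the part that generalizes: whether the framework binds JSON to a model automatically or the handler does it by hand, the server-side list of editable fields is the only thing the client cannot influence, and rejecting rather than dropping stray keys gives detection something to alert on.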

mvkel•14m ago
I was blown away while traveling to Europe that -for- GDPR purposes, the property manager of the place we were renting required the passport info of everyone that was staying on the property.

In order to "ensure our information was being handled properly," we needed to hand it over via email, in a shoddy PDF form.

Whatever the intent was of consumer data protection, it has already profoundly been weaponized (at worst), and turned into leaky surface area (at best).

9dev•11m ago
They may have said that process was related to GDPR, but that was either a lie or someone with so little understanding of basic laws that I wonder about their capability to conduct business at all.

Everything about this is prohibited and discouraged under GDPR.

paddleon•13m ago
Missed opportunity to grant the authors an F1 super license and get the chance to actually drive one of the cars!

Ovi: Twin backbone cross-modal fusion for audio-video generation

https://github.com/character-ai/Ovi
174•montyanderson•2h ago•43 comments

Willow quantum chip demonstrates verifiable quantum advantage on hardware

https://blog.google/technology/research/quantum-echoes-willow-verifiable-quantum-advantage/
330•AbhishekParmar•6h ago•156 comments

JMAP for Calendars, Contacts and Files Now in Stalwart

https://stalw.art/blog/jmap-collaboration/
182•StalwartLabs•4h ago•66 comments

Mass Assignment Vulnerability Exposes Max Verstappen Passport and F1 Drivers PII

https://ian.sh/fia
138•galnagli•3h ago•35 comments

Why SSA Compilers?

https://mcyoung.xyz/2025/10/21/ssa-1/
37•transpute•1h ago•9 comments

Scripts I wrote that I use all the time

https://evanhahn.com/scripts-i-wrote-that-i-use-all-the-time/
331•speckx•7h ago•111 comments

Element: setHTML() method

https://developer.mozilla.org/en-US/docs/Web/API/Element/setHTML
57•todsacerdoti•12h ago•19 comments

InpharmD (YC W21) Is Hiring – NLP Engineer

https://inpharmd.com/jobs/inpharmd-is-hiring-ai-ml-engineer
1•tulasichintha•57m ago

André Gorz, the Theorist Who Predicted the Revolt Against Meaningless Work (2023)

https://znetwork.org/znetarticle/andre-gorz-was-the-theorist-who-predicted-the-revolt-against-mea...
66•robtherobber•6d ago•11 comments

Rivian's TM-B electric bike

https://www.theverge.com/news/804157/rivian-tm-b-electric-bike-price-specs-helmet-quad
72•hasheddan•3h ago•124 comments

Common yeast can survive Martian conditions

https://phys.org/news/2025-10-common-yeast-survive-martian-conditions.html
24•geox•1w ago•6 comments

HP SitePrint

https://www.hp.com/us-en/printers/site-print/layout-robot.html
130•gjvc•4h ago•93 comments

The Tonnetz

https://thetonnetz.com/
31•mci•4d ago•5 comments

MinIO stops distributing free Docker images

https://github.com/minio/minio/issues/21647#issuecomment-3418675115
620•LexSiga•15h ago•368 comments

Cryptographic Issues in Cloudflare's Circl FourQ Implementation (CVE-2025-8556)

https://www.botanica.software/blog/cryptographic-issues-in-cloudflares-circl-fourq-implementation
134•botanica_labs•7h ago•64 comments

I see a future in jj

https://steveklabnik.com/writing/i-see-a-future-in-jj/
137•steveklabnik•4h ago•91 comments

Meta is axing 600 roles across its AI division

https://www.theverge.com/news/804253/meta-ai-research-layoffs-fair-superintelligence
393•Lionga•5h ago•298 comments

Galaxy XR: The first Android XR headset

https://blog.google/products/android/samsung-galaxy-xr/
131•thelastgallon•5h ago•142 comments

Linux Capabilities Revisited

https://dfir.ch/posts/linux_capabilities/
154•Harvesterify•8h ago•32 comments

ROG Xbox Ally runs better on Linux than Windows it ships with

https://www.tomshardware.com/video-games/handheld-gaming/rog-xbox-ally-runs-better-on-linux-than-...
103•jrepinc•3h ago•55 comments

Show HN: Cuq – Formal Verification of Rust GPU Kernels

https://github.com/neelsomani/cuq
16•nsomani•2h ago•13 comments

Rethinking CQRS: An Interview on OpenCQRS

https://docs.eventsourcingdb.io/blog/2025/10/23/rethinking-cqrs-an-interview-on-opencqrs/
5•goloroden•1h ago•0 comments

Designing software for things that rot

https://drobinin.com/posts/designing-software-for-things-that-rot/
147•valzevul•23h ago•37 comments

Django 6.0 beta 1 released

https://www.djangoproject.com/weblog/2025/oct/22/django-60-beta-released/
53•webology•2h ago•25 comments

Internet's biggest annoyance: Cookie laws should target browsers, not websites

https://nednex.com/en/the-internets-biggest-annoyance-why-cookie-laws-should-target-browsers-not-...
496•SweetSoftPillow•9h ago•488 comments

Greg Newby, CEO of Project Gutenberg Literary Archive Foundation, has died

https://www.pgdp.net/wiki/In_Memoriam/gbnewby
468•ron_k•12h ago•65 comments

SourceFS: A 2h+ Android build becomes a 15m task with a virtual filesystem

https://www.source.dev/journal/sourcefs
107•cdesai•9h ago•49 comments

The security paradox of local LLMs

https://quesma.com/blog/local-llms-security-paradox/
116•jakozaur•9h ago•77 comments

Show HN: Create interactive diagrams with pop-up content

https://vexlio.com/features/interactive-diagrams-with-popups/
24•ttd•7h ago•0 comments

Die shots of as many CPUs and other interesting chips as possible

https://commons.wikimedia.org/wiki/User:Birdman86
196•uticus•5d ago•36 comments