Threat Modeling the FIA Driver Categorization Application that Allowed Unauthorized Access to Max Verstappen’s Passport and PII

Ian Carroll, Sam Curry, and Gal Nagli published an interesting article about their ethical hacking of the FIA Driver Categorization application. They identified a weakness that allowed an attacker to change their user type from a normal user to an admin user, which in turn allowed the attacker to view Max Verstappen's (and other F1 drivers') PII (Personally Identifiable Information) such as passport, resume, driver's license, and more.

I won’t repeat all the details of the article, so I suggest you read it first!

Note: This threat modeling analysis is based on publicly available information. Publicly available information may differ from what actually occurred. Further, new information may be disclosed as it is discovered and published.

Results of the threat modeling in an exported video:

Here’s a short summary of the (ethical) attack that was successful:

  • Log into the application as a user.
  • Go to the Update Profile page.
  • Modify the Update Profile request to include a role of type Admin, which is accepted by the application.
  • The user is now an Administrator.
  • View sensitive driver personal information, such as passport, driver's license, etc.

What weaknesses (threats) and fixes (requirements) can we learn from this:

  • Weakness & Requirement 1: The Update Profile feature honors user (and attacker) supplied requests to change the User Type to Admin. The application should filter such requests server-side and not allow the User Type to be updated unless explicitly required and authorized (i.e., performed by an existing Admin).
  • Weakness & Requirement 2: The Admin Dashboard is accessible from the Internet. It should only be accessible from a trusted network, or via an out-of-band connection.
  • Weakness & Requirement 3: The application stores a lot of Personally Identifiable Information, e.g., passports and driver's licenses. This is excessive and not required for the purposes of the application; any data that is required should be purged when no longer needed.
  • Weakness & Requirement 4: Admin account creation and Admin actions do not appear to be logged or monitored. If a new Admin account is created, the application should confirm/warn other Admins and SOC analysts that it occurred.
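To make Weaknesses 1 and 4 concrete, here is an added example (not the FIA application's code; the field names "role", "admin" and the allow-listed profile fields are assumptions) showing a profile-update handler that trusts every field in the request beside a hardened version that allow-lists writable fields, restricts role changes to an existing Admin, and records every role change to an audit sink that a SOC could alert on:

```python
# Added example, not the FIA application's code. Field names such as "role",
# "admin" and the allow-listed profile fields are assumptions for illustration.
from dataclasses import dataclass, field

ALLOWED_PROFILE_FIELDS = {"display_name", "email", "phone"}
AUDIT_LOG: list[str] = []  # stand-in for a SIEM / SOC alerting sink


@dataclass
class User:
    user_id: int
    role: str = "user"
    profile: dict = field(default_factory=dict)


def update_profile_vulnerable(user: User, payload: dict) -> User:
    """Weakness 1: every key in the request body is trusted, including 'role',
    so a normal user who adds role=admin to the request becomes an Admin."""
    for key, value in payload.items():
        if key == "role":
            user.role = value  # no check that the caller may change this
        else:
            user.profile[key] = value
    return user


def update_profile_hardened(actor: User, target: User, payload: dict) -> User:
    """Requirement 1: only allow-listed fields are writable by the user, and a
    role change requires the acting user to already be an Admin.
    Requirement 4: every role change is written to the audit log."""
    for key, value in payload.items():
        if key in ALLOWED_PROFILE_FIELDS:
            target.profile[key] = value
        elif key == "role":
            if actor.role != "admin":
                raise PermissionError("role may only be changed by an Admin")
            AUDIT_LOG.append(
                f"admin {actor.user_id} set role of user {target.user_id} to {value}"
            )
            target.role = value
        else:
            # Unknown keys (e.g. is_admin, user_type) are rejected, not merged.
            raise ValueError(f"field not updatable: {key}")
    return target
```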
