396 points galnagli | 13 comments
1. jacquesm No.45674947
That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.

I hope you got at least free tickets for life out of this.

replies(1): >>45675356 #
2. awesome_dude No.45675356
Rule 1.

NEVER trust user supplied data.

Once that rule was broken, any other rules broken became clear to everyone.

replies(2): >>45676139 #>>45676989 #
3. jacquesm No.45676139
You'd think that client side security would be something that we'd gotten over by now.
replies(1): >>45677562 #
4. nradov No.45676989
Never trust any data. Even if the data comes from a partner or internal system it could be compromised or defective.
replies(1): >>45678220 #
5. rpcope1 No.45677562
You'd think, but I keep meeting even "experienced" technical leadership who have been at this for a while and who think there's no way to get around validation and security that's implemented in client code.
replies(1): >>45677748 #
6. cheschire No.45677748
I’ve used browser dev tools to regularly add additional drop down options to menus that weren’t present. Huel, for example, only offered 2 or 4 week subscriptions, so I added 3 weeks to it because that’s the frequency I needed, and it worked no problem. 3 weeks later my shakes arrived and every 3 weeks since.
replies(5): >>45677777 #>>45677902 #>>45678651 #>>45678780 #>>45679165 #
7. umanwizard No.45677777
That’s incredible
8. mulmen No.45677902
Did you try adjusting price?
replies(1): >>45679214 #
9. logicallee No.45678220
>Never trust any data. Even if the data comes from a partner or internal system it could be compromised or defective.

I don't even call it data anymore. I call it datain't.

10. esseph No.45678651
I love this so much
11. codethief No.45678780
I did something similar on an airline website earlier this year: I wanted to change the date of my return flight and also make it an open jaw (i.e. leave from a different airport than where I had arrived). Changing my flights was included in my original fare, modulo the fare difference. Unfortunately, on their website the input text field for the airport I would be flying out from would get disabled a second or two into loading the "alternative flights search" page, and wouldn't allow me to make it an open jaw. So I fired up my browser dev tools and changed the value of the text field to the desired airport code. Suddenly, I was finding the flights I had been looking for – as it turns out, at no additional charge whatsoever.
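The subscription-interval and price anecdotes above (comments 6, 8 and 11) all come down to a server echoing back whatever the browser form submitted. Below is an added illustration, not code from any of the posters or the sites mentioned, of the vulnerable pattern next to the hardened one: the server re-derives every field from its own (hypothetical, constructed) catalogue and rejects anything not offered, so an option added in dev tools or an edited price field has no effect.

```python
"""Server-side validation of a subscription request.

Constructed example: the request dict stands in for a parsed form post
whose fields may have been edited in the browser's dev tools.
"""
from dataclasses import dataclass

# Hypothetical catalogue (constructed). Prices in cents; only these
# delivery intervals exist for the product.
CATALOG = {
    "shake-12pack": {"price_cents": 4500, "intervals_weeks": (2, 4)},
}


class ValidationError(ValueError):
    """Raised when a request does not match the server-side catalogue."""


@dataclass(frozen=True)
class Order:
    sku: str
    interval_weeks: int
    price_cents: int


def create_subscription_trusting_client(req: dict) -> Order:
    """Vulnerable: every field, including the price, is taken from the client."""
    return Order(req["sku"], int(req["interval_weeks"]), int(req["price_cents"]))


def create_subscription(req: dict) -> Order:
    """Hardened: sku and interval must exist in the catalogue; the price is
    never read from the request at all."""
    sku = req.get("sku")
    item = CATALOG.get(sku)
    if item is None:
        raise ValidationError(f"unknown sku {sku!r}")
    try:
        interval = int(req.get("interval_weeks"))
    except (TypeError, ValueError):
        raise ValidationError("interval_weeks must be an integer") from None
    if interval not in item["intervals_weeks"]:
        raise ValidationError(f"interval {interval} weeks not offered for {sku}")
    # Price comes from the catalogue, so a tampered price_cents field is ignored.
    return Order(sku, interval, item["price_cents"])
```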
12. jacquesm No.45679165
What's insane is that there are countries where this is considered hacking, even if all you do is change the URL.

somefile-small.jpg -> somefile.jpg

13. achairapart No.45679214
A kid in Hungary was arrested for exactly this (and it was a cheap bus ticket): https://www.bitdefender.com/en-us/blog/hotforsecurity/budape...