
482 points galnagli | 1 comments
jacquesm No.45674947
That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.

I hope you got at least free tickets for life out of this.

replies(1): >>45675356
awesome_dude No.45675356
Rule 1.

NEVER trust user-supplied data.

Once that rule was broken, any other rules broken became clear to everyone.

replies(2): >>45676139 >>45676989
nradov No.45676989
Never trust any data. Even if the data comes from a partner or internal system it could be compromised or defective.
replies(1): >>45678220
logicallee No.45678220
>Never trust any data. Even if the data comes from a partner or internal system it could be compromised or defective.

I don't even call it data anymore. I call it datain't.