487 points galnagli | 16 comments
jacquesm ◴[] No.45674947[source]
That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.

I hope you got at least free tickets for life out of this.

replies(1): >>45675356 #
awesome_dude ◴[] No.45675356[source]
Rule 1.

NEVER trust user supplied data.

Once that rule was broken, any other rules broken became clear to everyone.

replies(2): >>45676139 #>>45676989 #
jacquesm ◴[] No.45676139{3}[source]
You'd think that client side security would be something that we'd gotten over by now.
replies(1): >>45677562 #
rpcope1 ◴[] No.45677562{4}[source]
You'd think, but I keep meeting even "experienced" technical leadership that have been at this for a while who think there's no way to get around validation and security that's implemented in client code.
replies(1): >>45677748 #
cheschire ◴[] No.45677748{5}[source]
I’ve used browser dev tools to regularly add additional drop down options to menus that weren’t present. Huel, for example, only offered 2 or 4 week subscriptions, so I added 3 weeks to it because that’s the frequency I needed, and it worked no problem. 3 weeks later my shakes arrived and every 3 weeks since.
replies(6): >>45677777 #>>45677902 #>>45678651 #>>45678780 #>>45679165 #>>45680139 #
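The server-side counterpart to the point above, as an added example that is not part of this thread (the catalog, form field names and both handlers are constructed for illustration): the first handler trusts whatever the browser posts, including the subscription interval and price, which is exactly what editing a dropdown or hidden field in dev tools exploits; the second lets the client only pick among server-known options, recomputes the price itself, and flags any mismatch so it can be logged.

```python
from dataclasses import dataclass

# Constructed catalog for this example: the intervals actually offered and the
# server's own price. A real shop would load this from its database.
CATALOG = {"shake-box": {"price_pence": 4000, "intervals_weeks": (2, 4)}}


@dataclass
class Order:
    sku: str
    interval_weeks: int
    total_pence: int
    client_price_mismatch: bool = False  # worth logging: signals tampering


def vulnerable_checkout(form: dict) -> Order:
    """Trusts every posted field. An edited <select> option or a changed
    hidden price input is accepted as-is, as described in the thread."""
    return Order(form["sku"], int(form["interval_weeks"]), int(form["total_pence"]))


def hardened_checkout(form: dict) -> Order:
    """Re-derives interval validity and price from server-side data only."""
    sku = form.get("sku")
    item = CATALOG.get(sku)
    if item is None:
        raise ValueError("unknown sku")
    try:
        interval = int(form.get("interval_weeks", ""))
    except ValueError:
        raise ValueError("interval must be an integer") from None
    if interval not in item["intervals_weeks"]:
        # The browser offered 2 or 4; anything else was injected client-side.
        raise ValueError(f"interval {interval} weeks not offered for {sku}")
    server_total = item["price_pence"]
    # The client-supplied total is never used for billing; it is only compared
    # so a tampered submission can be recorded by the caller.
    mismatch = str(form.get("total_pence", server_total)) != str(server_total)
    return Order(sku, interval, server_total, client_price_mismatch=mismatch)
```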
mulmen ◴[] No.45677902{6}[source]
Did you try adjusting price?
replies(2): >>45679214 #>>45680517 #
1. achairapart ◴[] No.45679214{7}[source]
A kid in Hungary was arrested for exactly this (and it was a cheap bus ticket): https://www.bitdefender.com/en-us/blog/hotforsecurity/budape...
replies(1): >>45679458 #
2. umanwizard ◴[] No.45679458[source]
It doesn’t seem crazy to me that someone should be arrested for that! It’s stealing. If someone came in my house and stole my property I’d expect them to be arrested, even if I had stupidly left the door wide open.
replies(4): >>45679731 #>>45679762 #>>45680020 #>>45680373 #
3. Nextgrid ◴[] No.45679731[source]
According to the article the system was developed by a regional subsidiary of a German mobile telco, which already tells you everything you need to know about its quality, but on top of that it was rushed to launch in time for some sporting event and thus even less testing was done than would normally happen.

Here's a better article: https://techcrunch.com/2017/07/25/hungarian-hacker-arrested-... - it seems like this was good faith security research (he disclosed the issue after testing it) and he couldn't use the transport pass he "stole" because he didn't even live in their service area anyway.

This arrest had nothing to do with stealing and all to do with putting well-connected, incompetent people in a very uncomfortable position.

4. jacquesm ◴[] No.45679762[source]
Why are you on HN?

A kid showed up a bunch of big names. That's the equivalent of a kid walking into a bank and somehow making it into the vault, alerting security to the fact that it's possible without actually making off with all of the gold. That's on the bank, not on the kid. Nobody came into your house or stole your property. If they had the police likely wouldn't show up, nor would the case make the newspaper even if - hah, as if that happens - they made an arrest.

The only reason you are hearing about this is because someone at 'bigcorp' didn't want to accept responsibility for their fuckups, and so they used the law to come down on some kid which effectively did them a service, which costs society a large pile of money, further externalizing the cost of their fuckup.

replies(2): >>45679984 #>>45680235 #
5. motorest ◴[] No.45679984{3}[source]
> A kid showed up a bunch of big names.

The kid purposely changed the price of a service to lower it to an insignificant fraction (reportedly from ~27£ to ~0.15£).

If that same kid went around a supermarket replacing price tags to lower the selling price, would you call it "showing up a bunch of big names"?

Say what you may about how broken and buggy the system was. Purposely misusing it for financial advantage is still a no-no.

replies(3): >>45680011 #>>45680026 #>>45680065 #
6. detaro ◴[] No.45680011{4}[source]
Did the kid go around changing price tags, or did they just show that it was possible?
7. detaro ◴[] No.45680020[source]
It's more that they walked by, saw your door open, popped their head in and then called for you to make sure you knew the door was open.
8. jacquesm ◴[] No.45680026{4}[source]
How do you propose he would have been able to establish that this was indeed a vulnerability?
replies(1): >>45680304 #
9. achairapart ◴[] No.45680065{4}[source]
Come on, a kid was just fooling around with the developer console and probably had a curiosity just like the comment above:

> Did you try adjusting price?

And he was punished for "hacking", not for stealing, and for indirectly putting to shame who was responsible for the epic fail.

replies(1): >>45680333 #
10. spockz ◴[] No.45680235{3}[source]
How did the arrest go? For all you know it was the local cop that took him to the station and put him under arrest. Not necessarily to punish, but to impress on him that even though the action was minimally invasive for a simple bus ticket, if applied to larger systems it could have a significant effect. So more a simple friendly deterrent rather than an arrest and spending some nights in jail.
11. motorest ◴[] No.45680304{5}[source]
> How do you propose he would have been able to establish that this was indeed a vulnerability?

I could comment extensively on the issue, as it is not as cut and dried as you imply. Instead, I'm going to link to the HN discussion from 2017, as I think it is insightful and covers the nuances.

https://news.ycombinator.com/item?id=14835515

12. motorest ◴[] No.45680333{5}[source]
> Come on, a kid was just fooling around with the developer console and probably had a curiosity just like the comment above

You're failing to address the point. It is also trivial to switch price tags in supermarkets. If a kid rips off the tag of an expensive product, tacks on another price tag for pennies, and proceeds to pay the reported price at the checkout counter, is this something deemed acceptable or even classified as vulnerability research?

Make no mistake: the system was a shit show and all companies involved pulled some "sociopath mid-level manager saving his ass" moves. But the issue is nuanced.

replies(1): >>45680727 #
13. wqaatwt ◴[] No.45680373[source]
No. It’s if you were selling something in your house for $10. Somebody came in, crossed out the number on the tag, wrote down $1 and handed you a bill.

Then you took their money and gave them the item without saying anything.

Would seem like a weird situation but I don't see how it's theft.

replies(1): >>45680438 #
14. LudwigNagasena ◴[] No.45680438{3}[source]
I bet that would be most likely classified as shoplifting and/or fraud depending on jurisdiction.
replies(1): >>45680786 #
15. achairapart ◴[] No.45680727{6}[source]
There was no personal profit. He bought a ticket he never used, just to show people on Twitter how bad the system was. He could have silently taken advantage of his discovery and travelled at no cost for a long time perhaps. But no.

Sounds more like vulnerability research than crime to me.

16. wqaatwt ◴[] No.45680786{4}[source]
Or a form of negotiation if done in plain sight.