Accessing Max Verstappen's passport and PII through FIA bugs

(ian.sh)

569 points galnagli | 1 comments | 22 Oct 25 18:21 UTC | HN request time: 0.001s | source

Show context

awesome_dude ◴[22 Oct 25 21:25 UTC] No.45675356[source]▶

>>45673130 (OP) #

Rule 1.

NEVER trust user supplied data.

Once that rule was broken, any other rules broken became clear to everyone

replies(3): >>45676139 #>>45676989 #>>45681943 #

jacquesm ◴[22 Oct 25 22:49 UTC] No.45676139[source]▶

>>45675356 #

You'd think that client side security would be something that we'd gotten over by now.

replies(2): >>45677562 #>>45683834 #

rpcope1 ◴[23 Oct 25 02:34 UTC] No.45677562[source]▶

>>45676139 #

You'd think but I keep meeting even "experienced" technical leadership that have been at this for a while that there's no way to get around validation and security that's implemented in client code.

replies(1): >>45677748 #

cheschire ◴[23 Oct 25 03:02 UTC] No.45677748[source]▶

>>45677562 #

I’ve used browser dev tools to regularly add additional drop down options to menus that weren’t present. Huel, for example, only offered 2 or 4 week subscriptions, so I added 3 weeks to it because that’s the frequency I needed, and it worked no problem. 3 weeks later my shakes arrived and every 3 weeks since.

replies(7): >>45677777 #>>45677902 #>>45678651 #>>45678780 #>>45679165 #>>45680139 #>>45681137 #

mulmen ◴[23 Oct 25 03:34 UTC] No.45677902[source]▶

>>45677748 #

Did you try adjusting price?

replies(3): >>45679214 #>>45680517 #>>45681477 #

achairapart ◴[23 Oct 25 07:33 UTC] No.45679214[source]▶

>>45677902 #

A kid in Hungary was arrested for exactly this (and it was a cheap bus ticket): https://www.bitdefender.com/en-us/blog/hotforsecurity/budape...

replies(1): >>45679458 #

umanwizard ◴[23 Oct 25 08:16 UTC] No.45679458[source]▶

>>45679214 #

It doesn’t seem crazy to me that someone should be arrested for that! It’s stealing. If someone came in my house and stole my property I’d expect them to be arrested, even if I had stupidly left the door wide open.

replies(4): >>45679731 #>>45679762 #>>45680020 #>>45680373 #

1. Nextgrid ◴[23 Oct 25 08:56 UTC] No.45679731[source]▶

>>45679458 #

According to the article the system was developed by a regional subsidiary of a German mobile telco, which already tells you everything you need to know about its quality, but on top of that it was rushed to launch in time for some sporting event and thus even less testing was done that would normally happen.

Here's a better article: https://techcrunch.com/2017/07/25/hungarian-hacker-arrested-... - it seems like this was good faith security research (he disclosed the issue after testing it) and he couldn't use the transport pass he "stole" because he didn't even live in their service area anyway.

This arrest had nothing to do with stealing and all to do with putting well-connected, incompetent people in a very uncomfortable position.

↑