605 points galnagli | 1 comments | source
awesome_dude ◴[] No.45675356[source]
Rule 1.

NEVER trust user supplied data.

Once that rule was broken, any other rules broken became clear to everyone.

replies(3): >>45676139 #>>45676989 #>>45681943 #
jacquesm ◴[] No.45676139[source]
You'd think that client side security would be something that we'd gotten over by now.
replies(2): >>45677562 #>>45683834 #
rpcope1 ◴[] No.45677562{3}[source]
You'd think, but I keep meeting even "experienced" technical leadership that have been at this for a while who think that there's no way to get around validation and security that's implemented in client code.
replies(1): >>45677748 #
cheschire ◴[] No.45677748{4}[source]
I’ve used browser dev tools to regularly add additional drop down options to menus that weren’t present. Huel, for example, only offered 2 or 4 week subscriptions, so I added 3 weeks to it because that’s the frequency I needed, and it worked no problem. 3 weeks later my shakes arrived and every 3 weeks since.
replies(7): >>45677777 #>>45677902 #>>45678651 #>>45678780 #>>45679165 #>>45680139 #>>45681137 #
mulmen ◴[] No.45677902{5}[source]
Did you try adjusting price?
replies(3): >>45679214 #>>45680517 #>>45681477 #
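The two comments above (adding a drop-down option that the UI never offered, and changing the price field) come down to the same server-side fix. As an added example, not code from the thread or from any vendor named in it, here is a subscription handler that trusts the request beside one that checks the interval against the offered set and takes the price only from its own catalog; the catalog, product ids, prices and intervals are made up.

```python
from dataclasses import dataclass

# Constructed catalog: what the server knows, independent of the UI.
CATALOG = {"shake-vanilla": 45.00, "shake-chocolate": 45.00}
ALLOWED_INTERVAL_WEEKS = {2, 4}  # the only intervals the business offers


@dataclass(frozen=True)
class Subscription:
    product_id: str
    interval_weeks: int
    price: float


def create_subscription_trusting_client(order: dict) -> Subscription:
    """Vulnerable: copies interval and price straight from the request, so
    an option added to the <select> or an edited price field is honoured."""
    return Subscription(order["product_id"], order["interval_weeks"], order["price"])


def create_subscription(order: dict) -> Subscription:
    """Hardened: every client-controlled field is checked against server
    state, and the price is looked up, never read from the request."""
    product_id = order.get("product_id")
    if not isinstance(product_id, str) or product_id not in CATALOG:
        raise ValueError(f"unknown product {product_id!r}")
    interval = order.get("interval_weeks")
    # bool is an int subclass, so exclude it explicitly; then require an
    # int that is one of the offered intervals (3.0 or "3" are rejected too).
    if (isinstance(interval, bool) or not isinstance(interval, int)
            or interval not in ALLOWED_INTERVAL_WEEKS):
        raise ValueError(f"interval {interval!r} is not offered")
    # Whatever "price" the client sent is ignored entirely.
    return Subscription(product_id, interval, CATALOG[product_id])


def is_valid_order(order: dict) -> bool:
    """Convenience check: does the hardened path accept this order?"""
    try:
        create_subscription(order)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request, shaped like what an edited form would submit.
    tampered = {"product_id": "shake-vanilla", "interval_weeks": 3, "price": 0.15}
    print(create_subscription_trusting_client(tampered))  # honours 3 weeks at 0.15
    print(is_valid_order(tampered))                       # False
```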
achairapart ◴[] No.45679214{6}[source]
A kid in Hungary was arrested for exactly this (and it was a cheap bus ticket): https://www.bitdefender.com/en-us/blog/hotforsecurity/budape...
replies(1): >>45679458 #
umanwizard ◴[] No.45679458{7}[source]
It doesn’t seem crazy to me that someone should be arrested for that! It’s stealing. If someone came in my house and stole my property I’d expect them to be arrested, even if I had stupidly left the door wide open.
replies(4): >>45679731 #>>45679762 #>>45680020 #>>45680373 #
jacquesm ◴[] No.45679762{8}[source]
Why are you on HN?

A kid showed up a bunch of big names. That's the equivalent of a kid walking into a bank and somehow making it into the vault, alerting security to the fact that it's possible without actually making off with all of the gold. That's on the bank, not on the kid. Nobody came into your house or stole your property. If they had the police likely wouldn't show up, nor would the case make the newspaper even if - hah, as if that happens - they made an arrest.

The only reason you are hearing about this is because someone at 'bigcorp' didn't want to accept responsibility for their fuckups, and so they used the law to come down on some kid which effectively did them a service, which costs society a large pile of money, further externalizing the cost of their fuckup.

replies(3): >>45679984 #>>45680235 #>>45684990 #
motorest ◴[] No.45679984{9}[source]
> A kid showed up a bunch of big names.

The kid purposely changed the price of a service to lower it to an insignificant fraction (reportedly from ~27£ to ~0.15£).

If that same kid went around a supermarket replacing price tags to lower the selling price, would you call it "showing up a bunch of big names"?

Say what you may about how broken and buggy the system was. Purposely misusing it for financial advantage is still a no-no.

replies(4): >>45680011 #>>45680026 #>>45680065 #>>45681932 #
daseiner1 ◴[] No.45681932{10}[source]
If the kid could successfully modify the scanned value of physical barcodes, a) that would be quite the feat and b) that would absolutely be showing up a bunch of big names.
replies(2): >>45682247 #>>45683334 #
rafram ◴[] No.45682247{11}[source]
It wouldn't be quite the feat at all. Barcodes for pre-priced items sold by weight (cheese, meat, etc.) encode the price in the last four digits. Replacing those would be trivial.