https://ian.sh/fia

In a concerning discovery, researchers have uncovered critical vulnerabilities in the FIA’s (Fédération Internationale de l’Automobile) driver categorisation system, drivercategorisation.fia.com, which allowed them to gain unauthorised access to sensitive information belonging to Formula 1 drivers, including their passports, resumes, licenses, and personal details.

The researchers, Ian Carroll, Sam Curry, and Gal Nagli, found that the system’s user profile update functionality was vulnerable to a privilege escalation attack, enabling them to easily elevate their account privileges to the administrator role. This granted them full access to the FIA’s internal dashboard, where they were able to view and download the personal and confidential information of various F1 drivers, including the current champion, Max Verstappen.
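The article does not describe the exact request used. Assuming the flaw class was a profile update endpoint that accepted role fields from the client (mass assignment), the following added example, which is not code from the FIA system or from the researchers, contrasts a handler that merges the request body as-is with one that allow-lists fields based on the caller's stored role. All field names, role names and functions are hypothetical.

```python
# Added illustration; field names, roles and handlers are hypothetical,
# not taken from the FIA system.
from copy import deepcopy

# Fields a user may change on their own profile; everything else is server-controlled.
SELF_EDITABLE = {"first_name", "last_name", "email", "nationality"}
# Fields an administrator may change on any account.
ADMIN_EDITABLE = SELF_EDITABLE | {"roles", "status"}


class Forbidden(Exception):
    pass


def update_profile_vulnerable(account, body):
    """Merges the request body straight into the stored record (mass assignment)."""
    updated = deepcopy(account)
    updated.update(body)  # a client-supplied "roles" key overwrites the stored one
    return updated


def update_profile_hardened(actor, account, body):
    """Applies only allow-listed fields, chosen by the caller's stored role."""
    is_admin = "ADMIN" in actor["roles"]
    if actor["id"] != account["id"] and not is_admin:
        raise Forbidden("cannot edit another user's profile")
    allowed = ADMIN_EDITABLE if is_admin else SELF_EDITABLE
    rejected = sorted(set(body) - allowed)
    if rejected:
        # Reject instead of silently dropping, so the attempt shows up in logs.
        raise Forbidden(f"fields not permitted for this caller: {rejected}")
    updated = deepcopy(account)
    updated.update(body)
    return updated


def demo():
    # Constructed sample account and request body.
    user = {"id": 7, "first_name": "Test", "last_name": "User", "email": "t@example.test",
            "nationality": "US", "roles": ["DRIVER"], "status": "active"}
    body = {"first_name": "Test", "roles": ["ADMIN"]}
    escalated = update_profile_vulnerable(user, body)["roles"]
    try:
        update_profile_hardened(user, user, body)
        blocked = False
    except Forbidden:
        blocked = True
    return escalated, blocked
```

The hardened handler takes the caller's role from the server-side record, never from the request body, which is the property the vulnerable version lacks.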

The researchers responsibly disclosed their findings to the FIA in early June 2025, and the organisation promptly took the website offline to address the vulnerabilities. In their official response, the FIA confirmed that a comprehensive fix had been implemented, and they expressed gratitude to the researchers for their responsible disclosure and assistance in strengthening the security of the system.

This incident serves as a reminder of the importance of robust cybersecurity measures, especially in high-profile organisations and sporting events that handle sensitive data. As the world of motorsports continues to integrate digital technologies, it is crucial that governing bodies like the FIA prioritise the protection of their systems and the privacy of their participants. This vulnerability disclosure underscores the need for continuous security assessments and the implementation of best practices to mitigate the risks posed by emerging threats.