Accessing Max Verstappen's Passport and Pii Through Fia Bugs

Posted3 months agoActive2 months ago

galnagli

632 points

145 comments

ian.shTechstoryHigh profile

excitednegative

Debate

60/100

Bug BountySecurity VulnerabilityFia

Key topics

Bug Bounty

Security Vulnerability

Fia

The FIA's website was found to have multiple security vulnerabilities, exposing sensitive information of F1 drivers like Max Verstappen, and the discussion highlights the importance of proper security measures and responsible disclosure.

Snapshot generated from the HN discussion

Discussion Activity

Very active discussion

First comment

Peak period

126

Day 1

Avg / period

Comment distribution135 data points

Loading chart...

Based on 135 loaded comments

Key moments

01Story posted
Oct 22, 2025 at 2:21 PM EDT
3 months ago
Step 01
02First comment
Oct 22, 2025 at 3:37 PM EDT
1h after posting
Step 02
03Peak activity
126 comments in Day 1
Hottest window of the conversation
Step 03
04Latest activity
Oct 31, 2025 at 11:30 AM EDT
2 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (145 comments)

Showing 135 comments of 145

intheitmines

3 months ago

5 replies

Just out of interest have you had any legal threats etc from this kind of probing if they don't have explicit bug bounty programs? Also do you ever get offered bounties in on reporting where there wasn't a program?

forgotaccount22

3 months ago

1 reply

When I was still in university I reported a vulnerability and when the company started threatening me with legal action, my professor wrote a strongly worded email and they dropped it. Haven't had it since in 8 years. Feels like many companies understand what we do now, atleast compared to 10 years ago.

SirHumphrey

3 months ago

1 reply

This seems depressingly common in universities. I know of a case where someone discovered anyone with a university account (so students, etc.) can edit DNS, and the IT tried to file charges until the head of CS department intervened.

technothrasher

3 months ago

Many years ago when I was at school, I found a paper on a table in the computing library with a list of root passwords for some of the machines at Yale, just sitting there. I tried one and it was valid (this was the old days when remote root logins were a thing). I sent the admins a message telling them, and I was entirely ignored. A month later I tried the password again and it was still good. Luckily for me, I guess, it was before the days of suing people for trying to be helpful.

iancarroll

3 months ago

2 replies

Actual legal threats are uncommon but I have seen some companies try to offer a bribe disguised as a retroactive bug bounty program, in exchange for not publishing. Obviously it is important to decline that.

gausswho

3 months ago

2 replies

Decline because it'd mean you were profiting off of a crime? Or that the opportunity of publishing has higher value than the bribe?

seb1204

3 months ago

Take the Money and have someone else publish it

LoganDark

3 months ago

Decline because the public deserves to know the company has that approach to security.

intheitmines

3 months ago

Thanks, its cool to hear attitudes have changed.

zozbot234

3 months ago

3 replies

The kind of probing they did and described in the blogpost, with the attempt to raise their privileges to admin is legally fishy AIUI. Usually this kind of thing would be part of a formal, agreed-to "red teaming" or "penetration testing" exercise, precisely to avoid any kind of legal liability and establish necessary guidelines. Calling an attempted access "ethical" after the fact is not enough.

bitexploder

3 months ago

1 reply

Without any sort of formally posted bug bounty program explicitly authorizing this sort of activity the CFAA prohibits unauthorized access of "protected computers". I would classify this as legally risky. If FIA had a stick up their ass they could definitely come after the researcher. The researcher's ethical standing is pretty clean in my book, but this was definitely a little more than just changing a URL parameter (only a little more). I would say this is unsafe to do if you are in the united states. The stopping point was somewhere around "I think I could provide the admin role" and reaching out to the best contact you can find and say "Hey, I am an ethical white hat security researcher and I noticed X and Y and in my experience when I see this there is a pretty reasonable chance this privilege escalation vulnerability exists. The chance it exists is high enough in my experience that you should treat it like it exists and examine your authorization code. If you would like I can validate this on my end as well if you give me permission to examine this issue. I am an ethical security researcher" ---> point over to your website and disclosed issues if you got em. To just do it is ehh... I would not take the risk. However if I /did/ do it I would definitely disclose it to them immediately and give an explanation like the above. Shooting the messenger in this case would be pretty asinine, especially if they didn't access anything sensitive, that would preclude FIA from having any evidence you did anything sketchy (cause you did not). The reason I would not do it is because you never know if a system like this pre-fetches data, etc. and that is definitely opening you up to liability of possessing PII etc. Overall, I have disclosed issues like this in the past without actually exploiting the issue to good results. Some times companies ignore it. You can always say "If you do not want to treat this issue as a vulnerability I am going to write this up on my website as an example of things you should probably not do" if you feel ethically compelled to force them to change without actually exploiting the issue. People tend to get the message and do something.

squigz

3 months ago

I'd highly recommend adding some newlines to such comments. Walls of text are not fun to read.

trollbridge

3 months ago

1 reply

... so you'd prefer that the only people doing this will be black-hat hackers who then sell the information on the black market?

array_key_first

2 months ago

I think nobody does, but ultimately our laws are stupid. The CFAA in particular can be unfairly weaponized to make examples, and can put people in prison for DECADES for activities that don't warrant such a response.

iancarroll

3 months ago

Good-faith security research[0] is the only way this industry will move forward, for better or worse. It is clear that most companies do not want to invest in anything further like VDPs.

[0] https://www.justice.gov/archives/opa/pr/department-justice-a...

Nextgrid

3 months ago

1 reply

What he did there could indeed be legally risky.

Remember that while for a lot of us this kind of security research & remediation is “fun”, “the right thing to do”, etc there are also people in our industry that are completely incompetent, don’t care about the quality of their work or whether it puts anyone at risk. They lucked their way into their position and are now moving up the ranks.

To such a person, your little “security research” adventure is the difference between a great day pretending to look busy and a terrible day actually being busy explaining themselves to higher ups (and potentially regulators) and get a bunch of unplanned work to rectify the issue (while they don’t care personally whether the site is vulnerable - otherwise they wouldn’t have let such a basic vulnerability slip through - now that there is a paper trail they have to act). They absolutely have a reason and incentive to blame you and attempt legal action to distract everyone from their incompetence.

The only way to be safe against such retaliation is to operate anonymously like an actual attacker. You can always reveal your identity later if you desire, but it gives you an effectively bulletproof shield for cases where you do get a hostile response.

aleph_minus_one

3 months ago

> while they don’t care personally whether the site is vulnerable - otherwise they wouldn’t have let such a basic vulnerability slip through

Even if they do care personally (which I would assume is often the case if the respect person is not an ignorant careerist), they often don't have the

- organizational power

- (office-)political backing

- necessary very qualified workforce

to be capable of deeply analyzing every line of code that gets deployed. :-(

Kaibu

3 months ago

2 replies

In Germany, the case of a company called "Modern Solution" has gained quite a bit of traction. An IT guy found a password, tried it on the company's phpmyadmin and reported that he could access their data. They sued him and the case went up to the highest German court, which acknowledged the lower court's decision to rule with the company. The IT guy got fined.

https://www.heise.de/news/Bundesverfassungsgericht-lehnt-Bes... (German article)

anal_reactor

3 months ago

1 reply

Lesson: instead of being the good guy and reporting shit, just sell it on black market.

2rsf

3 months ago

4 replies

(playing the devil's advocate here) But that's not the case- if you find someone's physical keys in the street, will try to open the neighbor's door with it? so why is it ok to use a password that you "found" to log into a site?

abustamam

3 months ago

1 reply

Curiosity. I once dropped my keys on the way to my leasing office. I searched the entire complex and office for my keys. Then I saw a guy at the mailboxes trying to open each one, one by one.* I asked if he needed help and he just said he found some keys on the ground and wanted to find out who they belonged to. They were mine. And my mailbox was in the other side of the complex so all bets were off for him anyway.

It costs next to nothing to try out a key in multiple places in the same proximity. Once you start going door to door using a random key you found, that's suspicious.

*it occurs to me now that I write this that this behavior is suspicious as well and probably illegal. He should have turned it into the leasing office.

mmmlinux

3 months ago

1 reply

that actually maybe super illegal if they are usps mailboxes.

abustamam

3 months ago

1 reply

They... Probably are? They were my complexs mailboxes but only usps has access to them.

garyfirestorm

3 months ago

Instructions unclear - any key I find now onwards I’ll mail it to this guys leasing office.

dylan604

3 months ago

1 reply

If I don't try the keys in my neighbor's door, how will I know which neighbor they belong?

2rsf

3 months ago

It's even worse, you find a key that you know belonged to your neighbor so you try it out just in case in his door.

somehnguy

3 months ago

I don't think the common analogy of "key to a house" makes any sense. For starters, a significant portion of people in existence aren't trying to break into your house 24/7.

anal_reactor

3 months ago

No, it's different. I would compare it to my neighbor using a padlock with code combination. It takes 15 minutes to brute-force that. If I tell my neighbor that his padlock is shit and in response he sues me to oblivion, next time I'll just tell local thugs "hey here's the padlock, here's the code, do what you must", zero regrets, if the asshole insists on being an asshole just for the shits and giggles then so will I.

aleph_minus_one

3 months ago

Some additional relevant information:

When the changes that toughened the § 202 StGB were made in 2007, there were a lot of public rallies against it in which many programmers participated. These were ignored by the politicians in power. This (together with other worrying political events) even lead to a temporary upcoming of a new party (Piratenpartei) in Germany.

The fact that these rallies were ignored by the politicians in power lead to the situation that from then on by many programmers the German politicians got considered to be about as trustworthy as child molesters who have relapsed several times.

luxuryballs

3 months ago

2 replies

well at least it was a password hash :D

dmitrygr

3 months ago

1 reply

Don't get too excited. They never said what kind of hash. Given the rest of the site's security design, might have easily been unsalted md5

auxiliarymoose

3 months ago

1 reply

Or maybe rot26 — I've heard it's twice as secure as rot13!

mulmen

3 months ago

1 reply

It’s 2025, you should at least be on rot52.

Best practice guide: https://github.com/killerk3emstar/rot52

auxiliarymoose

3 months ago

Ah, thanks! Hard to keep up with this stuff. Next thing you know the boffins will tell us we need to switch to rot104 or even rot208 because of "post-quantum cryptography" or something.

Group_B

3 months ago

There's probably another rockyou out there waiting to happen

GEBBL

3 months ago

2 replies

Strange, the site is run by an Ian Carroll, but the examples show Sam Curry, who is a very famous bug bounty hunter.

captnasia

3 months ago

if you look at his other posts, it looks like they collaborate often.

gregschlom

3 months ago

From the post:

"Having been able to attend these events by hoarding airline miles and schmoozing certain cybersecurity vendors, Gal Nagli, Sam Curry, and I thought it would be fun to try and hack some of the different supporting websites for the Formula 1 events."

cathalc

3 months ago

2 replies

That is shamefully poor security.

gnerd00

3 months ago

wait until you see the party footage

daemonologist

3 months ago

It's hard to even call it security - it was just wide open...

I will say though, this kind of thing does wonders for my imposter syndrome.

whatever1

3 months ago

5 replies

Just use a framework to build your site. Don’t reinvent the wheel!

ChaseRensberger

3 months ago

5 replies

i respectfully disagree with this sentiment. i think that in general, reinventing the wheel can be a great learning opportunity in understanding how the wheel works.

AnimalMuppet

3 months ago

1 reply

It can. But it can be very bad at producing wheels that don't break.

adamtaylor_13

3 months ago

Not if you understand how the wheel works. That's the whole point.

catoc

3 months ago

1 reply

Reinventing the wheel for Formula 1 driving…

dmoy

3 months ago

Depending on the wheel, maybe. Nowadays it's more standardized - same rims for example. The tires are standardized.

There's a lot less freedom in reinventing the wheel in formula 1 nowadays

https://www.formula1-dictionary.net/wheels.html

The steering wheel of course isn't even a wheel anymore, for a long time. It's some video game console / airplane cockpit looking monstrosity.

atonse

3 months ago

Great to reinvent the wheel for your mom and pop blog, or to teach yourself these concepts and try to break in. But not for authn and authz for something official like this.

samarthr1

3 months ago

I funnily just read a whole Twitter thread that had this same thesis, not 45 minutes ago... What a small world

jonplackett

3 months ago

But maybe do that on a smaller scale personal project?

motorest

3 months ago

1 reply

> Just use a framework to build your site. Don’t reinvent the wheel!

How do you arrive at that conclusion after reading an article on how an API had a broken access control vulnerability?

renewiltord

3 months ago

He’s being sarcastic and suggesting using some out of the box rbac thing.

zikani_03

3 months ago

Mass assignment problems sometimes also come from (improper?) use of frameworks. This goes beyond frameworks and more about how thorough the testing and review of how the user account modification and access control is done.

maxbond

3 months ago

There are some vulnerabilities frameworks can address wholesale (like CSRF or XSS) as long as you keep to the blessed way of doing things, but they aren't able to save you from a complete failure to build authorization into your API. Like how seatbelts save lives but can't stop you from accelerating directly into a pole if you choose to do so.

homakov

3 months ago

Github used a framework tho.

forgotaccount22

3 months ago

2 replies

Archaic company has archaic security. Well done on the RD, but boy does it not surprise me one bit. Would almost be willing to bet that the hash was MD5 too.

veqq

3 months ago

3 replies

What hash do you use?

scq

3 months ago

1 reply

bcrypt is the industry standard.

maxbond

3 months ago

1 reply

`bcrypt` is probably the "standard" in the sense that it has the widest adoption, but since 2015 [1] the "standard" in terms of what you should recommend for new work has been `argon2id` (and you can find parameter recommendations here [2]).

[1] https://en.wikipedia.org/wiki/Password_Hashing_Competition

[2] https://cheatsheetseries.owasp.org/cheatsheets/Password_Stor...

tom1337

3 months ago

Also argon doesn't care about input length compared to bcrypt which only ever compares the first 72 bytes of a hash. Okta actually fell victim to this because they concatenated userid + username + password. If userid + password were over 72 bytes then the password would never be checked thus you could login with userid + username.

https://trust.okta.com/security-advisories/okta-ad-ldap-dele...

megous

3 months ago

yescrypt is very common these days, default in Debian

blitzar

3 months ago

im 1337 - I use plain text stored in a public s3 bucket

zozbot234

3 months ago

2 replies

It's an F1 racing site, their job is literally to move fast and break things. https://xkcd.com/1428/

olyjohn

3 months ago

2 replies

You break things in F1, you lose. Reliability and consistency is key.

zigman1

3 months ago

It seems like this, but it actually not true. What's interesting in F1 is that you have to find the right balance between innovation and consistency.

James Vowles, current Williams TP ordered his team to "break everything" in order to improve and change: https://youtu.be/nYzwvTSffiY?t=3129

What is often forgotten is, that all F1 cars are prototypes, they NEED to constantly change and innovate, and every year it starts from the beginning (almost).

There is a fantastic book called Total Competition, which is a conversation between two ex-team principles, one of them Ross Brawn, probably most successful F1 engineer. In it, Brawn says: "But where I think Formula One is very strong is in the culture. If you wanted to develop a concept and to drive things forward at maximum pace, utilize it in Formula One. The composite companies love Formula One because we are willing to try things. If they’ve got a new resin system or a new type of fibre, they give it to the Formula One teams to explore for them, to look at the applications and come back with the feedback. If they put it in the aerospace industry, five years later they would have an answer. Put it into Formula One and five months later they have got an answer"

alt227

3 months ago

Apart from the many many times where a teams R&D department has come up with a radical new idea for a machine part which gives them an advantage, and then all the other teams copy it making it the new standard. This is how F1 has evolved forever, by taking risks and experimenting. Not by reliability and consistency!

mikey_p

3 months ago

No, this is the FIA[1], not Formula 1. They are very very different organizations.

[1] https://en.wikipedia.org/wiki/F%C3%A9d%C3%A9ration_Internati... https://en.wikipedia.org/wiki/Formula_One_Group

LorenDB

3 months ago

2 replies

Ian, it would be great to see an RSS feed on your website if you want to gain another regular reader :)

heavyset_go

3 months ago

Seconding this

galnagliAuthor

3 months ago

Ian is a great writer

jacquesm

3 months ago

1 reply

That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.

I hope you got at least free tickets for life out of this.

skeezyjefferson

3 months ago

5 replies

> For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.

I hate this kind of post-hoc finger pointing people do after security breaches. There are other concerns in life beyond security - youre naive to think differently. Is your house secure or could somebody break past your protections? Have you harmed your defensive posture with negligence of security? Do you even care?

sebasvisser

3 months ago

1 reply

Sure, hate on the person pointing at the fire instead of the people holding the matches.

If you aren’t prepared to face criticism after a failure, you shouldn’t participate in a professional environment. Without people pointing out where it went wrong you’ll never j ow what to improve upon. Because if you knew, and chose not to act..now that would be a whole new level of incompetence.

skeezyjefferson

2 months ago

1 reply

it would be like every time a business gets broken into you berate them for their lack of physical security. nobody does it because that would be inane, and what you are doing is a straight analog to it

anonymous908213

2 months ago

If a bank holding your money gets broken into, everything is stolen, and the bank tells you your money is gone and you're not getting it back, do you think it would be within your rights to berate them or is that too mean? Because that's what the actual analogy here is. You're allowed to be lax with your security when you're the only victim of your negligence. When your lack of security causes other people to suffer harm, of course those people are going to have an issue.

zalusio

3 months ago

Security has to be the #1 priority in computing, unlike your house which probably doesn't need to be fortified like a prison. The reason is that unlike your house, a computer system is exposed to 8 billion people at all times, and maybe 7 billion of them will face no consequences if they break in and steal your stuff.

jacquesm

3 months ago

I get told at least a couple of times every month that security and business continuity are a complete waste of time for your average company. So this isn't post-hoc, it is more like 'the dumb fucks don't even practice the basics and they could - and should - have known better'.

zamadatix

3 months ago

I hope you never handle other people's PII with that attitude. It should well and beyond be treated more securely by a company collecting it than some random person's house or individual set up, there are laws about this.

margalabargala

3 months ago

That's what you choose for yourself.

How do you feel if that's also what your bank chooses for you?

awesome_dude

3 months ago

3 replies

Rule 1.

NEVER trust user supplied data.

Once that rule was broken, any other rules broken became clear to everyone

jacquesm

3 months ago

2 replies

You'd think that client side security would be something that we'd gotten over by now.

rpcope1

3 months ago

1 reply

You'd think but I keep meeting even "experienced" technical leadership that have been at this for a while that there's no way to get around validation and security that's implemented in client code.

cheschire

3 months ago

7 replies

I’ve used browser dev tools to regularly add additional drop down options to menus that weren’t present. Huel, for example, only offered 2 or 4 week subscriptions, so I added 3 weeks to it because that’s the frequency I needed, and it worked no problem. 3 weeks later my shakes arrived and every 3 weeks since.

mulmen

3 months ago

3 replies

Did you try adjusting price?

achairapart

3 months ago

1 reply

A kid in Hungary was arrested for exactly this (and it was a cheap bus ticket): https://www.bitdefender.com/en-us/blog/hotforsecurity/budape...

umanwizard

3 months ago

4 replies

It doesn’t seem crazy to me that someone should be arrested for that! It’s stealing. If someone came in my house and stole my property I’d expect them to be arrested, even if I had stupidly left the door wide open.

jacquesm

3 months ago

3 replies

Why are you on HN?

A kid showed up a bunch of big names. That's the equivalent of a kid walking into a bank and somehow making it into the vault, alerting security to the fact that it's possible without actually making off with all of the gold. That's on the bank, not on the kid. Nobody came into your house or stole your property. If they had the police likely wouldn't show up, nor would the case make the newspaper even if - hah, as if that happens - they made an arrest.

The only reason you are hearing about this is because someone at 'bigcorp' didn't want to accept responsibility for their fuckups, and so they used the law to come down on some kid which effectively did them a service, which costs society a large pile of money, further externalizing the cost of their fuckup.

motorest

3 months ago

4 replies

> A kid showed up a bunch of big names.

The kid purposely changed the price of a service to lower it to an insignificant fraction (reportedly from ~27£ to ~0.15£).

If that same kid went around a supermarket replacing price tags to lower the selling price, would you call it "showing up a bunch of big names"?

Say what you may about how broken and buggy the system was. Purposely misusing it for financial advantage is still a no-no.

jacquesm

3 months ago

How do you propose he would have been able to establish that this was indeed a vulnerability?

achairapart

3 months ago

Come on, a kid was just fooling around with the developer console and probably had a curiosity just like the comment above:

> Did you try adjusting price?

And he was punished for "hacking", not for stealing, and for indirectly putting to shame who was responsible for the epic fail.

daseiner1

3 months ago

if the kid could successfully modify the scanned value of physical barcodes a) that would be quite the feat and b) that would absolutely be showing up a bunch of big names

detaro

3 months ago

Did the kid go around changing price tags, or did they just show that it was possible?

spockz

3 months ago

1 reply

How did the arrest go? For all you know it was the local cop that took him to the station and put him under arrest. Not to necessarily punish but to imprint that even though the action was minimally invasive for a simple bus ticket, it applied on larger systems, could have a significant effect. So more as a simple friendly deterrent rather than arrest and spent some nights in jail.

abustamam

3 months ago

I don't think you can call any sort of arrest a simple friendly deterrent, or intended not to punish. That shit's traumatizing. Should he have done that? Probably not. But did he deserve arrest for finding a vulnerability? This could have been a conversation that didn't involve police. The kid could have helped them improve their systems instead of spending taxpayer dollars to send cops to the kid to arrest him.

umanwizard

3 months ago

> without actually making off with all of the gold

This is the key difference. The comment I was replying to implied that the transaction was actually completed, or at least I thought it did.

If the guy[0] didn't indeed actually benefit from the vulnerability then that is a very different story, and I don't think he should be arrested in that case.

0: not "kid" -- he is 18 which I assume is above the age of criminal responsibility in Hungary.

wqaatwt

3 months ago

1 reply

No. It’s if you were selling something in your house for $10. Somebody came in, crossed out the number on the tag, wrote down $1 and handed you a bill.

Then you took their money and gave them the item without saying anything.

Would seem like a weird situation but I don’t see how its theft.

LudwigNagasena

3 months ago

1 reply

I bet that would be most likely classified as shoplifting and/or fraud depending on jurisdiction.

wqaatwt

3 months ago

Or a form of negotiation if done in plain sight.

Nextgrid

3 months ago

According to the article the system was developed by a regional subsidiary of a German mobile telco, which already tells you everything you need to know about its quality, but on top of that it was rushed to launch in time for some sporting event and thus even less testing was done that would normally happen.

Here's a better article: https://techcrunch.com/2017/07/25/hungarian-hacker-arrested-... - it seems like this was good faith security research (he disclosed the issue after testing it) and he couldn't use the transport pass he "stole" because he didn't even live in their service area anyway.

This arrest had nothing to do with stealing and all to do with putting well-connected, incompetent people in a very uncomfortable position.

detaro

3 months ago

It's more that they walked by, saw your door open, popped their head in and then called for you to make sure you knew the door was open.

cheschire

3 months ago

1 reply

I am not malicious or willing to attempt theft. Academically though, in an official testing environment, that would be entertaining to attempt.

mulmen

3 months ago

Yeah I’m not suggesting that you adjust the price, just curious if they were passing price through the client as well.

Zekio

3 months ago

you can do this on surprisingly many websites, where they include the price in the url they redirect you to, when going to the payment provider, and even then often it is only protected by an md5 hash if it is verified

jacquesm

3 months ago

1 reply

What's insane is that there are countries where this is considered hacking, even if all you do is change the URL.

somefile-small.jpg -> somefile.jpg

abustamam

3 months ago

Black hat hacking or white hat hacking? Genuinely curious because a lot of these security write-ups can't happen without "hacking." which may explain why we don't get these security write-ups from folks in those countries.

anal_reactor

3 months ago

3 replies

My insurance company has different frontend password regex on registration page and on login page. My password passed the registration regex but fails the login regex. In order to log in, I need to manually remove the frontend-side password regex check.

ewoodrich

3 months ago

1 reply

Variant of this I've hit is the phone number validation rules at signup differs from the actual API call to send 2FA texts (or was changed between the time of original signup and login attempt) so I create an account successfully with a Google Voice number and then when I actually need to receive 2FA the message goes into the aether with no error surfaced at any point.

codethief

2 months ago

> Variant of this I've hit is the phone number validation rules at signup differs from the actual API call to send 2FA texts

Yeah, this is incredibly annoying, though to be fair, this can be a hard problem to solve. 3rd-party systems often don't tell you what their exact phone number validation rules are or silently update them, and then, to top it off, don't throw errors when validation fails. And more often than not, the 3rd-party system's developers also must have never heard of the Falsehoods programmers believe about phone numbers[0].

Source: I was responsible for adjusting phone number validation for a major ecommerce site in the past.

[0]: https://chromium.googlesource.com/external/libphonenumber/+/...

encom

3 months ago

Ever since I started using a password manager (a long time ago), I have encountered SO MANY password bugs. But one of the most frustrating issues, is when a website asks you to create a password, but does not tell you what length or characters are accepted. So you have to dumb down Keepass incrementally until it passes. A tedious game.

If your software doesn't accept this password, please change career immediately:

ú¨<¹7®fÍå0Á1n:1}Àº»ê:t]íw´¾ã\B²¸Æþ®M3_ø>$¼ÿa÷mH¦ñ%?6ñE$l#DhqI£«{'Ø"V^c4u

abustamam

3 months ago

This absolutely boggles my mind. My last insurance company let me create a 20 character PW but limited the password field on the login screen to 16 chars. I didn't think to futz around with the code so I just recreated a less secure password. I suspect many other less technical people either did that too or just called support.

There is zero excuse for that though. 16 chars is just way too short for a proper secure pass phrase, but at least make it consistent with password creation!

esseph

3 months ago

I love this so much

sgarland

3 months ago

Somewhere, there is a table with a `frequency` column, storing client-supplied values, and an application happily accepting them as-is.

This is why you normalize your tables and use FK Constraints - you aren’t going to catch all the edge cases in code. Let the DB be the final arbiter of validity, because it’s been tested to hell and back.

Re: Huel, that’s pretty smart. My rate of consumption is fairly consistent (usually 1x/day on weekdays), but occasionally I’ll have one on the weekend, so the given cadences worked for me. I do 2x 12-pack / 4 weeks to hit the free shipping tier.

umanwizard

3 months ago

That’s incredible

codethief

3 months ago

I did something similar on an airline website earlier this year: I wanted to change the date of my return flight and also make it an open jaw (i.e. leave from a different airport than where I had arrived). Changing my flights was included in my original fare, modulo the fare difference. Unfortunately, on their website the input text field for the airport I would be flying out from would get disabled a second or two into loading the "alternative flights search" page, and wouldn't allow me to make it an open jaw. So I fired up my browser dev tools and changed the value of the text field to the desired airport code. Suddenly, I was finding the flights I had been looking for – as it turns out, at no additional charge whatsoever.

hulitu

3 months ago

> You'd think that client side security would be something that we'd gotten over by now.

Well, we have passkeys. /s

nradov

3 months ago

1 reply

Never trust any data. Even if the data comes from a partner or internal system it could be compromised or defective.

logicallee

3 months ago

>Never trust any data. Even if the data comes from a partner or internal system it could be compromised or defective.

I don't even call it data anymore. I call it datain't.

coldpie

3 months ago

1 reply

Rule 0: Any networked computer should be considered semi-public. Don't store any information you do not want to be public, or give access to controls that you do not want to be publicly accessible, on a networked computer. There are simply too many vulnerabilities to assume otherwise.

normie3000

3 months ago

1 reply

I doubt there are many people in rich countries that follow this rule, given that smartphones are networked computers and people don't want their personal photos to he publicly accessible.

coldpie

3 months ago

> I doubt there are many people in rich countries that follow this rule

I agree, there definitely are many people who don't follow the rule! And so we get things like this, https://en.wikipedia.org/wiki/2014_celebrity_nude_photo_leak

paddleon

3 months ago

1 reply

missed opportunity to grant the authors a F1 super license and get the chance to actually drive one of the cars!

stingrae

3 months ago

If only that's all it takes

CSDude

3 months ago

1 reply

Imagine being a world class F1 driver and (someone) still have to upload your CV somewhere.

ddalex

3 months ago

a couple of weeks ago Verstappen raced in a "Advanced-amateur" competition in Germany - he had to be "trained" by an official instructor in a restricted car because he hadn't raced there before

I imagine the instructor "What could I teach Verstappen now..."

Aeolun

3 months ago

1 reply

They took the website offline on the same day it was reported! That’s amazing!

ehnto

3 months ago

1 reply

Yeah I thought that was good. The fix wasn't that long either given how fast enterprises like this usually operate.

Jeremy1026

3 months ago

I wonder how much the FIA being European affected the response. Would they have been as quick to react if they were American and knew they'd only be facing a relatively small class-action settlement?

olliebrkr

3 months ago

1 reply

HAX HAX HAX SUPERHAX HAX HAX (sorry)

timpattinson

3 months ago

du du du du..... hax verstappen

encom

3 months ago

Missed opportunity to delete Lance Stroll's license.

yieldcrv

3 months ago

responsible disclosure made you no money and even after that blogpost you still have to take the l33tcode interview

t1234s

3 months ago

Is this a case where the back end has no whitelisting of what fields are allowed to be written to for that specific endpoint?

Briannaj

3 months ago

my favorite type of hacking. reading the js an modifying the PUT. Works a lot more often than you expect.

braza

3 months ago

In 2025 I think most of the PII is just a legal liability for 99% of the cases.

I once saw a custom service where you could connect your data, like Mixpanel or some analytics, and the whole motto was that this service did not want any of your PII data, and even the employees and companies that could access all the anonymous data had pseudonyms (e.g., a company named "Ocean's Eleven" with the employees Billy, Reuben, Rusty, Benedict, Linus, Basher, and so on).

Does someone know any architectures or designs of applications (books or references) that take anonymity as default?

homakov

3 months ago

>The JSON HTTP response for updating our own profile contained the "roles" parameter, something that might allow us to escalate privileges if the PUT request was vulnerable to mass assignment. We began looking through the JavaScript for any logic related to this parameter.

Oh, here we go again. JavaScript brings mass assignment back. My efforts went in vein. Strong params, pls!

10 more comments available on Hacker News

View full discussion on Hacker News

ID: 45673130Type: storyLast synced: 11/22/2025, 11:47:55 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN