That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.
I hope you got at least free tickets for life out of this.
Archaic company has archaic security. Well done on the RD, but boy does it not surprise me one bit. Would almost be willing to bet that the hash was MD5 too.
`bcrypt` is probably the "standard" in the sense that it has the widest adoption, but since 2015 [1] the "standard" in terms of what you should recommend for new work has been `argon2id` (and you can find parameter recommendations here [2]).
Just out of interest have you had any legal threats etc from this kind of probing if they don't have explicit bug bounty programs? Also do you ever get offered bounties in on reporting where there wasn't a program?
The kind of probing they did and described in the blogpost, with the attempt to raise their privileges to admin is legally fishy AIUI. Usually this kind of thing would be part of a formal, agreed-to "red teaming" or "penetration testing" exercise, precisely to avoid any kind of legal liability and establish necessary guidelines. Calling an attempted access "ethical" after the fact is not enough.
When I was still in university I reported a vulnerability and when the company started threatening me with legal action, my professor wrote a strongly worded email and they dropped it. Haven't had it since in 8 years. Feels like many companies understand what we do now, atleast compared to 10 years ago.
Actual legal threats are uncommon but I have seen some companies try to offer a bribe disguised as a retroactive bug bounty program, in exchange for not publishing. Obviously it is important to decline that.
I was blown away while traveling to Europe that -for- GDPR purposes, the property manager of the place we were renting required the passport info of everyone that was staying on the property.
In order to "ensure our information was being handled properly," we needed to hand it over via email, in a shoddy PDF form.
Whatever the intent was of consumer data protection, it has already profoundly been weaponized (at worst), and turned into leaky surface area (at best).
Many countries in Europe require you to register with the local police any visitors you are hosting and pay a visitor's tax: this is why hotels would ask for the same documents too.
GDPR should help ensure they only keep the passport data until they complete the registration, and then remove it after some time or at your request.
They may have said that process was related to GDPR, but that was either a lie or someone with so little understanding for basic laws that I wonder about their capability to conduct business at all.
Everything about this is prohibited and discouraged under GDPR.
"Having been able to attend these events by hoarding airline miles and schmoozing certain cybersecurity vendors, Gal Nagli, Sam Curry, and I thought it would be fun to try and hack some of the different supporting websites for the Formula 1 events."
i respectfully disagree with this sentiment. i think that in general, reinventing the wheel can be a great learning opportunity in understanding how the wheel works.
That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.
I hope you got at least free tickets for life out of this.
Rule 1.
NEVER trust user supplied data.
Once that rule was broken, any other rules broken became clear to everyone
Ian, it would be great to see an RSS feed on your website if you want to gain another regular reader :)
Seconding this
Ian is a great writer
That is shamefully poor security.
wait until you see the party footage
missed opportunity to grant the authors a F1 super license and get the chance to actually drive one of the cars!
Archaic company has archaic security. Well done on the RD, but boy does it not surprise me one bit. Would almost be willing to bet that the hash was MD5 too.
What hash do you use?
bcrypt is the industry standard.
`bcrypt` is probably the "standard" in the sense that it has the widest adoption, but since 2015 [1] the "standard" in terms of what you should recommend for new work has been `argon2id` (and you can find parameter recommendations here [2]).
[1] https://en.wikipedia.org/wiki/Password_Hashing_Competition
[2] https://cheatsheetseries.owasp.org/cheatsheets/Password_Stor...
It's an F1 racing site, their job is literally to move fast and break things. https://xkcd.com/1428/
No, this is the FIA[1], not Formula 1. They are very very different organizations.
[1] https://en.wikipedia.org/wiki/F%C3%A9d%C3%A9ration_Internati... https://en.wikipedia.org/wiki/Formula_One_Group
You break things in F1, you lose. Reliability and consistency is key.
Just out of interest have you had any legal threats etc from this kind of probing if they don't have explicit bug bounty programs? Also do you ever get offered bounties in on reporting where there wasn't a program?
The kind of probing they did and described in the blogpost, with the attempt to raise their privileges to admin is legally fishy AIUI. Usually this kind of thing would be part of a formal, agreed-to "red teaming" or "penetration testing" exercise, precisely to avoid any kind of legal liability and establish necessary guidelines. Calling an attempted access "ethical" after the fact is not enough.
When I was still in university I reported a vulnerability and when the company started threatening me with legal action, my professor wrote a strongly worded email and they dropped it. Haven't had it since in 8 years. Feels like many companies understand what we do now, atleast compared to 10 years ago.
Actual legal threats are uncommon but I have seen some companies try to offer a bribe disguised as a retroactive bug bounty program, in exchange for not publishing. Obviously it is important to decline that.
I was blown away while traveling to Europe that -for- GDPR purposes, the property manager of the place we were renting required the passport info of everyone that was staying on the property.
In order to "ensure our information was being handled properly," we needed to hand it over via email, in a shoddy PDF form.
Whatever the intent was of consumer data protection, it has already profoundly been weaponized (at worst), and turned into leaky surface area (at best).
As pointed out, this is unrelated to GDPR.
Many countries in Europe require you to register with the local police any visitors you are hosting and pay a visitor's tax: this is why hotels would ask for the same documents too.
GDPR should help ensure they only keep the passport data until they complete the registration, and then remove it after some time or at your request.
They may have said that process was related to GDPR, but that was either a lie or someone with so little understanding for basic laws that I wonder about their capability to conduct business at all.
Everything about this is prohibited and discouraged under GDPR.
Strange, the site is run by an Ian Carroll, but the examples show Sam Curry, who is a very famous bug bounty hunter.
From the post:
"Having been able to attend these events by hoarding airline miles and schmoozing certain cybersecurity vendors, Gal Nagli, Sam Curry, and I thought it would be fun to try and hack some of the different supporting websites for the Formula 1 events."
if you look at his other posts, it looks like they collaborate often.
Imagine being a world class F1 driver and (someone) still have to upload your CV somewhere.
Just use a framework to build your site. Don’t reinvent the wheel!
i respectfully disagree with this sentiment. i think that in general, reinventing the wheel can be a great learning opportunity in understanding how the wheel works.
But maybe do that on a smaller scale personal project?
Reinventing the wheel for Formula 1 driving…
Depending on the wheel, maybe. Nowadays it's more standardized - same rims for example. The tires are standardized.
There's a lot less freedom in reinventing the wheel in formula 1 nowadays
https://www.formula1-dictionary.net/wheels.html
The steering wheel of course isn't even a wheel anymore, for a long time. It's some video game console / airplane cockpit looking monstrosity.
I funnily just read a whole Twitter thread that had this same thesis, not 45 minutes ago... What a small world
It can. But it can be very bad at producing wheels that don't break.
Not if you understand how the wheel works. That's the whole point.
> Just use a framework to build your site. Don’t reinvent the wheel!
How do you arrive at that conclusion after reading an article on how an API had a broken access control vulnerability?
He’s being sarcastic and suggesting using some out of the box rbac thing.
well at least it was a password hash :D
Don't get too excited. They never said what kind of hash. Given the rest of the site's security design, might have easily been unsalted md5
Or maybe rot26 — I've heard it's twice as secure as rot13!
There's probably another rockyou out there waiting to happen