That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.
I hope you got at least free tickets for life out of this.
Just out of interest have you had any legal threats etc from this kind of probing if they don't have explicit bug bounty programs? Also do you ever get offered bounties in on reporting where there wasn't a program?
The kind of probing they did and described in the blogpost, with the attempt to raise their privileges to admin is legally fishy AIUI. Usually this kind of thing would be part of a formal, agreed-to "red teaming" or "penetration testing" exercise, precisely to avoid any kind of legal liability and establish necessary guidelines. Calling an attempted access "ethical" after the fact is not enough.
Good-faith security research[0] is the only way this industry will move forward, for better or worse. It is clear that most companies do not want to invest in anything further like VDPs.
Actual legal threats are uncommon but I have seen some companies try to offer a bribe disguised as a retroactive bug bounty program, in exchange for not publishing. Obviously it is important to decline that.
When I was still in university I reported a vulnerability and when the company started threatening me with legal action, my professor wrote a strongly worded email and they dropped it. Haven't had it since in 8 years. Feels like many companies understand what we do now, atleast compared to 10 years ago.
Archaic company has archaic security. Well done on the RD, but boy does it not surprise me one bit. Would almost be willing to bet that the hash was MD5 too.
`bcrypt` is probably the "standard" in the sense that it has the widest adoption, but since 2015 [1] the "standard" in terms of what you should recommend for new work has been `argon2id` (and you can find parameter recommendations here [2]).
"Having been able to attend these events by hoarding airline miles and schmoozing certain cybersecurity vendors, Gal Nagli, Sam Curry, and I thought it would be fun to try and hack some of the different supporting websites for the Formula 1 events."
Many countries in Europe require you to register with the local police any visitors you are hosting and pay a visitor's tax: this is why hotels would ask for the same documents too.
GDPR should help ensure they only keep the passport data until they complete the registration, and then remove it after some time or at your request.
They may have said that process was related to GDPR, but that was either a lie or someone with so little understanding for basic laws that I wonder about their capability to conduct business at all.
Everything about this is prohibited and discouraged under GDPR.
Mass assignment problems sometimes also come from (improper?) use of frameworks. This goes beyond frameworks and more about how thorough the testing and review of how the user account modification and access control is done.
There are some vulnerabilities frameworks can address wholesale (like CSRF or XSS) as long as you keep to the blessed way of doing things, but they aren't able to save you from a complete failure to build authorization into your API. Like how seatbelts save lives but can't stop you from accelerating directly into a pole if you choose to do so.
i respectfully disagree with this sentiment. i think that in general, reinventing the wheel can be a great learning opportunity in understanding how the wheel works.
Great to reinvent the wheel for your mom and pop blog, or to teach yourself these concepts and try to break in. But not for authn and authz for something official like this.
That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.
I hope you got at least free tickets for life out of this.
Rule 1.
NEVER trust user supplied data.
Once that rule was broken, any other rules broken became clear to everyone
Never trust any data. Even if the data comes from a partner or internal system it could be compromised or defective.
You'd think that client side security would be something that we'd gotten over by now.
Ian, it would be great to see an RSS feed on your website if you want to gain another regular reader :)
Ian is a great writer
Seconding this
missed opportunity to grant the authors a F1 super license and get the chance to actually drive one of the cars!
If only that's all it takes
That is shamefully poor security.
It's hard to even call it security - it was just wide open...
I will say though, this kind of thing does wonders for my imposter syndrome.
wait until you see the party footage
Just out of interest have you had any legal threats etc from this kind of probing if they don't have explicit bug bounty programs? Also do you ever get offered bounties in on reporting where there wasn't a program?
The kind of probing they did and described in the blogpost, with the attempt to raise their privileges to admin is legally fishy AIUI. Usually this kind of thing would be part of a formal, agreed-to "red teaming" or "penetration testing" exercise, precisely to avoid any kind of legal liability and establish necessary guidelines. Calling an attempted access "ethical" after the fact is not enough.
Good-faith security research[0] is the only way this industry will move forward, for better or worse. It is clear that most companies do not want to invest in anything further like VDPs.
[0] https://www.justice.gov/archives/opa/pr/department-justice-a...
Actual legal threats are uncommon but I have seen some companies try to offer a bribe disguised as a retroactive bug bounty program, in exchange for not publishing. Obviously it is important to decline that.
Thanks, its cool to hear attitudes have changed.
When I was still in university I reported a vulnerability and when the company started threatening me with legal action, my professor wrote a strongly worded email and they dropped it. Haven't had it since in 8 years. Feels like many companies understand what we do now, atleast compared to 10 years ago.
Archaic company has archaic security. Well done on the RD, but boy does it not surprise me one bit. Would almost be willing to bet that the hash was MD5 too.
What hash do you use?
bcrypt is the industry standard.
`bcrypt` is probably the "standard" in the sense that it has the widest adoption, but since 2015 [1] the "standard" in terms of what you should recommend for new work has been `argon2id` (and you can find parameter recommendations here [2]).
[1] https://en.wikipedia.org/wiki/Password_Hashing_Competition
[2] https://cheatsheetseries.owasp.org/cheatsheets/Password_Stor...
yescrypt is very common these days, default in Debian
It's an F1 racing site, their job is literally to move fast and break things. https://xkcd.com/1428/
No, this is the FIA[1], not Formula 1. They are very very different organizations.
[1] https://en.wikipedia.org/wiki/F%C3%A9d%C3%A9ration_Internati... https://en.wikipedia.org/wiki/Formula_One_Group
You break things in F1, you lose. Reliability and consistency is key.
Strange, the site is run by an Ian Carroll, but the examples show Sam Curry, who is a very famous bug bounty hunter.
From the post:
"Having been able to attend these events by hoarding airline miles and schmoozing certain cybersecurity vendors, Gal Nagli, Sam Curry, and I thought it would be fun to try and hack some of the different supporting websites for the Formula 1 events."
if you look at his other posts, it looks like they collaborate often.
well at least it was a password hash :D
Don't get too excited. They never said what kind of hash. Given the rest of the site's security design, might have easily been unsalted md5
Or maybe rot26 — I've heard it's twice as secure as rot13!
There's probably another rockyou out there waiting to happen
responsible disclosure made you no money and even after that blogpost you still have to take the l33tcode interview
Imagine being a world class F1 driver and (someone) still have to upload your CV somewhere.
[dead]
[flagged]
As pointed out, this is unrelated to GDPR.
Many countries in Europe require you to register with the local police any visitors you are hosting and pay a visitor's tax: this is why hotels would ask for the same documents too.
GDPR should help ensure they only keep the passport data until they complete the registration, and then remove it after some time or at your request.
They may have said that process was related to GDPR, but that was either a lie or someone with so little understanding for basic laws that I wonder about their capability to conduct business at all.
Everything about this is prohibited and discouraged under GDPR.
All hotels I stay at in all countries require my passport. OK, not the usa but there they want my driver's license.
You were lied to.
Just use a framework to build your site. Don’t reinvent the wheel!
Mass assignment problems sometimes also come from (improper?) use of frameworks. This goes beyond frameworks and more about how thorough the testing and review of how the user account modification and access control is done.
There are some vulnerabilities frameworks can address wholesale (like CSRF or XSS) as long as you keep to the blessed way of doing things, but they aren't able to save you from a complete failure to build authorization into your API. Like how seatbelts save lives but can't stop you from accelerating directly into a pole if you choose to do so.
i respectfully disagree with this sentiment. i think that in general, reinventing the wheel can be a great learning opportunity in understanding how the wheel works.
Great to reinvent the wheel for your mom and pop blog, or to teach yourself these concepts and try to break in. But not for authn and authz for something official like this.
But maybe do that on a smaller scale personal project?
Reinventing the wheel for Formula 1 driving…
Depending on the wheel, maybe. Nowadays it's more standardized - same rims for example. The tires are standardized.
There's a lot less freedom in reinventing the wheel in formula 1 nowadays
https://www.formula1-dictionary.net/wheels.html
The steering wheel of course isn't even a wheel anymore, for a long time. It's some video game console / airplane cockpit looking monstrosity.
I funnily just read a whole Twitter thread that had this same thesis, not 45 minutes ago... What a small world
It can. But it can be very bad at producing wheels that don't break.
Not if you understand how the wheel works. That's the whole point.
> Just use a framework to build your site. Don’t reinvent the wheel!
How do you arrive at that conclusion after reading an article on how an API had a broken access control vulnerability?
He’s being sarcastic and suggesting using some out of the box rbac thing.