Just days before the 2025 Mexican Grand Prix, a group of cybersecurity researchers uncovered a critical vulnerability in an official portal of the Fédération Internationale de l'Automobile (FIA), which allowed unrestricted access to confidential information on several drivers — including personal documents belonging to Max Verstappen.
The flaw was discovered by Gal Nagli, Sam Curry, and Ian Carroll, who published technical details on how they were able to access the system at driverscategorisation.fia.com, a key platform where drivers apply for or update their professional licenses. The portal did not check which fields a logged-in user was allowed to change, so adding an administrator role to an ordinary profile-update request was enough to gain full administrator access.
“The server trusted anything we sent to it without checking whether we had the right to change those fields,” Nagli explained on X (formerly Twitter).
With that level of access, the researchers were able to enter the FIA’s admin panel and view everything from ID documents and licenses to internal emails between staff and certification committees. While the access was ethical and responsibly reported, the incident raises serious concerns about cybersecurity at the heart of the world’s most high-tech sport.
This scandal comes at a particularly sensitive time for F1, with media attention focused on the upcoming race in Mexico — and with Verstappen among the most closely watched and exposed drivers in the breach.
The portal driverscategorisation.fia.com — where drivers and applicants request their official classification (Bronze, Silver, Gold, or Platinum) — allows any user to create an account, upload their racing history, and await evaluation by the FIA committee.
During a routine review using a regular user account, the cybersecurity researchers noticed something strange in the server’s response: a field called “roles” appeared, listing the various access levels available.
Curious, they modified that field in the request their browser sent, setting it to an administrator role. When they logged in again with that small change, the site's interface completely transformed: it no longer showed a driver profile, but the full administrative panel.
“We became administrators with a single request,” Ian Carroll wrote in his technical blog.
From there, the researchers accessed all the internal tools of the system: driver applications, personal documents, staff comments, and even user management functions.
To verify the full scope of the vulnerability, the team searched for the profile of Max Verstappen, the current four-time world champion, and they were indeed able to view documents such as his passport, racing license, professional résumé, and emails exchanged with the FIA.
That said, they acted responsibly: they made it clear they did not download, share, or store any confidential information. They only took screenshots as technical evidence to report the issue.
“We confirmed the vulnerability existed, took sample screenshots, and immediately stopped testing. No driver data was compromised by us,” explained Gal Nagli on X.
But the risk went far beyond personal files. The researchers also found internal messages regarding driver performance, private evaluations, and sensitive decisions made by certification committees — all of which could have been easily tampered with by a malicious actor.
As soon as they identified the issue, the researchers reported it directly to the FIA on June 3, 2025, using both email and LinkedIn to ensure the message got through. The response was swift: that same day, the FIA took the website offline to investigate thoroughly.
One week later, on June 10, the organization confirmed that it had applied a comprehensive security patch, permanently closing the vulnerability.
The experts praised the FIA’s response:
“We worked with the FIA to resolve the issue immediately. We're grateful to the team for taking it seriously and reacting quickly,” Nagli wrote on X.
The vulnerability was finally disclosed publicly on October 22, 2025 — just four days before the Mexican Grand Prix, one of the most high-profile events on the Formula 1 calendar.
Though the issue has now been resolved, the incident sends a stark warning: even the world’s biggest and most technologically advanced organizations are vulnerable to basic security flaws.
The fact that a simple request modification could grant full backend access to an official FIA system is a critical failure — one that could have been exploited with far more serious consequences.
Had it fallen into the wrong hands, this vulnerability could have led to identity theft, leaked contracts, tampered driver records, or even manipulated evaluations that directly influence sporting decisions.
And in a sport like Formula 1 — where every data point, millisecond, and strategy matters — this kind of breach doesn't just threaten driver privacy, it could directly impact performance and competitive fairness.
According to experts, this flaw is a textbook example of a well-known weakness called "mass assignment" (CWE-915), a common bug in APIs that bind request data directly onto server-side objects. In simple terms, the server does not restrict which attributes a user is allowed to change and accepts any value sent to it, even if that means turning an ordinary account into an administrator.
This kind of error might sound technical, but its impact is very real: anyone who can inspect and replay their own browser's requests can add a field the server never meant to expose and gain access they should never have. From there, the risks range from account tampering to document theft and even internal sabotage. The standard fix is an explicit allowlist of client-editable fields, with privileged attributes such as roles changed only through a separate path that checks the caller's authorization.
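To make the pattern from the discovery (the extra "roles" field in the profile-update request) and the "mass assignment" explanation concrete, here is an added example that is not the FIA's code: the portal's real stack, endpoints and field names are not public, so the user record, the field allowlist and the attacker payload below are all constructed for illustration. It shows the vulnerable binding beside its hardened form, plus the separate admin-only path that is the only legitimate way to change roles.

```python
"""Mass assignment on a profile-update endpoint: vulnerable vs. hardened.

Added example, not the FIA portal's code. The schema, field names and the
attacker payload are assumptions for illustration only.
"""
import json

# Fields a user may edit on their own profile (hypothetical allowlist).
UPDATABLE_FIELDS = frozenset({"name", "phone", "racing_history"})
# Privileged fields that must never be bound from a client request.
PROTECTED_FIELDS = frozenset({"id", "email", "roles"})

# Constructed attacker payload: a normal profile edit with one extra key.
ATTACK_BODY = '{"name": "Sample Driver", "roles": ["ADMIN"]}'


def make_user(roles=("DRIVER",)):
    """Constructed sample record standing in for one row of the user store."""
    return {
        "id": 42,
        "email": "driver@example.invalid",
        "name": "Sample Driver",
        "racing_history": [],
        "roles": list(roles),  # server-controlled; see set_roles()
    }


class ForbiddenField(ValueError):
    """Raised when a client tries to set a field it may not control."""


def is_admin(user):
    return "ADMIN" in user.get("roles", [])


def vulnerable_update(user, body):
    """Mass assignment: every key in the JSON body is written onto the record.

    This is the pattern the article describes. A client-supplied `roles`
    value is stored exactly like `name` would be.
    """
    user.update(json.loads(body))
    return user


def hardened_update(user, body):
    """Allowlist binding: copy only editable fields and fail loudly otherwise,
    so an attempt to touch `roles` shows up in logs instead of being dropped.
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("profile update must be a JSON object")
    privileged = set(data) & PROTECTED_FIELDS
    if privileged:
        raise ForbiddenField(
            f"client attempted to set protected field(s): {sorted(privileged)}"
        )
    unknown = set(data) - UPDATABLE_FIELDS
    if unknown:
        raise ValueError(f"unknown field(s): {sorted(unknown)}")
    for key in UPDATABLE_FIELDS & set(data):
        user[key] = data[key]
    return user


def set_roles(actor, target, roles):
    """The only path that changes roles: authorization is checked on the caller,
    never inferred from the request body.
    """
    if not is_admin(actor):
        raise PermissionError("only an administrator may assign roles")
    target["roles"] = list(roles)
    return target


def attempt(update_fn, body):
    """Runs one update against a fresh sample user.

    Returns (caller_became_admin, rejection_message_or_None).
    """
    user = make_user()
    try:
        update_fn(user, body)
    except ValueError as exc:  # ForbiddenField is a ValueError subclass
        return is_admin(user), str(exc)
    return is_admin(user), None


if __name__ == "__main__":
    print("vulnerable:", attempt(vulnerable_update, ATTACK_BODY))
    print("hardened:  ", attempt(hardened_update, ATTACK_BODY))
    print("legit edit:", attempt(hardened_update, '{"name": "Renamed"}'))
```

The hardened handler rejects the request rather than silently stripping the field: a rejected write carrying a protected attribute is a strong detection signal, whereas a dropped one leaves no trace. In a real framework the same idea is expressed with an explicit DTO or serializer that lists the client-writable fields, never a generic "bind the whole body onto the model" call.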
This incident was contained in time, but it leaves behind a crucial lesson: digital security can no longer be treated as an afterthought in modern motorsport.