FIA hack for full F1 driver details

One for @Leo and other F1 fans

3 avid F1 fans and vulnerability hunters decided to see how safe drivers’ information is.

They created an account on an FIA website and then edited their details. They found that the JSON file had more information than just username and password; it also included roles. They then queried the FIA website for roles and found there were roles for FIA employees and Administrator. They changed the JSON file being sent to update their user profile to include the role Administrator. They got a success message back.

Upon logging back in, they had full admin access to the FIA system, including all drivers’ details, internal communications, meeting minutes etc.

They reported it responsibly and the bug was fixed within 24 hours.

2 Likes
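The flaw described in the post above is a mass-assignment bug: the profile-update endpoint accepted a client-supplied role. As an added example (not code from the FIA system or from the researchers), here is that kind of handler beside a hardened one that allowlists writable fields and records rejected attempts. All field names, the `User` role and the in-memory record are assumptions.

```python
# Constructed illustration: field names, the "User" role and the in-memory
# record are assumptions, not details of the FIA system.
import copy

SELF_EDITABLE = {"display_name", "email", "phone"}   # fields a user may change
PRIVILEGED = {"roles", "id", "is_staff"}             # server-controlled fields


def update_profile_vulnerable(user: dict, body: dict) -> dict:
    """Mass assignment: every key in the request body is copied onto the record."""
    updated = copy.deepcopy(user)
    updated.update(body)          # "roles" in the body is accepted like any field
    return updated


def update_profile_hardened(user: dict, body: dict, audit: list) -> dict:
    """Allowlist the writable fields; reject and record anything else."""
    unexpected = set(body) - SELF_EDITABLE
    if unexpected:
        # A write to a server-controlled field is a detection signal, so log it.
        audit.append({
            "user_id": user["id"],
            "event": "profile_update_rejected",
            "fields": sorted(unexpected),
            "privileged": sorted(unexpected & PRIVILEGED),
        })
        raise PermissionError(f"fields not writable: {sorted(unexpected)}")
    updated = copy.deepcopy(user)
    updated.update({k: body[k] for k in SELF_EDITABLE & set(body)})
    return updated


def demo():
    user = {"id": 1001, "display_name": "fan", "email": "fan@example.test",
            "phone": "", "roles": ["User"]}
    # Constructed request body: a normal edit plus a role the client must not set.
    body = {"display_name": "fan2", "roles": ["Administrator"]}
    audit = []
    vulnerable = update_profile_vulnerable(user, body)
    try:
        update_profile_hardened(user, body, audit)
        rejected = False
    except PermissionError:
        rejected = True
    clean = update_profile_hardened(user, {"display_name": "fan2"}, audit)
    return vulnerable["roles"], rejected, clean["roles"], audit


if __name__ == "__main__":
    print(demo())
```

Role changes belong on a separate, admin-only code path that checks the caller's authorization on the server, never on the self-service profile endpoint.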