Researchers discover vulnerability on the FIA website that exposes drivers data

On June 3, 2025, researchers Gal Nagli, Sam Curry, and Ian Carroll reported a critical vulnerability in the International Automobile Federation (FIA) driver classification portal. The vulnerability allowed a user with limited permissions to change their own role within the system (for example, from normal user to administrator). Thanks to this role change, they could gain access to the FIA portal's administration panel, which is normally restricted to authorized personnel only.

From this portal, the researchers noted that it was possible to view and download confidential driver information, including passports, resumes, password hashes, and other personal information, as well as internal communications between users and employees.

The FIA responded to the researchers' warning by deactivating the portal to mitigate the risk and correct the error. The vulnerability was caused by a failure in the access controls to the API of the portal.

On June 10, the vulnerability was patched and the driver categorization portal was restored. The FIA also conducted an investigation that confirmed that the vulnerability had not been exploited by a malicious attacker.

Finally, the FIA, in collaboration with the researchers, has assured that it will take additional measures to strengthen the security of its platforms and prevent future incidents. In addition, it has indicated that it will follow the appropriate procedures to notify affected users in accordance with privacy and data protection regulations.