
Lessons from the Formula 1 API Vulnerability

In late October 2025, the cybersecurity researcher Ian Carroll discovered a serious vulnerability in an FIA (Fédération Internationale de l’Automobile) web portal—the system responsible for managing racing driver licenses and categories.

The security flaw exposed sensitive personal data, including copies of passports and ID documents, for hundreds of professional drivers. One of them was the high-profile Formula 1 driver Max Verstappen. The problem stemmed from insecure access control in a public-facing API.

This issue was responsibly disclosed by the researcher and promptly patched by the FIA, so it did not end in an actual data privacy failure. Still, it highlighted a recurring pattern across many organizations: vulnerable APIs are behind many modern breaches, and even well-funded organizations can expose sensitive data through simple logic or access-control flaws.

We see this incident as a textbook example of how timely API security testing can detect and prevent vulnerabilities long before they become breach headlines.

What Happened?

In short, Ian Carroll and his collaborators found that:

  • The FIA web application’s API accepted a driver ID parameter without properly validating user permissions.
  • Attackers could enumerate IDs and retrieve sensitive driver data through insecure direct object references (IDOR).
  • The API response included highly sensitive PII, such as passport scans and contact information.

In technical terms, this was a combination of Broken Object Level Authorization (BOLA) and excessive data exposure vulnerabilities, as defined in the OWASP Top 10 API Security Risks – 2023. The result was the unintended disclosure of sensitive personal information.
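To make the two flaw classes concrete, here is an added illustration (not the FIA's code or anything taken from the report): a minimal "get driver by ID" handler that authenticates but never authorizes and returns the raw record, beside a hardened version that enforces object-level authorization and returns a curated view. The records, roles and field names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "driver" or "steward"

# Constructed sample records; "passport_scan" stands in for the kind of
# document payload the page says the real API returned.
DRIVERS: Dict[int, dict] = {
    101: {"id": 101, "name": "Driver A", "category": "Gold",
          "email": "a@example.invalid", "passport_scan": "<scan-A>"},
    102: {"id": 102, "name": "Driver B", "category": "Silver",
          "email": "b@example.invalid", "passport_scan": "<scan-B>"},
}

def get_driver_vulnerable(caller: Optional[User], driver_id: int) -> Tuple[int, Optional[dict]]:
    """Authentication only: any logged-in caller may read any driver_id,
    and the full record is returned (BOLA plus excessive data exposure)."""
    if caller is None:
        return 401, None
    record = DRIVERS.get(driver_id)
    return (200, record) if record else (404, None)

def get_driver_fixed(caller: Optional[User], driver_id: int) -> Tuple[int, Optional[dict]]:
    """Object-level authorization plus a curated response: the caller must
    own the record or hold a privileged role, and document scans never leave
    the server regardless of who asks."""
    if caller is None:
        return 401, None
    record = DRIVERS.get(driver_id)
    if record is None or (caller.user_id != driver_id and caller.role != "steward"):
        # Same 404 for "missing" and "not yours", so responses do not reveal which ids exist.
        return 404, None
    view = {k: record[k] for k in ("id", "name", "category")}
    if caller.user_id == driver_id:
        view["email"] = record["email"]  # contact details only to the owner
    return 200, view
```

The fix is two separate controls: the ownership/role check closes the BOLA, and building the response from an allowlist of fields closes the excessive data exposure even for callers who are authorized.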

Manual Vulnerability Discovery: Effective but Unsustainable

What Carroll and his colleagues did here was essentially manual penetration testing. And it’s one of the best ways to find API vulnerabilities that routinely fly under the radar of traditional web application security solutions, such as DAST, WAF, and WAAP.

However, manual penetration testing typically occurs only once or twice a year, either after a release or during compliance audits. Its value is hard to deny, as this API vulnerability discovery shows, but on its own this cadence is hardly adequate for the current pace of API development and the current threat climate (especially if we factor in the growing role of APIs in the widespread adoption of AI agents):

  • Static coverage: Manual testers can’t feasibly test every endpoint or parameter combination.
  • Time-limited engagement: Vulnerabilities introduced between tests remain undetected for months.
  • Inconsistent validation: Developers may deploy new code without retesting existing endpoints.
  • High price point: Formal penetration testing, as part of a strategic security plan, can be extremely costly, especially when performed by highly experienced, talented, and skilled penetration testers or external penetration testing services.

The much more feasible solution? Automated, continuous API penetration testing, enhanced by AI-driven agents that emulate attacker behavior at scale.

Toward Continuous API Security

An AI-assisted API security testing platform like Equixly would have detected this vulnerability during development or QA. And here’s how:

  • Dynamic API discovery: Equixly automatically maps all accessible endpoints, including those not documented in the API specification.
  • Access control testing: The platform tests how endpoints respond to unauthorized requests and systematically detects IDOR and privilege escalation issues.
  • Continuous validation: Since Equixly integrates into CI/CD pipelines, every code change triggers security regression tests, ensuring that vulnerabilities don’t reappear.

By notifying FIA development and security teams of the access control flaw during staging, and triggering an appropriate response, Equixly could have prevented this exposure before it ever reached production.

[Figure: A sensitive data exposure vulnerability discovered and shown in Equixly's dashboard]

Lessons for Security and DevOps Teams

The FIA case is a reminder that API security isn’t just about firewalls and compliance—it’s about systematic validation on a large scale.

Lessons learned:

  • Automate for frequency and depth: Use automation for tasks such as API scanning, access control tests, and parameter fuzzing to enable more frequent, in-depth testing that human teams can’t easily replicate.
  • Integrate security early: Shift left and incorporate security throughout the CI/CD pipeline, not just at the end.
  • Continuously test API behavior: New vulnerabilities can emerge from minor, almost imperceptible changes.
  • Treat security as an engineering discipline, not a checklist.
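As an added example of the automated access-control tests the lessons above call for (illustrative code, not Equixly's product or the FIA's test suite): a differential authorization check that replays object reads under each test identity, flags any successful read of an object the identity does not own (BOLA/IDOR), and flags any response carrying a denylisted sensitive field. The endpoint stubs, identities and denylist are constructed.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed denylist of fields that an API response should never carry.
SENSITIVE_FIELDS = {"passport_scan", "id_document", "date_of_birth"}

ApiCall = Callable[[str, int], Tuple[int, Optional[dict]]]

def find_authz_findings(api: ApiCall, ownership: Dict[str, Set[int]]) -> List[str]:
    """ownership maps each test identity to the object ids it legitimately owns.
    Every identity reads every known id; a 200 on a foreign id is a BOLA finding,
    and any 200 body carrying a denylisted field is an exposure finding."""
    all_ids = set().union(*ownership.values())
    findings: List[str] = []
    for caller, owned in ownership.items():
        for oid in sorted(all_ids):
            status, body = api(caller, oid)
            if status != 200:
                continue
            if oid not in owned:
                findings.append(f"BOLA: {caller} read object {oid}")
            leaked = SENSITIVE_FIELDS & set(body or {})
            if leaked:
                msg = f"EXPOSURE: object {oid} returned {sorted(leaked)}"
                if msg not in findings:  # report each exposed object once
                    findings.append(msg)
    return findings

# Constructed stubs standing in for the endpoint under test.
STORE = {1: {"id": 1, "name": "A", "passport_scan": "<scan>"},
         2: {"id": 2, "name": "B", "passport_scan": "<scan>"}}
OWNER = {1: "alice", 2: "bob"}

def stub_vulnerable_api(caller: str, oid: int) -> Tuple[int, Optional[dict]]:
    # Looks up by id only and ignores the caller, which is the defect the FIA report describes.
    rec = STORE.get(oid)
    return (200, rec) if rec else (404, None)

def stub_fixed_api(caller: str, oid: int) -> Tuple[int, Optional[dict]]:
    if OWNER.get(oid) != caller:
        return 404, None
    return 200, {k: STORE[oid][k] for k in ("id", "name")}
```

Wired into CI with a non-empty findings list failing the build, a check of this shape catches the regression the moment a handler stops consulting the caller's identity, rather than at the next annual engagement.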

Conclusion: Build Security Like You Build Software

Security incidents, such as the FIA vulnerability, are preventable. They’re not about bad intent—they’re about missing guardrails. Just as physical barriers and chicanes are introduced on a racetrack to manage speed and prevent catastrophic accidents, automated security measures must be built into the API life cycle to make sure that minor mistakes do not lead to major (security) crashes.

Equixly’s mission is to make those guardrails automatic, consistent, and scalable.

By combining continuous API discovery, automated security testing, and real-time validation, organizations can eliminate vulnerabilities before they reach production—and before they make headlines.

Book a demo: See how Equixly helps security and development teams prevent API vulnerabilities like this one.

FAQs

What caused the Formula 1 (FIA) API vulnerability?

It was caused by insecure access controls in a public-facing API that allowed unauthorized access to driver data through ID enumeration.

How could automated API security testing have prevented this?

Automated, continuous testing would have detected the broken authorization and data exposure issues during development, that is, before the system went live.

What is the main lesson for security and DevOps teams?

API security must be continuous, automated, and integrated into the development process from the very outset.

Zoran Gorgiev

Technical Content Specialist

Zoran is a technical content specialist with SEO mastery and practical cybersecurity and web technologies knowledge. He has rich international experience in content and product marketing, helping both small companies and large corporations implement effective content strategies and attain their marketing objectives. He applies his philosophical background to his writing to create intellectually stimulating content. Zoran is an avid learner who believes in continuous learning and never-ending skill polishing.