Over the July 4th weekend, on the eve of the Austrian Grand Prix, racing fans worldwide received some very odd push notifications from the official Formula 1 app. Apparently, these notifications are linked to a targeted cyberattack.
Users received two messages. The first simply read “foo”, which is a placeholder name for program elements often used by programmers when sharing sample code with their peers. Although it was strange, the message was hardly considered alarming.
The second text was a bit more startling: “Hmmmm, I should check my security.. 🙂”
Image Source: The Register
As reported by Forbes, it appears that the pair of unauthorized messages was the extent of the attack. According to an F1 spokesperson, their investigation confirms that this targeted attack was limited to the Push Notifications Service.
Formula 1 statement pic.twitter.com/L1LEwb1Ifc
— The Official F1® Help Channel (@F1Help) July 4, 2021
Although the statement should be reassuring to F1 app users, it’s possible that something shadier is actually happening. There is the possibility that a threat actor was looking for entry points into more sensitive systems.
The other option would be that a white hat hacker was looking for vulnerabilities. Nevertheless, as Lee Mathews reports, the target would have received some sort of notification so that any vulnerabilities that were found could be addressed before they were exploited by threat actors.
Recently, push notifications have proved a problem for some of the higher-profile services, including video slinger HBO Max who sent out an “Integration Test Email” notification just last month. The email sent by HBO was delivered through Sendgrid, a popular email marketing platform used by many companies, and it was likely a marketing test that got blasted out to all registered HBO Max accounts by mistake.
In the case of Formula 1, the company appears to have been the victim of miscreants prodding the outfit’s defenses, which could be anything from a vulnerable service to a poorly secured device.
F1 and users of the F1 mobile app are fortunate that there weren’t any cryptocurrency scams, phishing attacks, or malicious links involved.