The official Formula One app was the subject of a targeted hack after users received a series of bizarre push notifications.
Users of the app were made aware of the hack after receiving two messages. The first one simply read “foo” – a term generally used in coding as a placeholder value, especially when sharing code with other programmers.
The second message provided users with a little more clarity: “Hmmmm, I should check my security.. :)”
In comments to US sports broadcaster ESPN, Formula One confirmed that hackers were able to briefly gain control of the app and send out two push notifications.
“Our investigation confirms that this targeted attack was limited to the Push Notifications Service,” a Formula One statement reads.
“We will continue to investigate, review and improve safety measures but, at this time, have no reason to believe that any customer data has been accessed during this incident.”
The organisation added that it has no reason to believe that the hackers were able to compromise user data.
The exact nature of the hack has yet to be determined. Two possibilities are that it was perpetrated by malicious actors probing the app for points of entry, or by white hat hackers checking it for vulnerabilities. At any rate, organised cybercriminals would be highly unlikely to announce their presence before they had been able to access something of value, in this case, most likely user data.
The messages were sent over the weekend of July 3rd and 4th, which coincided with US Independence Day.
While the Formula One app hack seems to have been largely limited, the security ramifications could potentially be serious. Fake and hacked apps provide a vector for hackers to hijack other apps, or even a user’s phone.
For example, a fake version of popular social media app Clubhouse was found earlier this year to spread malware that scraped login details from a victim’s phone.
A similar app, this time a fake Netflix content enabler, would hijack a user’s WhatsApp account, and use the messaging app to send autoreplies to spread itself further.