I Could've Rickrolled the FIFA World Cup. All I Needed Was My ID

Original link: https://bobdahacker.com/blog/fifa-hack

A security researcher discovered a critical vulnerability in FIFA's digital infrastructure during the 2026 World Cup that allowed unauthorized access to sensitive production-grade streaming control systems. Simply by registering as a football agent on a public FIFA platform, the researcher was added to FIFA's internal Microsoft Entra tenant. Because of a flaw in backend security (the system relied on client-side permission checks rather than server-side enforcement), the researcher bypassed the access restrictions of FIFA's Football Data Platform. Once inside, they gained control over live match signals, including the ability to start, stop and hijack RTMP streams via exposed keys. They also accessed the real-time commentary dashboard, editorial systems and internal spreadsheets. Despite the severity of the findings, because FIFA provided no security contact channel, the researcher was forced to contact MediaKind, CISA and the FBI to alert the authorities. The issue was fixed within 24 hours, but FIFA never responded to the report or to the researcher. The incident highlights a fundamental absence of backend authorization and underscores the need for FIFA to establish a proper vulnerability disclosure program (VDP) for an event of this global scale.

Security researcher "BobDaHacker" recently found a critical vulnerability in FIFA's agent platform that could have let an attacker hijack live broadcasts of the 2026 World Cup. By registering on the public portal with a personal ID, the researcher obtained access to FIFA's Microsoft Entra tenant. Because of a poorly designed security architecture, specifically an Angular application that validated user roles only on the client, the backend exposed sensitive API endpoints. These included the RTMP ingest addresses and stream keys for every live camera, as well as the ability to modify official match data, commentator notes and the live scoring system. The researcher confirmed the severity of the vulnerability by successfully accessing a live feed with VLC. Had it been exploited maliciously, an attacker could have replaced the worldwide television broadcast with arbitrary content. The discussion on Hacker News highlighted the absurdity of such a huge oversight; developer Zach Holman noted that he had a similar experience with FIFA's 2022 systems, where a security flaw existed but, instead of a formal reward, he was met with a cold shoulder.

Original text

They fixed it without ever responding to me. I had to call FIFA, MediaKind, HBS, CISA, and the FBI at 3am Tokyo time just to get someone to listen. This is that story.

It Started With a Football Agent Registration

So FIFA has this thing called the FIFA Agent Platform. It's a public portal where you can register to become a licensed football agent. You submit your ID, verify your email, and you're in. Simple enough.

What I didn't expect was what happened next.

When you register on agents.fifa.org, FIFA adds your account to their Microsoft Entra tenant (formerly Azure AD). That's the same tenant that powers all of FIFA's internal platforms. And I mean all of them.

My first two attempts actually failed because the lighting on my ID photos wasn't good enough:

[Image: FIFA registration failed]
"Registration failed during the last step of checking your identification." - apparently FIFA has higher standards for my selfie than my actual security

But the third attempt went through. And I received this beautiful email:

[Image: FIFA FAP confirmation email]
Subject line: "FIFA - FAP - CONFIRMATION". Yes, FIFA's Agent Platform is officially called FAP. I cannot make this up. FAP CONFIRMATION. Moving on.

The "Access Denied" That Wasn't

After registration, I tried navigating to fdp.fifa.org - FIFA's Football Data Platform. The app authenticated me through the shared Entra tenant, checked my roles, found I had none, and showed me:

"Sorry, you do not have any FIFA Football Data Platform role assigned to your account."

Looks like it works, right? Access denied. Go away. Nothing to see here.

Except this was all client-side. The Angular app checked the JWT for a NO_ROLES marker and rendered the access-denied page. The backend APIs? They didn't check anything. They just served whatever you asked for.

Welcome to the Streaming Management Panel

After bypassing the client-side guards, I landed on the Streaming Management panel. And my jaw hit the floor.

[Image: Streaming Management panel showing all World Cup matches]
Every single FIFA World Cup 2026 match. With streaming controls.

This wasn't some dev environment. This wasn't test data. This was the live production Streaming Management panel for the FIFA World Cup 2026. Every match. Every camera angle. Every RTMP ingest URL. Every stream key.

Let me expand one of those matches so you can see what I mean:

[Image: Expanded match showing all five camera RTMP URLs]
Five camera angles per match: PGM, Tactical, Camera1, High Behind Left, High Behind Right

Each match had five camera feeds, each with:

  • An RTMP ingest URL (where the camera sends video TO)
  • A preview manifest (where you can WATCH the feed)
  • An output URL (the HLS manifest that goes to broadcast partners)

The RTMP ingest URLs looked like this:

rtmp://in-6c81fc99-513f-4c76-82c2-877e0b93f2ea.westeurope.streaming.mediakind.com:1935/96886a14-9987-420f-814c-2f7cec5408ae

That UUID at the end? 96886a14-9987-420f-814c-2f7cec5408ae. That's the stream key (not a real one). It's shared across all five camera angles for the same match. One key to rule them all.

The streaming infrastructure is hosted on MediaKind, FIFA's streaming technology partner. These are production endpoints. The same ones receiving live camera feeds from stadiums across the US, Mexico, and Canada.

I Opened VLC. It Was Live.

I had to confirm the preview manifests actually worked. So I copied one into VLC.

[Image: VLC playing a live World Cup tactical camera feed]
That's a live tactical camera feed from an active FIFA World Cup 2026 match. Playing in VLC. On my PC. In Tokyo.

I closed it immediately. But the damage was done (to my brain). Those preview URLs serve live video. During active matches. To anyone with the URL.

I Could Have Stopped the Streams

It wasn't just read access. The Streaming Management panel had full controls. Start, stop, schedule. For every match. Every camera angle.

[Image: Stream control confirmation dialog]
One click. That's all it would take to kill a live World Cup camera feed.

I did not touch any of these controls. But they were there. Functional. Waiting for anyone with a NO_ROLES account to press them.

The Nuclear Option

Let me spell out what this means.

Those RTMP ingest URLs are the literal pipe from the stadium cameras to FIFA's broadcast distribution chain. Camera -> RTMP ingest -> MediaKind -> broadcast partners -> your TV.

If an attacker pushed video to one of those RTMP endpoints with the stream key (which is RIGHT THERE in the URL), they would replace the camera feed. The PGM (Program) feed is the main broadcast output. Replace that, and every TV network receiving the FIFA feed shows whatever you pushed.

The stream key is shared across all five camera angles per match. A single attacker could hijack every camera simultaneously.

An attacker could have rickrolled the entire FIFA World Cup. Or played Subway Surfers gameplay. Live. On every TV network worldwide. During an active match.

I did not test this. I did not push anything to any RTMP endpoint. But the infrastructure was wide open.

But Wait, There's More

The Streaming Management panel wasn't the only thing exposed. My NO_ROLES account had access to the entire platform.

[Image: FDP navigation showing full access]
Competitions, Matches, Teams, Tools, Exchange Platform, Analysis Dashboard, Commentator Information System, FIFA AI Pro, Admin. All accessible.

The platform also had a full live match dashboard with an embedded video player, real-time event timeline, and match officials data:

[Image: FDP match overview with live video]
Côte d'Ivoire vs Ecuador, live. Embedded video feed, yellow card timeline, match officials. The "LIVE" badge isn't decorative.

Advanced Analytics (Live Match)

[Image: Advanced Analytics showing live possession and attempt data]
Live possession control, attempt creation breakdowns, ball recovery timing, distance covered, and FIFA AI Pro integration

Match Management (Write Access)

Here's where it gets worse. The Management tab on fdp.fifa.org has write operations. And the backend accepts them from a NO_ROLES account.

[Image: Update Live Stats modal with Edit and Publish button]
"Update Live Stats" with a rich text editor, match time, match score fields, and an "Edit and Publish" button

[Image: Match management buttons]
Attendance, Possession, Post Match Statistics, Team Registration Statistics, Analysis Finished, Score and Statistics, Adjust Kick-off Moment, Performance Data, Send Tactical Lineup, Event Ingress Details

An attacker could:

  • Modify editorial commentary notes and publish them to broadcast systems
  • Adjust the official kick-off moment
  • Send tactical lineup data
  • Change scores and match statistics

This data feeds into the Commentator Information System and gets displayed on live television.

The Commentator Information System

cis.fifa.org was also accessible with the NO_ROLES account. This is the real-time dashboard that broadcast commentators use during live matches.

[Image: CIS main dashboard]
The FIFA World Cup 2026 dashboard. Live scores, upcoming matches, results.

[Image: CIS live match view]
Côte d'Ivoire vs Ecuador, 75th minute. Full tactical view with player positions, formations, live stats, substitution timeline, and squad data.

When a commentator says "fun fact, Enner Valencia at 36 years and 222 days is the oldest outfield player to make a FIFA World Cup appearance for Ecuador" - this is where that comes from. My account could see every editorial note, every pre-match stats kit, every talking point prepared for every match.

The Exposed Dev Environment

As a bonus, I also found an Azure Function App at xxxxxxxxx-spreadsheets-api.azurewebsites.net that returned metadata and direct Azure Blob Storage download URLs for 23 internal FIFA files.

{
    "Size": 10,
    "Skip": 0,
    "Total": 23,
    "Items": [
        {
            "Name": "00_TransferCount_in_ENGLISH.xlsx",
            "BlobPath": "https://xxxxxxxxx.blob.core.windows.net/spreadsheet-storage/00_TransferCount_in_ENGLISH.xlsx"
        },
        {
            "Name": "0_pending_transfers_example.xlsx",
            "BlobPath": "https://xxxxxxxxx.blob.core.windows.net/..."
        },
        {
            "Name": "Debbie.xlsx",
            "BlobPath": "https://xxxxxxxxx.blob.core.windows.net/..."
        }
    ]
}

Transfer reports, revenue comparisons, board-level representation data, referee and coach statistics. And whatever Debbie.xlsx is. All accessible with zero role checks.

The Absolute Nightmare of Reporting This

OK so I found all of this while the World Cup was underway. Matches are happening. The RTMP URLs are active. Stream keys are exposed. And FIFA has no bug bounty program, no security.txt, and no published security contact.

What followed was the most stressful night of my life.

Attempt 1: Email

I fired off the full disclosure to every FIFA email I could find or guess:

[email protected], [email protected], [email protected], [email protected], and some employee emails.

Five of them bounced. The rest went into the void. No response.

Attempt 2: WhatsApp

I found Sebastian Runge (Head of Football Technology & Data at FIFA, 14 years at the org) on LinkedIn. His phone number was listed. I WhatsApped him. No response.

Attempt 3: FIFA HQ Phone

Called +41 43 222 7777. Closed. It was Sunday evening in Zurich.

Attempt 4: The FIFA Media Line

Called +41 43 222 7272. Also closed.

Attempt 5: The Dallas Convention Center

The IBC (International Broadcast Centre) is at the Kay Bailey Hutchison Convention Center in Dallas. I called +1 (214) 939-2700. Got voicemail. Left a message.

Attempt 6: MediaKind

This was the breakthrough. I called MediaKind's toll-free line +1 833 211 8472. Someone picked up. They understood the issue immediately. They asked me to email the details with the stream keys as proof. I did.

Attempt 7: HBS (Host Broadcast Services)

Called +41 41 726 0090. They said they didn't have anyone who could help and hung up. Called back. No answer.

Attempt 8: Infront Sports & Media

Called +41 41 723 15 15 (HBS's parent company). No answer.

Attempt 9: CISA

Here's where things got interesting. I discovered that CISA (Cybersecurity and Infrastructure Security Agency) is the federal lead on cybersecurity for the FIFA World Cup 2026, including broadcast systems. I called their 24/7 operations center at +1 888 282 0870.

They picked up. They listened. They asked me to email the details. I did.

Attempt 10: The FBI

I have existing contacts at the FBI from previous cybersecurity work. I messaged them on Signal. They responded, said they had contacts and needed to package it the right way.

The Timeline

When       What
---------  ------------------------------------------------------------------------
Night      Found the Streaming Management panel. Jaw hits floor.
Night      Opened preview manifest in VLC. Confirmed live. Closed immediately.
Night      Sent disclosure email to 10+ FIFA addresses. 5 bounced.
Night      WhatsApped Sebastian Runge.
Night      Called FIFA Zurich. Closed. Called FIFA Media line. Closed.
Night      Called Dallas Convention Center. Voicemail.
Night      Called MediaKind. Someone answered. Sent full report with stream keys.
Night      Called HBS. They hung up. Called back. No answer.
Night      Called CISA 24/7 line. They listened. Sent report.
Night      Messaged FBI contacts on Signal. They responded.
Next day   Vulnerability fixed. No response from FIFA.

The Root Cause

The whole thing boils down to one architectural mistake: client-side authorization with no server-side enforcement.

FIFA's internal applications use Microsoft Entra for authentication and role-based access control. The Angular/React/Vue frontends check the JWT token for role claims and render access-denied pages accordingly. But the backend APIs trust any authenticated tenant member and serve data regardless of roles.

The attack chain:

  1. Register on agents.fifa.org (public)
  2. Get added to FIFA's Entra tenant
  3. Authenticate against any FIFA internal app
  4. Client says "access denied"
  5. Server says "here's everything"

This pattern affected at least:

  • fdp.fifa.org (Football Data Platform)
  • cis.fifa.org (Commentator Information System)
  • xxxxxxxxx-spreadsheets-api.azurewebsites.net (dev environment)

And potentially others using the same tenant.

The Fix

Sometime between my reports and the next morning, the vulnerability was patched. My NO_ROLES account returns 403 responses from the server, not just the client.

FIFA never responded. Not to acknowledge the report. Not to say thank you. Not to discuss compensation. Nothing.

But they did leave me on the FDP email distribution list. I'm still receiving official FIFA World Cup 2026 match documents: Start Lists, Tactical Lineups, Full Time Match Reports. All sent from [email protected]. In four languages.

To FIFA

You fixed it fast. Credit where it's due. But:

  • Get a security.txt file. Seriously. It's 2026.
  • Publish a VDP (Vulnerability Disclosure Policy). You're running the biggest sporting event on earth.
  • Client-side authorization is not authorization. Every intern learns this.
  • When a researcher has to call CISA and the FBI to reach you, something is wrong.
  • Hire me (just kidding... unless?)

So long and thanks for all the Fish :3


Still think about those RTMP stream keys sometimes. Somewhere in a parallel universe, billions of people are watching Subway Surfers gameplay during the World Cup final. All it took was an ID.
