29 comments

[ 3.3 ms ] story [ 50.0 ms ] thread
Registered on FIFA's public Agent Platform with my ID, got added to their Microsoft Entra tenant, and found the Angular app only checked roles client-side. The backend APIs served everything: RTMP ingest URLs and stream keys for every live World Cup 2026 camera feed across all five angles. Confirmed live in VLC. An attacker could have pushed arbitrary video to the ingest endpoints and replaced broadcast feeds on TV worldwide. Write access to match stats, commentator notes, and the live score system was also exposed.
(comment deleted)
How could that possibly, ever have made it through. Every single API for every single service didn't check the JWT?
Really amusing to read this one. I did something similar for Qatar 2022 and got access to roster submission (https://zachholman.com/posts/hacking-fifa). To their credit they patched it pretty quickly, but their promised "token of appreciation" never came. (Although on the other hand, they didn't sue me, so I guess that's a win.)
Awesome read! Congratulations on discovering this and reporting. Hope you get something back from FIFA. This could've lead to some huge disaster if it failed under the wrong hands.

Love your writing skills as well!

> I closed it immediately. But the damage was done (to my brain).

Laughed so hard when I read this one :D

Holy crap. Had to pick my jaw up off the floor. I hope you get some kind of acknowledgement or bounty for this. Kudos for having the willpower to resist sending a message to millions of people and sparking a global phenomenon!
> Replace that, and every TV network receiving the FIFA feed shows whatever you pushed.

Holy shit, Rickrolling is among the more harmless things you could have done with that.

Great article! You must be pretty confident to click the "stop streaming" button without knowing whether a confirmation modal will pop up or not
Clearly a big f-up by FIFA on what looks like quite a tidy platform otherwise.

One question though, how do you know your feed would kick off the 'real' feed if you pushed to RTMP, does it just take the most recent connection as live? Does the protocol have a mechanism for dealing with multiple people pushing to the same endpoint? There maybe more checking on that endpoint and if course I'm sure most live broadcasters would have a live director to cut any feeds at their end if a dodgy feed popped up too.

A huge vulnerability nonetheless and a great write up!

Please stop using AI to write for you, it ruins what is otherwise a fascinating story, and on reflection I struggle to trust it.

If you used AI to generate the blog post, did you use AI to generate the screenshots and story?

(comment deleted)
I don't understand why people obsess over LLM(AI)format. The content is interesting, but they dismiss it just because the format is an issue. All of this content is worth reading and is good. And it's about security.
> Client says "access denied"

> Server says "here's everything"

hahahaha

> Hire me (just kidding... unless?)

FIFA is a legendarily awful organization. In my weaker moments reading your piece I thought to myself how nice it would have been if someone more ruthless than you had been made an example of them.

You hit the jackpot on security research, but you cannot take like an hour or two to at least get rid of the AI smell? Please do use AI, nothing against that, all I'm saying is please, please don't deliver this weirdness:

> I did not touch any of these controls. But they were there. Functional.

I really needed to push myself to read because it was very interesting and thank you, for doing the work and sharing.

That was really cool! It was one of the impressive exploit i have ever read about. I really hope they give you something in return for your service, at the very least a thank you.
This is honestly one of the only instances where I am like "you're an idiot for reporting this". The amount of reach, provided the feeds can indeed be overriden, is absolutely insane. Paired with how shitty of an org FIFA is, I personally would have just leaked this.
This happens more often than you would think.

During COVID, lots of live shows (concerts, etc.) in Japan moved to streaming (and most of them stuck, so thanks to that, lots of large concerts today have real-time streaming, which is great for foreign fans).

Out of 10+ platforms, more than half have vulnerabilities that allow you to access the content freely (sometimes including the rehearsals, because they are also streamed internally), and on a handful, you can access the admin panel and, as the author said, stream whatever you want.

Most of them have been patched over the years (some are just the byproduct of them changing the backend/SaaS provider, though), but there remain some major providers where you can get content for free.

> FIFA never responded. Not to acknowledge the report. Not to say thank you. Not to discuss compensation. Nothing.

If this is true, why help them if they do not take their own security seriously, especially if they have vibe-coded their auth backend server?

(comment deleted)
Do you know these feeds actually go to broadcasters? They could be internal feeds for refs, match review, head office monitoring, etc.

The broadcast contribution feeds I’ve seen in the past are MPEG-TS, not via RTMP.

Still a great find.

you're right, it's not the international signals, but internal distribution only
I'll write a full article in a year or two, but here's the short version: some weeks ago, as I was looking for job offers, I found one that was interesting. As I didn't knew the company, I wanted to do my due diligence and check them out. I open the website and find a ClickFix (the "prove you're not a bot" type) attack on their main page.

I spent over 2 hours and a small (but bigger than 0) amount of my own money to report the issue by emailing and even trying to call them (they didn't have any dedicated responsible disclosure page or contact). After some time, they finally answered my emails, took down the website and "fixed" the issue.

When I finally applied for the role, got ghosted for a week and only after I wrote them again, asking for an update, I got rejected as they allegedly were looking for someone more junior - though the job title was explicitly "Senior XXX Lead".

Some years ago, I went to interview (in person) at a big European financial institution. As I got there around lunchtime, I happened to get to the front door at the same time as some employees were returning from lunch who, very kindly, held the door open for me.

I was in their office around their computers, unsupervised and unaccompanied, for 10-15 minutes, enough time to plant some O.MG USB-C cables.

During the interview, I had a chance to talk to the CTO and told them what happened and how I was allowed access in the office, and immediately saw his face change and quickly change topic, and end the interview.

Unsurprisingly, I didn't get the job - I should have probably kept my mouth shut.

JWTs strike again.

encrypted cookies still work & they're stateless. & yeah you can pass cookies between servers & also server - S.P.A.

to BoBDaHacker - great research but slow down on the a.i writing.

> They understood the issue immediately.

I'm guessing this is not the first time this happened to them.