⚽ New Blog Post: I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.

Registered on FIFA's public Agent Platform, got added to their Entra tenant, and accessed the Streaming Management panel for every live World Cup 2026 match. RTMP ingest URLs, stream keys, all five camera angles. Confirmed live in VLC. An attacker could have replaced live camera feeds on TV worldwide.

Full writeup: https://bobdahacker.com/blog/fifa-hack

#InfoSec #BugBounty #ResponsibleDisclosure #FIFA #WorldCup #Security #CyberSecurity #RTMP #BrokenAccessControl

How I found that anyone could register on FIFA's public Agent Platform, gain access to the Football Data Platform's Streaming Management panel, and get RTMP ingest URLs and stream keys for every live FIFA World Cup 2026 camera feed. I then spent hours calling FIFA, MediaKind, HBS, CISA, and the FBI trying to get someone to pick up the phone.

@bobdahacker It doesn't make sense that these are supposed to be the TV broadcast streams.
On every comparable event those feeds never touch the public internet. I would think that the stadiums are connected to the broadcast center via dark fiber or something similar. Same with the connection to the national broadcasters (although some connections still go out via satellite).
@n I get the skepticism, but the PGM feed I pulled up in VLC was the full broadcast output with FIFA's graphics overlay, scoreboard, match clock, everything. That's not a low-quality ancillary feed for agents to watch. And MediaKind is literally a broadcast distribution platform; that's their entire product. The RTMP ingest goes into MediaKind and then gets packaged out to broadcast partners via HLS and other protocols. The stadiums don't need dark fiber directly to every national broadcaster; that's what MediaKind is for. It sits between the stadium feeds and the TV networks. That is the product. That's what they do.