⚽ New Blog Post: I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.

Registered on FIFA's public Agent Platform, got added to their Entra tenant, and accessed the Streaming Management panel for every live World Cup 2026 match. RTMP ingest URLs, stream keys, all five camera angles. Confirmed live in VLC. An attacker could have replaced live camera feeds on TV worldwide.

Full writeup: https://bobdahacker.com/blog/fifa-hack

#InfoSec #BugBounty #ResponsibleDisclosure #FIFA #WorldCup #Security #CyberSecurity #RTMP #BrokenAccessControl

I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.

How I found that anyone could register on FIFA's public Agent Platform, gain access to the Football Data Platform's Streaming Management panel, and get RTMP ingest URLs and stream keys for every live FIFA World Cup 2026 camera feed. I then spent hours calling FIFA, MediaKind, HBS, CISA, and the FBI trying to get someone to pick up the phone.

@bobdahacker I'm sure they're sending out more than five camera angles.
It's a 4K production with Dolby Atmos etc. Do you really think that they use RTMP streams, encoded with something like H.264 or H.265, sent to some random Azure box?
That is all very unlikely. It looks to me that these are lower quality ancillary cameras and feeds, exclusively for that Agent Portal.
@n There are definitely more than five camera angles at the stadium, I never said there weren't. Most of the cameras aren't even owned by FIFA, they're operated by broadcast partners. These five on the Streaming Management panel are FIFA's own cameras. Four of them (Tactical, Camera1, High Behind Left, High Behind Right) are cameras FIFA can move, and the PGM feed is the one where they switch between cameras at will and add the broadcast graphics overlay. All five had RTMP ingest URLs on the panel. Also RTMP supports 4K just fine, Enhanced RTMP handles H.265/HEVC. There's no resolution cap on the protocol.
@bobdahacker Yes, I am aware, but it just doesn't look like actual broadcast infrastructure.
@n
Fair enough, we can agree to disagree. But MediaKind literally describes itself as providing "end-to-end video delivery solutions" for "broadcasters" running on "cloud-native solutions" (MediaKind). Their broadcast page says they deliver "thousands of live events and billions of streams every year" (MediaKind). The NBA literally invested in MediaKind because they power NBA League Pass streaming (The Sports Playmaker). This is what they do. They sit between live event production and distribution to viewers and TV networks. It doesn't have to "look like" traditional broadcast infrastructure because cloud-based distribution is how this stuff works now. The IBC article you linked kind of proves my point, the people there are producing the PGM feed, switching cameras, adding graphics, managing scores. That produced output has to go somewhere for distribution, and that's what MediaKind handles.