Hacker News
by BobDaHacker 4 days ago
Registered on FIFA's public Agent Platform with my ID, got added to their Microsoft Entra tenant, and found the Angular app only checked roles client-side. The backend APIs served everything: RTMP ingest URLs and stream keys for every live World Cup 2026 camera feed across all five angles. Confirmed live in VLC. An attacker could have pushed arbitrary video to the ingest endpoints and replaced broadcast feeds on TV worldwide. Write access to match stats, commentator notes, and the live score system was also exposed.
3 comments

As someone who also wears a security hat from time to time, regarding dev best practices: that is a very common failure in SPAs, client-side-only validation.

There is always some fun in showing teams how easy it is to bypass with a plain browser and the developer tools window open.
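The failure the comment above describes, as an added illustration that is not part of the thread or of any FIFA code: a client-side route guard that reads the role from browser state (trivially edited in devtools), a backend that only authenticates, and the hardened backend that authorizes from its own session store. Every name here (session tokens, roles, the `x-role` header, the stream inventory) is a constructed placeholder.

```javascript
// Constructed, in-memory model of client-side-only role checks in an SPA.
// No real endpoints, roles, or keys appear here; all names are illustrative.

// Server-side session store: the only source of truth for who a caller is.
// (Constructed sample data; tokens are opaque placeholders.)
const SESSIONS = new Map([
  ["tok-agent-001", { user: "agent@example.test", roles: ["agent"] }],
  ["tok-ops-001", { user: "ops@example.test", roles: ["broadcast-ops"] }],
]);

// Constructed sample of the sensitive resource the backend is supposed to protect.
const STREAM_INVENTORY = [
  { camera: "cam-1", ingest: "rtmp://ingest.example.test/live", key: "FAKE-KEY-1" },
  { camera: "cam-2", ingest: "rtmp://ingest.example.test/live", key: "FAKE-KEY-2" },
];

// --- Client side (what an Angular route guard effectively does) ------------
// The guard reads the role from client state. Anyone can edit that state in
// the browser's developer tools, so this is a UX convenience, not a control.
function clientRouteGuard(clientState) {
  return clientState.roles.includes("broadcast-ops");
}

// --- Backend, vulnerable variant -------------------------------------------
// Authenticates (is the session valid?) but never authorizes (is this role
// allowed to see stream keys?). Every logged-in user gets the inventory.
function streamsHandlerVulnerable(req) {
  const session = SESSIONS.get(req.token);
  if (!session) return { status: 401, body: "unauthenticated" };
  return { status: 200, body: STREAM_INVENTORY };
}

// --- Backend, hardened variant ---------------------------------------------
// The authorization decision uses only server-held session data. Any role the
// client sends in headers or body (req.headers["x-role"] here) is ignored.
function requireRole(session, role) {
  return session.roles.includes(role);
}

function streamsHandlerHardened(req) {
  const session = SESSIONS.get(req.token);
  if (!session) return { status: 401, body: "unauthenticated" };
  if (!requireRole(session, "broadcast-ops")) return { status: 403, body: "forbidden" };
  return { status: 200, body: STREAM_INVENTORY };
}

// --- Walkthrough: bypass the client guard, then hit a backend --------------
// Returns the backend's response so the two variants can be compared.
function simulateBypass(handler) {
  // Legitimate client state for an ordinary agent account.
  const clientState = { roles: ["agent"] };
  // Attacker edits in-memory state from the devtools console.
  clientState.roles.push("broadcast-ops");
  if (!clientRouteGuard(clientState)) throw new Error("guard should now pass");
  // The request still carries the real agent token, plus a forged role claim
  // that a correct backend must not trust.
  return handler({ token: "tok-agent-001", headers: { "x-role": "broadcast-ops" } });
}

// Stand-alone run: show that bypassing the guard only matters if the
// backend fails to make its own decision.
console.log("vulnerable backend:", simulateBypass(streamsHandlerVulnerable).status);
console.log("hardened backend:  ", simulateBypass(streamsHandlerHardened).status);
```

The check to run against any SPA is the one `simulateBypass` performs: replay the API call with a low-privilege token and no client code in the loop (curl, the devtools network tab, or a proxy). If the response depends on anything the client can edit, the control lives in the wrong place.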

Could have made a killing off of Polymarket and rickrolled FTW.
Given that they had to hand over their identity to get access, seems like a 1-way ticket to prison (assuming FIFA logs events like that, which honestly I’m not so sure about anymore).
> Hire me (just kidding... unless?)

Would you really want to work for one of the world’s most notoriously corrupt organizations?

I am not much of a football gal myself, so I didn't know they were a shitty org.
I don't follow football in the slightest, but these have been major media stories. See: https://en.wikipedia.org/wiki/2015_FIFA_corruption_case

Not saying "you should have heard of it", just giving info.

The US DOJ investigation found over $150 million in bribes and kickbacks over two decades. This led to dozens of criminal indictments, and ongoing legal battles over the recovery of stolen funds.

But maybe they've resolved that now and are a changed organization? Oh wait, this is the organization that made up a "peace prize" to give to a certain Donald Trump, to make up for the Nobel committee's completely inexplicable refusal to award their Peace Prize to the guy who started a pointless war with Iran that plunged the world into economic chaos. It'd be hilarious, if it weren't so sleazy, sad, and depressing.

Long story short, if FIFA offered you a cybersecurity job tomorrow, you should do a lot of due diligence before accepting.