by srmarm 5 days ago
Clearly a big f-up by FIFA on what looks like quite a tidy platform otherwise.

One question though, how do you know your feed would kick off the 'real' feed if you pushed to RTMP, does it just take the most recent connection as live? Does the protocol have a mechanism for dealing with multiple people pushing to the same endpoint? There may be more checking on that endpoint and of course I'm sure most live broadcasters would have a live director to cut any feeds at their end if a dodgy feed popped up too.

A huge vulnerability nonetheless and a great write up!


Good question! So RTMP doesn't really have a clean way to handle two publishers on the same stream key. What would actually happen is the two streams fighting for the ingest endpoint, so the output would glitch between the two sources. Like if I pushed Subway Surfers gameplay it'd be flickering between the actual match and Subway Surfers with the audio cutting back and forth. You're right that a live director would catch it pretty fast but even a few seconds of that on air during a World Cup match is not great.

How do you know that you can even write to any of those fields? You didn't try it, so maybe there is a JWT role check in the backend on POST and PUT.

That's a different thing. RTMP ingest endpoints aren't behind the same API layer, they're just open media endpoints that accept a connection if you have the stream key. The stream key was right there in the URL. There's no JWT involved in pushing video to an RTMP ingest, it's just connect and publish.
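
Added example, not part of the thread or of the platform it discusses: a sketch of the check an ingest operator could run before accepting a publish, so that a static stream key is not the only control and a second publisher is refused instead of fighting the first. It assumes the ingest server calls a publish-authorization hook (nginx-rtmp's `on_publish` is one such mechanism); `PublishGate`, `mint_token` and the secret are hypothetical names and constructed values.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed value; use a secret store in practice


def mint_token(stream, expires, secret=SECRET):
    """Issue a short-lived publish token bound to one stream name."""
    msg = f"{stream}:{expires}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


class PublishGate:
    """Hypothetical hook logic: decide whether a publish attempt may proceed."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.active = {}  # stream name -> address of the current publisher

    def on_publish(self, stream, token, addr, now=None):
        now = time.time() if now is None else now
        try:
            expires_s, mac = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return (False, "malformed token")
        expected = mint_token(stream, expires, self.secret).split(".", 1)[1]
        # Compare as bytes in constant time; the token is attacker-controlled input.
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return (False, "bad signature")
        if expires < now:
            return (False, "token expired")
        if stream in self.active:
            # Refuse a second publisher rather than let two sources alternate.
            return (False, f"already published from {self.active[stream]}")
        self.active[stream] = addr
        return (True, "ok")

    def on_publish_done(self, stream):
        """Release the lock when the publisher disconnects."""
        self.active.pop(stream, None)
```

A valid token still works for anyone who obtains it before expiry, so it should be short-lived and kept out of URLs that reach clients.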