{"slug": "i-could-ve-rickrolled-the-fifa-world-cup-all-i-needed-was-my-id", "title": "I Could've Rickrolled the FIFA World Cup. All I Needed Was My ID", "summary": "A security researcher discovered that registering as a football agent on FIFA's public portal granted access to the production streaming management panel for the 2026 World Cup, including live camera feeds and stream controls, due to client-side access controls that were not enforced on backend APIs. The researcher could view and potentially disrupt live match streams, and reported the issue to FIFA, MediaKind, CISA, and the FBI.", "body_md": "*They fixed it without ever responding to me. I had to call FIFA, MediaKind, HBS, CISA, and the FBI at 3am Tokyo time just to get someone to listen. This is that story.*\n\n## It Started With a Football Agent Registration\n\nSo FIFA has this thing called the [FIFA Agent Platform](https://agents.fifa.org). It's a public portal where you can register to become a licensed football agent. You submit your ID, verify your email, and you're in. Simple enough.\n\nWhat I didn't expect was what happened next.\n\nWhen you register on agents.fifa.org, FIFA adds your account to their Microsoft Entra tenant (formerly Azure AD). That's the same tenant that powers **all** of FIFA's internal platforms. And I mean all of them.\n\nMy first two attempts actually failed because the lighting on my ID photos wasn't good enough:\n\n*\"Registration failed during the last step of checking your identification.\" - apparently FIFA has higher standards for my selfie than my actual security*\n\nBut the third attempt went through. And I received this beautiful email:\n\n*Subject line: \"FIFA - FAP - CONFIRMATION\". Yes, FIFA's Agent Platform is officially called FAP. I cannot make this up. FAP CONFIRMATION. Moving on.*\n\n## The \"Access Denied\" That Wasn't\n\nAfter registration, I tried navigating to `fdp.fifa.org` - FIFA's Football Data Platform. 
The app authenticated me through the shared Entra tenant, checked my roles, found I had none, and showed me:\n\n*\"Sorry, you do not have any FIFA Football Data Platform role assigned to your account.\"*\n\nLooks like it works, right? Access denied. Go away. Nothing to see here.\n\nExcept this was all **client-side**. The Angular app checked the JWT for a `NO_ROLES` marker and rendered the access-denied page. The backend APIs? They didn't check anything. They just served whatever you asked for.\n\n## Welcome to the Streaming Management Panel\n\nAfter bypassing the client-side guards, I landed on the Streaming Management panel. And my jaw hit the floor.\n\n*Every single FIFA World Cup 2026 match. With streaming controls.*\n\nThis wasn't some dev environment. This wasn't test data. This was the **live production Streaming Management panel** for the FIFA World Cup 2026. Every match. Every camera angle. Every RTMP ingest URL. Every stream key.\n\nLet me expand one of those matches so you can see what I mean:\n\n*Five camera angles per match: PGM, Tactical, Camera1, High Behind Left, High Behind Right*\n\nEach match had five camera feeds, each with:\n\n- An **RTMP ingest URL** (where the camera sends video TO)\n- A **preview manifest** (where you can WATCH the feed)\n- An **output URL** (the HLS manifest that goes to broadcast partners)\n\nThe RTMP ingest URLs looked like this:\n\n```\nrtmp://in-6c81fc99-513f-4c76-82c2-877e0b93f2ea.westeurope.streaming.mediakind.com:1935/96886a14-9987-420f-814c-2f7cec5408ae\n```\n\nThat UUID at the end? `96886a14-9987-420f-814c-2f7cec5408ae`. That's the **stream key** (not a real one). It's shared across all five camera angles for the same match. One key to rule them all.\n\nThe streaming infrastructure is hosted on [MediaKind](https://mediakind.com), FIFA's streaming technology partner. These are production endpoints. The same ones receiving live camera feeds from stadiums across the US, Mexico, and Canada.\n\n## I Opened VLC. 
It Was Live.\n\nI had to confirm the preview manifests actually worked. So I copied one into VLC.\n\n*That's a live tactical camera feed from an active FIFA World Cup 2026 match. Playing in VLC. On my PC. In Tokyo.*\n\nI closed it immediately. But the damage was done (to my brain). Those preview URLs serve live video. During active matches. To anyone with the URL.\n\n## I Could Have Stopped the Streams\n\nIt wasn't just read access. The Streaming Management panel had full controls. Start, stop, schedule. For every match. Every camera angle.\n\n*One click. That's all it would take to kill a live World Cup camera feed.*\n\nI did not touch any of these controls. But they were there. Functional. Waiting for anyone with a NO_ROLES account to press them.\n\n## The Nuclear Option\n\nLet me spell out what this means.\n\nThose RTMP ingest URLs are the literal pipe from the stadium cameras to FIFA's broadcast distribution chain. Camera -> RTMP ingest -> MediaKind -> broadcast partners -> your TV.\n\nIf an attacker pushed video to one of those RTMP endpoints with the stream key (which is RIGHT THERE in the URL), they would **replace the camera feed**. The PGM (Program) feed is the main broadcast output. Replace that, and every TV network receiving the FIFA feed shows whatever you pushed.\n\nThe stream key is shared across all five camera angles per match. A single attacker could hijack every camera simultaneously.\n\nAn attacker could have rickrolled the entire FIFA World Cup. Or played Subway Surfers gameplay. Live. On every TV network worldwide. During an active match.\n\nI did not test this. I did not push anything to any RTMP endpoint. But the infrastructure was wide open.\n\n## But Wait, There's More\n\nThe Streaming Management panel wasn't the only thing exposed. My NO_ROLES account had access to the entire platform.\n\n*Competitions, Matches, Teams, Tools, Exchange Platform, Analysis Dashboard, Commentator Information System, FIFA AI Pro, Admin. 
All accessible.*\n\nThe platform also had a full live match dashboard with an embedded video player, real-time event timeline, and match officials data:\n\n*Côte d'Ivoire vs Ecuador, live. Embedded video feed, yellow card timeline, match officials. The \"LIVE\" badge isn't decorative.*\n\n### Advanced Analytics (Live Match)\n\n*Live possession control, attempt creation breakdowns, ball recovery timing, distance covered, and FIFA AI Pro integration*\n\n### Match Management (Write Access)\n\nHere's where it gets worse. The Management tab on fdp.fifa.org has write operations. And the backend accepts them from a NO_ROLES account.\n\n*\"Update Live Stats\" with a rich text editor, match time, match score fields, and an \"Edit and Publish\" button*\n\n*Attendance, Possession, Post Match Statistics, Team Registration Statistics, Analysis Finished, Score and Statistics, Adjust Kick-off Moment, Performance Data, Send Tactical Lineup, Event Ingress Details*\n\nAn attacker could:\n\n- Modify editorial commentary notes and publish them to broadcast systems\n- Adjust the official kick-off moment\n- Send tactical lineup data\n- Change scores and match statistics\n\nThis data feeds into the Commentator Information System and gets displayed on live television.\n\n## The Commentator Information System\n\n`cis.fifa.org` was also accessible with the NO_ROLES account. This is the real-time dashboard that broadcast commentators use during live matches.\n\n*The FIFA World Cup 2026 dashboard. Live scores, upcoming matches, results.*\n\n*Côte d'Ivoire vs Ecuador, 75th minute. Full tactical view with player positions, formations, live stats, substitution timeline, and squad data.*\n\nWhen a commentator says \"fun fact, Enner Valencia at 36 years and 222 days is the oldest outfield player to make a FIFA World Cup appearance for Ecuador\" - this is where that comes from. 
My account could see every editorial note, every pre-match stats kit, every talking point prepared for every match.\n\n## The Exposed Dev Environment\n\nAs a bonus, I also found an Azure Function App at `xxxxxxxxx-spreadsheets-api.azurewebsites.net` that returned metadata and direct Azure Blob Storage download URLs for 23 internal FIFA files.\n\n```\n{\n    \"Size\": 10,\n    \"Skip\": 0,\n    \"Total\": 23,\n    \"Items\": [\n        {\n            \"Name\": \"00_TransferCount_in_ENGLISH.xlsx\",\n            \"BlobPath\": \"https://xxxxxxxxx.blob.core.windows.net/spreadsheet-storage/00_TransferCount_in_ENGLISH.xlsx\"\n        },\n        {\n            \"Name\": \"0_pending_transfers_example.xlsx\",\n            \"BlobPath\": \"https://xxxxxxxxx.blob.core.windows.net/...\"\n        },\n        {\n            \"Name\": \"Debbie.xlsx\",\n            \"BlobPath\": \"https://xxxxxxxxx.blob.core.windows.net/...\"\n        }\n    ]\n}\n```\n\nTransfer reports, revenue comparisons, board-level representation data, referee and coach statistics. And whatever Debbie.xlsx is. All accessible with zero role checks.\n\n## The Absolute Nightmare of Reporting This\n\nOK so I found all of this while the World Cup was underway. Matches are happening. The RTMP URLs are active. Stream keys are exposed. And FIFA has no bug bounty program, no security.txt, and no published security contact.\n\nWhat followed was the most stressful night of my life.\n\n### Attempt 1: Email\n\nI fired off the full disclosure to every FIFA email I could find or guess, plus some employee emails.\n\nFive of them bounced. The rest went into the void. No response.\n\n### Attempt 2: WhatsApp\n\nI found Sebastian Runge (Head of Football Technology & Data at FIFA, 14 years at the org) on LinkedIn. 
His phone number was listed. I WhatsApped him. No response.\n\n### Attempt 3: FIFA HQ Phone\n\nCalled `+41 43 222 7777`. Closed. It was Sunday evening in Zurich.\n\n### Attempt 4: The FIFA Media Line\n\nCalled `+41 43 222 7272`. Also closed.\n\n### Attempt 5: The Dallas Convention Center\n\nThe IBC (International Broadcast Centre) is at the Kay Bailey Hutchison Convention Center in Dallas. I called `+1 (214) 939-2700`. Got voicemail. Left a message.\n\n### Attempt 6: MediaKind\n\nThis was the breakthrough. I called MediaKind's toll-free line `+1 833 211 8472`. Someone picked up. They understood the issue immediately. They asked me to email the details with the stream keys as proof. I did.\n\n### Attempt 7: HBS (Host Broadcast Services)\n\nCalled `+41 41 726 0090`. They said they didn't have anyone who could help and hung up. Called back. No answer.\n\n### Attempt 8: Infront Sports & Media\n\nCalled `+41 41 723 15 15` (HBS's parent company). No answer.\n\n### Attempt 9: CISA\n\nHere's where things got interesting. I discovered that CISA (Cybersecurity and Infrastructure Security Agency) is the **federal lead on cybersecurity for the FIFA World Cup 2026**, including broadcast systems. I called their 24/7 operations center at `+1 888 282 0870`.\n\nThey picked up. They listened. They asked me to email the details. I did.\n\n### Attempt 10: The FBI\n\nI have existing contacts at the FBI from previous cybersecurity work. I messaged them on Signal. They responded, said they had contacts and needed to package it the right way.\n\n### The Timeline\n\n| When | What |\n|---|---|\n| Night | Found the Streaming Management panel. Jaw hits floor. |\n| Night | Opened preview manifest in VLC. Confirmed live. Closed immediately. |\n| Night | Sent disclosure email to 10+ FIFA addresses. 5 bounced. |\n| Night | WhatsApped Sebastian Runge. |\n| Night | Called FIFA Zurich. Closed. Called FIFA Media line. Closed. |\n| Night | Called Dallas Convention Center. 
Voicemail. |\n| Night | Called MediaKind. Someone answered. Sent full report with stream keys. |\n| Night | Called HBS. They hung up. Called back. No answer. |\n| Night | Called CISA 24/7 line. They listened. Sent report. |\n| Night | Messaged FBI contacts on Signal. They responded. |\n| Next day | Vulnerability fixed. No response from FIFA. |\n\n## The Root Cause\n\nThe whole thing boils down to one architectural mistake: **client-side authorization with no server-side enforcement**.\n\nFIFA's internal applications use Microsoft Entra for authentication and role-based access control. The Angular/React/Vue frontends check the JWT token for role claims and render access-denied pages accordingly. But the backend APIs trust any authenticated tenant member and serve data regardless of roles.\n\nThe attack chain:\n\n- Register on agents.fifa.org (public)\n- Get added to FIFA's Entra tenant\n- Authenticate against any FIFA internal app\n- Client says \"access denied\"\n- Server says \"here's everything\"\n\nThis pattern affected at least:\n\n- **fdp.fifa.org** (Football Data Platform)\n- **cis.fifa.org** (Commentator Information System)\n- **xxxxxxxxx-spreadsheets-api.azurewebsites.net** (dev environment)\n\nAnd potentially others using the same tenant.\n\n## The Fix\n\nSometime between my reports and the next morning, the vulnerability was patched. My NO_ROLES account returns 403 responses from the server, not just the client.\n\nFIFA never responded. Not to acknowledge the report. Not to say thank you. Not to discuss compensation. Nothing.\n\nBut they did leave me on the FDP email distribution list. I'm still receiving official FIFA World Cup 2026 match documents: Start Lists, Tactical Lineups, Full Time Match Reports. All sent from the same official address. In four languages.\n\n## To FIFA\n\nYou fixed it fast. Credit where it's due. But:\n\n- Get a security.txt file. Seriously. It's 2026.\n- Publish a VDP (Vulnerability Disclosure Policy). 
You're running the biggest sporting event on earth.\n- Client-side authorization is not authorization. Every intern learns this.\n- When a researcher has to call CISA and the FBI to reach you, something is wrong.\n- Hire me (just kidding... unless?)\n\nSo long and thanks for all the Fish :3\n\n*Still think about those RTMP stream keys sometimes. Somewhere in a parallel universe, billions of people are watching Subway Surfers gameplay during the World Cup final. All it took was an ID.*", "url": "https://wpnews.pro/news/i-could-ve-rickrolled-the-fifa-world-cup-all-i-needed-was-my-id", "canonical_source": "https://bobdahacker.com/blog/fifa-hack", "published_at": "2026-06-16 05:23:42+00:00", "updated_at": "2026-06-16 05:48:46.018651+00:00", "lang": "en", "topics": ["ai-safety"], "entities": ["FIFA", "MediaKind", "CISA", "FBI", "Microsoft Entra", "VLC", "World Cup 2026"], "alternates": {"html": "https://wpnews.pro/news/i-could-ve-rickrolled-the-fifa-world-cup-all-i-needed-was-my-id", "markdown": "https://wpnews.pro/news/i-could-ve-rickrolled-the-fifa-world-cup-all-i-needed-was-my-id.md", "text": "https://wpnews.pro/news/i-could-ve-rickrolled-the-fifa-world-cup-all-i-needed-was-my-id.txt", "jsonld": "https://wpnews.pro/news/i-could-ve-rickrolled-the-fifa-world-cup-all-i-needed-was-my-id.jsonld"}}