I Could've Rickrolled the FIFA World Cup. All I Needed Was My ID
6 hours ago
- #FIFA
- #vulnerability
- #cybersecurity
- A security researcher discovered critical vulnerabilities in FIFA's internal systems after registering as an agent on the FIFA Agent Platform (FAP).
- Upon registration, the researcher gained access to FIFA's Microsoft Entra tenant, which is shared across all FIFA platforms, despite having no assigned roles.
- The researcher bypassed client-side authorization checks and accessed the live Streaming Management panel for FIFA World Cup 2026 matches, exposing RTMP ingest URLs and stream keys.
- Anyone holding these RTMP ingest URLs and stream keys could have pushed their own video into the live camera feeds, which could have disrupted global broadcasts during matches.
- Other accessible systems included the Football Data Platform (FDP), Commentator Information System (CIS), and an exposed Azure Function App with internal documents.
- The researcher attempted to report the vulnerabilities through multiple channels but received no response from FIFA, eventually contacting MediaKind, CISA, and the FBI.
- The vulnerabilities were fixed the next day without any acknowledgment from FIFA, highlighting the absence of a working disclosure process and a reliance on client-side authorization checks that the server never enforced.
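The core defect in the summary above is an API that treats membership in a shared identity tenant as sufficient and leaves the "you are not allowed to see this panel" decision to the browser. The following is an added illustration, not code from the article or from any FIFA system: a hypothetical stream-management lookup in its vulnerable form beside a hardened form that makes the authorization decision server-side from an explicit application role. The tenant name, role name, stream records and stream keys are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed placeholders: a tenant identifier, an app role name and one stream record.
APP_TENANT = "tenant-example"
REQUIRED_ROLE = "Streaming.Admin"
STREAMS: Dict[str, Dict[str, str]] = {
    "match-001": {
        "ingest_url": "rtmp://ingest.example.invalid/live",
        "stream_key": "PLACEHOLDER-STREAM-KEY-001",
    },
}


@dataclass(frozen=True)
class Principal:
    """Claims the server extracts from an already-validated identity token."""
    subject: str
    tenant_id: str
    roles: frozenset = frozenset()


class Forbidden(Exception):
    pass


def vulnerable_get_stream(principal: Principal, stream_id: str) -> Dict[str, str]:
    # Anti-pattern: the only check is "are you signed in to our tenant?".
    # The UI may hide the panel from users without a role, but the API hands
    # the ingest URL and stream key to any tenant member who calls it directly.
    if principal.tenant_id != APP_TENANT:
        raise Forbidden("wrong tenant")
    return STREAMS[stream_id]


def hardened_get_stream(principal: Principal, stream_id: str, audit: List[str]) -> Dict[str, str]:
    # Server-side authorization: tenant membership alone is not enough; the
    # caller must carry an explicit application role, and every decision is logged
    # so a roleless account probing the endpoint shows up in detection.
    if principal.tenant_id != APP_TENANT or REQUIRED_ROLE not in principal.roles:
        audit.append(
            f"DENY sub={principal.subject} tenant={principal.tenant_id} "
            f"stream={stream_id} roles={sorted(principal.roles)}"
        )
        raise Forbidden(f"missing role {REQUIRED_ROLE}")
    if stream_id not in STREAMS:
        audit.append(f"DENY sub={principal.subject} stream={stream_id} reason=unknown-stream")
        raise KeyError(stream_id)
    audit.append(f"ALLOW sub={principal.subject} stream={stream_id}")
    return STREAMS[stream_id]


def compare(principal: Principal, stream_id: str = "match-001") -> Dict[str, object]:
    """Run both variants for one caller and report whether each leaked the stream key."""
    audit: List[str] = []
    result: Dict[str, object] = {"audit": audit}
    try:
        result["vulnerable_leaks_key"] = "stream_key" in vulnerable_get_stream(principal, stream_id)
    except Forbidden:
        result["vulnerable_leaks_key"] = False
    try:
        result["hardened_leaks_key"] = "stream_key" in hardened_get_stream(principal, stream_id, audit)
    except Forbidden:
        result["hardened_leaks_key"] = False
    return result


if __name__ == "__main__":
    # A freshly registered account: valid tenant sign-in, no assigned roles.
    roleless = Principal(subject="new-agent", tenant_id=APP_TENANT)
    # An operator who was explicitly granted the streaming role.
    operator = Principal(subject="ops-1", tenant_id=APP_TENANT, roles=frozenset({REQUIRED_ROLE}))
    for who in (roleless, operator):
        outcome = compare(who)
        print(who.subject, outcome["vulnerable_leaks_key"], outcome["hardened_leaks_key"])
        for line in outcome["audit"]:
            print("  ", line)
```

The design point is that the hardened version never consults what the client claims it is allowed to see; the role comes from the token the server validated, and the deny path is logged so that a newly registered, roleless account calling the endpoint becomes a detectable event rather than a silent data exposure.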