FIFA's World Cup Streams Were One ID Registration from Hijack

bobdahacker.com · @systems_wire · 3 hours ago · Cybersecurity · 5 comments

A football agent registration portal granted live production streaming controls for every 2026 World Cup match, with no backend authentication on the APIs.

Tags: fifa, bobdahacker, microsoft entra, mediakind, world cup 2026, security vulnerability

Register a football agent account on agents.fifa.org and you get dropped into the same Microsoft Entra tenant that powers every internal FIFA platform. BobDaHacker did exactly that and found himself staring at the live production Streaming Management panel for the entire 2026 World Cup. No phish, no exploit, no zero-day. Just an ID photo that passed FIFA's "high standards for my selfie."

Client-Side Guards, No Backend Teeth

The Angular app at fdp.fifa.org checked the JWT for a NO_ROLES marker and rendered an "Access Denied" page. Classic client-side authorization that the backend never enforced. BobDaHacker bypassed the frontend and the APIs happily served up whatever he asked for. The Streaming Management panel appeared with every match, camera angle, RTMP ingest URL, and stream key.

Each match had five camera feeds: PGM (main broadcast), Tactical, Camera1, High Behind Left, High Behind Right. Each feed had an RTMP ingest URL, a preview manifest, and an output HLS manifest for broadcast partners. The stream key was a UUID shared across all five angles for the same match.

Live Video, No Auth Required

BobDaHacker copied a preview manifest into VLC and saw a live tactical camera feed from an active World Cup 2026 match. He closed it immediately. Those preview URLs serve live video to anyone who has them. The backend never asked who you were.

But it gets worse. The panel had full controls: start, stop, schedule for every match and every camera angle. One click could kill a live feed. And because the RTMP ingest URLs are the literal pipe from stadium cameras to MediaKind's streaming infrastructure, an attacker could push arbitrary video to those endpoints using the stream key embedded in the URL. Replace the PGM feed and every TV network receiving the FIFA feed would show your content. Rickroll the World Cup. Subway Surfers. Whatever.

Beyond Streaming: Write Access to Match Management

The same NO_ROLES account had access to the entire fdp.fifa.org platform: Competitions, Matches, Teams, Tools, Exchange Platform, Analysis Dashboard, Commentator Information System, FIFA AI Pro, Admin. The Management tab had write operations that the backend accepted without checking roles. Fields like "Update Live Stats" with a rich text editor, match time, score. The platform had a live match dashboard with embedded video, real-time event timeline, and match officials data.

BobDaHacker called FIFA, MediaKind, HBS, CISA, and the FBI at 3am Tokyo time just to get someone to listen. They fixed it without ever responding to him. The fix closed the door, but the lesson is clear: if your SSO tenant leaks guest accounts into production, client-side role checks are theater. The backend must enforce authorization, every time.
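The failure described above in both the Streaming Management panel and the Match Management write operations is the same one: the Angular frontend decided what to render from a NO_ROLES claim, and the backend served whatever the API was asked for. The following is an added example, not code from BobDaHacker's write-up and not FIFA's or MediaKind's code, showing a backend request handler that trusts the frontend's decision beside one that enforces authorization itself, deny by default. The route names, role names ("Streaming.Read", "Streaming.Control", "Match.Write"), tokens and stream records are constructed for the example; signature verification of the token is assumed to have happened earlier and is omitted so the block runs offline.

```python
import base64
import json

# Constructed sample data standing in for what the streaming API returned.
# The ingest URL and key are placeholders, not real FIFA or MediaKind values.
STREAMS = [
    {"match": "MATCH-001", "angle": "PGM",
     "ingest": "rtmp://ingest.example/live/STREAM-KEY-PLACEHOLDER"},
    {"match": "MATCH-001", "angle": "Tactical",
     "ingest": "rtmp://ingest.example/live/STREAM-KEY-PLACEHOLDER"},
]

# Which application role each sensitive route requires. Route and role names
# are assumptions for this example, not the real platform's role catalogue.
REQUIRED_ROLE = {
    "GET /api/streams": "Streaming.Read",
    "POST /api/streams/stop": "Streaming.Control",
    "POST /api/matches/stats": "Match.Write",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped token with a placeholder signature segment.
    Constructed for this example only; a real backend must verify the
    signature against the tenant's published keys before trusting any claim."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.SIGNATURE-PLACEHOLDER"


def decode_claims(token: str) -> dict:
    """Return the payload claims. Signature verification is assumed to have
    already happened upstream (omitted here to keep the example offline)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def vulnerable_handler(route: str, token: str) -> dict:
    """'Before': the backend assumes the frontend already showed 'Access Denied'
    to NO_ROLES users, so any authenticated tenant principal gets the data."""
    claims = decode_claims(token)
    if not claims.get("sub"):
        return {"status": 401, "body": None}
    if route not in REQUIRED_ROLE:
        return {"status": 404, "body": None}
    return {"status": 200, "body": STREAMS}


def hardened_handler(route: str, token: str) -> dict:
    """'After': deny by default. The route's required role must be present in
    the token's roles claim, and a NO_ROLES marker is never sufficient."""
    claims = decode_claims(token)
    if not claims.get("sub"):
        return {"status": 401, "body": None}
    required = REQUIRED_ROLE.get(route)
    if required is None:
        return {"status": 404, "body": None}
    roles = claims.get("roles")
    if not isinstance(roles, list) or "NO_ROLES" in roles or required not in roles:
        # Record the refusal: a guest principal collecting 403s across
        # management routes is the detection signal that someone went
        # around the frontend and is calling the API directly.
        print(f"AUTHZ-DENY sub={claims.get('sub')} route={route} roles={roles}")
        return {"status": 403, "body": {"error": "forbidden"}}
    return {"status": 200, "body": STREAMS}


# Constructed tokens: a freshly registered agent (guest) and a media operator.
GUEST_TOKEN = make_sample_token({"sub": "agent-guest-1", "roles": ["NO_ROLES"]})
OPERATOR_TOKEN = make_sample_token(
    {"sub": "ops-user-7", "roles": ["Streaming.Read", "Streaming.Control"]})

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler),
                          ("hardened", hardened_handler)):
        for who, tok in (("guest", GUEST_TOKEN), ("operator", OPERATOR_TOKEN)):
            print(name, who, handler("POST /api/streams/stop", tok)["status"])
```

The hardened handler keeps the role-to-route map on the server and fails closed when a route is not listed, so adding a new management endpoint without an entry yields 404 rather than silently open access. The operator token above carries streaming roles but not "Match.Write", so the same handler refuses it on the stats route; the role check is per route, not per tenant membership.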


Source: I Could've Rickrolled the FIFA World Cup. All I Needed Was My ID
Domain: bobdahacker.com
