Bug in FIFA World Cup internal system gave anyone ability to modify TV stream


A security researcher said she was able to access several internal FIFA platforms due to a simple security flaw, which allowed her to watch and have full control of the TV stream of every World Cup game.

The researcher, who goes by BobDaHacker, said she simply registered as a player agent on FIFA’s official agent registration platform. With that account, and because a flaw in FIFA’s back-end API meant it never checked whether a user actually had the proper authorization for what it requested, she was able to access several internal FIFA platforms.

This included the system that allows broadcasters to control what gets displayed on people’s TVs across the world, and what gets displayed on commentators’ screens as they narrate the match, per the researcher.
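The flaw described above is a missing authorization check: the API confirmed that a caller was logged in, but not that the account was entitled to the internal system it asked for, so a self-registered agent account reached broadcast controls. The following is an added example, not code from FIFA or from the researcher's post, showing the weak pattern beside a hardened one and a small log audit that a defender could run after a fix. The endpoint paths, role names and account ids are constructed for illustration and are not FIFA's.

```python
"""Authentication without authorization, and the fix.

Constructed example: the endpoints, roles and accounts below are
illustrative placeholders, not FIFA's real platform.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: frozenset  # roles granted at registration, e.g. {"agent"}


# Constructed entitlement table: the role each internal endpoint requires.
REQUIRED_ROLE = {
    "/agents/profile": "agent",
    "/broadcast/feed-control": "broadcast_ops",
    "/broadcast/commentator-screen": "broadcast_ops",
}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def handle_vulnerable(session, path):
    """'Before': any logged-in account reaches any endpoint (the flaw in the story)."""
    if session is None:
        raise Unauthenticated(path)
    return f"200 OK {path}"


def handle_hardened(session, path):
    """'After': authenticate, then check the caller's role against the endpoint.

    Fails closed: an endpoint missing from the table is denied too.
    """
    if session is None:
        raise Unauthenticated(path)
    required = REQUIRED_ROLE.get(path)
    if required is None or required not in session.roles:
        raise Forbidden(f"{session.user_id} lacks role {required!r} for {path}")
    return f"200 OK {path}"


def probe(handler, session, path):
    """Normalise a handler's outcome to 'allowed' or 'denied' for comparison."""
    try:
        handler(session, path)
        return "allowed"
    except (Unauthenticated, Forbidden):
        return "denied"


# Constructed accounts: a self-registered agent and a broadcast operator.
AGENT = Session("agent-0001", frozenset({"agent"}))
OPS = Session("ops-0001", frozenset({"broadcast_ops"}))


def audit(handler, session=AGENT):
    """Which endpoints does this account reach under the given handler?"""
    return {path: probe(handler, session, path) for path in REQUIRED_ROLE}


# Constructed access-log records: (user_id, role, path, HTTP status).
ACCESS_LOG = [
    ("agent-0001", "agent", "/agents/profile", 200),
    ("agent-0001", "agent", "/broadcast/feed-control", 200),
    ("ops-0001", "broadcast_ops", "/broadcast/feed-control", 200),
]


def find_privilege_violations(log):
    """Retrospective check: successful requests the caller's role should not permit."""
    return [
        (user, path)
        for user, role, path, status in log
        if status == 200 and REQUIRED_ROLE.get(path) != role
    ]


if __name__ == "__main__":
    print("vulnerable:", audit(handle_vulnerable))
    print("hardened:  ", audit(handle_hardened))
    print("violations:", find_privilege_violations(ACCESS_LOG))
```

The point of `find_privilege_violations` is that the same entitlement table used to enforce access can be replayed over historical access logs to find out whether the gap was ever used before it was closed.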

“A single attacker could hijack every camera simultaneously. An attacker could have rickrolled the entire FIFA World Cup,” BobDaHacker wrote in a blog post published on Tuesday.

BobDaHacker reported the flaw on Tuesday night Japan time, and FIFA fixed the issue a few hours later, without ever acknowledging the researcher’s report. FIFA did not immediately respond to TechCrunch’s request for comment.