I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID

They fixed it without ever responding to me. I had to call FIFA, MediaKind, HBS, CISA, and the FBI at 3am Tokyo time just to get someone to listen. This is that story.

It Started With a Football Agent Registration

So FIFA has this thing called the FIFA Agent Platform. It’s a public portal where you can register to become a licensed football agent. You submit your ID, verify your email, and you’re in. Simple enough. What I didn’t expect was what happened next.

When you register on agents.fifa.org, FIFA adds your account to their Microsoft Entra tenant (formerly Azure AD). That’s the same tenant that powers all of FIFA’s internal platforms. And I mean all of them.

My first two attempts actually failed because the lighting on my ID photos wasn’t good enough: “Registration failed during the last step of checking your identification.” Apparently FIFA has higher standards for my selfie than for my actual security.

But the third attempt went through. And I received this beautiful email: Subject line: “FIFA - FAP - CONFIRMATION”. Yes, FIFA’s Agent Platform is officially called FAP. I cannot make this up. FAP CONFIRMATION. Moving on.

The “Access Denied” That Wasn’t

After registration, I tried navigating to fdp.fifa.org - FIFA’s Football Data Platform. The app authenticated me through the shared Entra tenant, checked my roles, found I had none, and showed me: “Sorry, you do not have any FIFA Football Data Platform role assigned to your account.”

Looks like it works, right? Access denied. Go away. Nothing to see here. Except the check was entirely client-side. The Angular app looked for a NO_ROLES marker in the JWT and rendered the access-denied page. The backend APIs? They didn’t check anything. They just served whatever you asked for, to any account that could authenticate against the tenant.

Welcome to the Streaming Management Panel

After bypassing the client-side guards, I landed on the Streaming Management panel. And my jaw hit the floor. Every single FIFA World Cup 2026 match. With streaming controls. This wasn’t some dev environment. This wasn’t test data. This was the live production Streaming Management panel for the FIFA World Cup 2026. Every match. Every camera angle. Every RTMP ingest URL. Every stream key.

Let me expand one of those matches so you can see what I mean. Each match has five camera angles: PGM, Tactical, Camera1, High Behind Left, High Behind Right. Each of those five feeds comes with three URLs: an RTMP ingest URL (where the camera sends video to), a preview manifest (where you can watch the feed), and an output URL (the HLS manifest that goes to broadcast partners).

The RTMP ingest URLs looked like this: rtmp://in-6c81fc99-513f-4c76-82c2-877e0b93f2ea.westeurope.streaming.mediakind.com:1935/96886a14-9987-420f-814c-2f7cec5408ae. That UUID at the end? 96886a14-9987-420f-814c-2f7cec5408ae. That’s the stream key (the value shown here is not a real one). It’s shared across all five camera angles for the same match. One key to rule them all.

The streaming infrastructure is hosted on MediaKind, FIFA’s streaming technology partner. These are production endpoints. The same ones receiving live camera feeds from stadiums across the US, Mexico, and Canada.

I Opened VLC. It Was Live.

I had to confirm the preview manifests actually worked. So I copied one into VLC. That’s a live tactical camera feed from an active FIFA World Cup 2026 match. Playing in VLC. On my PC. In Tokyo. I closed it immediately. But the damage was done (to my brain). Those preview URLs serve live video. During active matches. To anyone with the URL.

I Could Have Stopped the Streams

It wasn’t just read access. The Streaming Management panel had full controls. Start, stop, schedule. For every match. Every camera angle. One click. That’s all it would take to kill a live World Cup camera feed. I did not touch any of these controls. But they were there. Functional. Waiting for anyone with a NO_ROLES account to press them.

The Nuclear Option

Let me spell out what this means. Those RTMP ingest URLs are the literal pipe from the stadium cameras to FIFA’s broadcast distribution chain. Camera -> RTMP ingest -> MediaKind -> broadcast partners -> your TV. If an attacker pushed video to one of those RTMP endpoints with the stream key (which is RIGHT THERE in the URL), they would replace the camera feed.

The PGM (Program) feed is the main broadcast output. Replace that, and every TV network receiving the FIFA feed shows whatever you pushed. The stream key is shared across all five camera angles per match. A single attacker could hijack every camera simultaneously. An attacker could have rickrolled the entire FIFA World Cup. Or played Subway Surfers gameplay. Live. On every TV network worldwide. During an active match. I did not test this. I did not push anything to any RTMP endpoint. But the infrastructure was wide open.

But Wait, There’s More

The Streaming Management panel wasn’t the only thing exposed. My NO_ROLES account had access to the entire platform. Competitions, Matches, Teams, Tools, Exchange Platform, Analysis Dashboard, Commentator Information System, FIFA AI Pro, Admin. All accessible.

The platform also had a full live match dashboard with an embedded video player, real-time event timeline, and match officials data: Côte d’Ivoire vs Ecuador, live. Embedded video feed, yellow card timeline, match officials. The “LIVE” badge isn’t decorative.

Advanced Analytics (Live Match): Live possession control, attempt creation breakdowns, ball recovery timing, distance covered, and FIFA AI Pro integration.

Match Management (Write Access): Here’s where it gets worse. The Management tab on fdp.fifa.org has write operations. And the backend accepts them from a NO_ROLES account. “Update Live Stats” with a rich text editor, match time, match score fields, and an “Edit and Publish” button. Attendance, Possession, Post Match Statistics, Team Registration Statistics, Analysis Finished, Score and Statistics, Adjust Kick-off Moment, Performance Data, Send Tactical Lineup, Event Ingress Details. An attacker could: Modify editorial commentary notes and pub…