I Could've Rickrolled the FIFA World Cup. All I Needed Was My ID

Posted by BobDaHacker 1 day ago


Comments

Comment by albertgoeswoof 1 day ago

Please stop using AI to write for you, it ruins what is otherwise a fascinating story, and on reflection I struggle to trust it.

If you used AI to generate the blog post, did you use AI to generate the screenshots and story?

Comment by alexhans 1 day ago

Agreed. The post looks great. The story is great but the AI style in this case does distract.

I'm not against using AI for writing at all but you want to be careful that the output doesn't contain too much of this noise over signal type of wording that repeats and wants to just sell you something.

Comment by robeym 21 hours ago

Unfortunate to see AI police as top comment on a good amusing post!

Comment by V__ 1 day ago

I am curious, what exactly triggers your AI senses in this post?

Comment by mdrzn 1 day ago

"This wasn't some dev environment. This wasn't test data."

It's not X, it's Y. And repetitions of three.

Comment by Abimelex 1 day ago

That's a literary style called anaphora. Some people learned this in school, so they can use it to emphasize something. IMHO this is not a strong sign of AI; in fact I think this text has no strong AI indicators.

Comment by tanseydavid 1 day ago

Thank you for speaking up -- I feel the same way.

Comment by sahildeepreel 22 hours ago

Agree, I don't think it was AI written, or at least it was written very well with AI.

I am usually able to pick up AI writing quickly but didn't feel it in this case.

Comment by joquarky 14 hours ago

Same, and I'm growing tired of the witch hunt comments derailing the topic.

For example, why is this thread the top thread in this post?

Comment by watwut 1 day ago

Something having a name is not a sign of not-AI. It is when it is in places for no reason other than to blow up the text length, as if a school kid was trying to make the text longer to fit the minimum amount of words.

Comment by a10c 1 day ago

You're right to call that out

Comment by dgellow 1 day ago

Also, “ What I didn't expect was what happened next.”

The Unicode arrows are also something Claude uses really often: “Camera -> RTMP ingest -> MediaKind -> broadcast partners -> your TV.”

And the table at the end is such a Claude thing.

The general style, a series of short sentences that feel like they are building up to a punchline, is what tells me it’s Claude, but the whole thing does stink of LLM generation.

Comment by luxcem 1 day ago

The table doesn't even add information; all but one cell share the same value for "When".

Comment by drra 1 day ago

I found myself writing exactly like this for a while after reading pages and pages of this special construct before my bs detector understood what it is...

Comment by bcraven 1 day ago

Gemini loves talking about "The Nuclear Option" too

Comment by BrandoElFollito 1 day ago

Ah la la, this is something I actually write sometimes. And em-dashes.

This hunt for AI is sometimes counterproductive

Comment by Aperocky 1 day ago

It's honestly unbelievable how people continue to paste stuff like this. Do they not know that credibility is lost instantly?

Comment by joquarky 14 hours ago

I love how in one post everyone piles on someone for using the word "retarded", meanwhile in another post someone with autism gets piled on for using AI for accessibility.

Comment by chadgpt3 1 day ago

[dead]

Comment by srdjanr 1 day ago

I don't mind it here at all; in fact I didn't even notice it's AI before reading this comment. It's clearly not one-shot AI slop but a well-thought-out post edited by a human.

Not everyone who has something interesting to say is a good writer, and I think it's great if AI can help them tell their stories.

Comment by sevenzero 1 day ago

I remember a frontpage post from like 2 days ago:

"If you want human attention show human effort" or something in that direction. I think this fits here just right.

Comment by gbalduzzi 1 day ago

I think in this case the human effort was put into the actual discovery, honestly I don't mind if AI helped him write the blog post if the result is enjoyable and not sloppy

Comment by BobDaHacker 1 day ago

Yeah I used Claude as a writing assistant for the initial draft. I'm autistic and long-form writing isn't my strong suit, getting a 4000 word blog post to flow well is genuinely hard for me. But I do edit it pretty heavily after, the voice and the jokes and the structure are mine, the AI just helps me get a baseline down so I'm not staring at a blank page. The research, the screenshots, the disclosure, that's all me. I've been doing this stuff for years.

Comment by tlogan 1 day ago

My opinion is that this is a great story.

But the haters are going to hate.

If you had not used AI to fix your post, I bet the top post will be complaining about your grammar.

Some people will always find something negative. Simple as that.

Comment by Aperocky 1 day ago

While I appreciate the positivity, I've honestly grown to appreciate grammar mistakes. Just as "it's not X, it's Y" indicates AI, those indicate that the effort behind it was human.

Honestly, no need to write 4000 words if the story can be told in 400. The story is what matters, not word count or "flow".

Comment by alexhans 1 day ago

I think the criticism is constructive. It's really not about hating. I'd wager many of the people who convey this criticism do use AI to aid their writing as well.

It's just that this one in particular lacks one more edit pass removing some of the AI noise on branding-speak and needless repetition (AI tends to list things and beat the point).

Comment by gspr 1 day ago

> If you had not used AI to fix your post, I bet the top post will be complaining about your grammar.

I'm positive that a post complaining about the grammar would've been (rightfully) downvoted to oblivion on this site.

Comment by maciekkmrk 1 day ago

I understand that it feels helpful but the post ends up repeating the same insight over and over. Reads very sloppy, while you wanted the opposite.

Comment by grayhatter 14 hours ago

> I'm autistic and long-form writing isn't my strong suit, getting a 4000 word blog post to flow well is genuinely hard for me.

I find the way I interact with the world is exceptionally different from the descriptions of everybody else. Some of the symptoms of such manifest as difficulty communicating... with most people.

There are a subset of people who I have not only no problem, but seemingly a drastically increased information exchange rate.

Do with that observation what you will, but I don't write for the lowest common denominator, the preferred style of AI, because I don't write for the people who can't be bothered to understand me. I'm writing for people like me.

n.b. Maybe you are writing for the lowest common denominator. In which case, say that: "Yeah I know it sounds like AI but it's supposed to be advertising, not a technical white paper or PoC"

> the AI just helps me get a baseline down so I'm not staring at a blank page.

If this was true, the top comment wouldn't be a complaint about how the voice of the article sounds "inauthentically human" or like an LLM. It's having a stronger influence on your writing than you're giving it credit for. It's on you to decide if or how much you care, but ideally you wouldn't be lying to either yourself or your readers.

Comment by robeym 21 hours ago

Great post. It was an amusing read, and quite the discovery! Good work, and great job documenting it.

Comment by smsm42 1 day ago

Understandable, but open disclosure would help. You of all people must know how hard it is to hide things from being discovered, and this is something that will be discovered without any doubt. Just explain it and most reasonable people will understand. Some won't but at least they will be honestly warned.

Comment by gspr 1 day ago

Don't take my criticism of AI writing as criticism of your work. This is stellar stuff! What I'm trying to say is I'd really like to hear it in your words.

I'm glad to hear the voice is yours, and I apologize for assuming it was the AI's.

Comment by bschwindHN 1 day ago

[dead]

Comment by nunez 20 hours ago

I got 100% Human on Pangram, so either they did the work to have their AI service pass this test, or...they actually wrote it.

Comment by pqs 1 day ago

These comments don't help much. AI is here, not everybody can write well, AI is gonna be used.

Comment by SXX 1 day ago

I'd wish we come to a day where people would just post the prompt. Then I can decide what story to generate from it.

Comment by Vinnl 1 day ago

I'm still planning to add an "AI-edited version" toggle to my blog. Not that it would do anything, because people wouldn't click it anyway.

Comment by patates 1 day ago

Look, I don't like to see a wall of AI slop as much as the next person (see: https://news.ycombinator.com/item?id=48551462), but "just post the prompt" is also too dismissive. The AI had access to information that we don't have, and all you see here is probably a compilation of multiple prompts, edits and various sources (like the author's notes) for context.

We can adjust our expectations for people to take some time to make the output theirs.

OTOH, and this is me arguing against myself, maybe this is not too different than the million web sites we saw using the unmodified default bootstrap theme.

I guess my opinions as well as the response of the community are still evolving.

Comment by TeMPOraL 1 day ago

- It's called "writing in bullet points"

- Normies frown upon it

Comment by watwut 1 day ago

They don't! Before AI, people complained about long emails and what not. They literally preferred to read short ones.

Comment by llbbdd 1 day ago

The problem is that people who are bad writers have trouble understanding that AI writes worse than they do

Comment by gbalduzzi 1 day ago

you clearly have never read a 1000 word text written by me (/s, but only partially)

Comment by dgellow 1 day ago

Honestly, I would prefer to read a long text from a human that is badly written than an LLM version. It’s fine to not write well.

Comment by gspr 1 day ago

> AI is here, not everybody can write well, AI is gonna be used.

I don't know about you, but I'd love to read a fascinating story written by a relatively poor writer. But if they can't be bothered to write, I assume the story can't be that good.

Comment by Oranguru 1 day ago

But this isn't a story, literature, or a fancy piece of art; it's merely a technical blog post that discloses a security vulnerability. Here, the writing serves only as a vehicle to convey a message. Once you've received it, its purpose has been fulfilled. I would agree with you if the writing were an important part of the message, but here it is not. Not everybody can write well, and this guy clearly had something to tell, and that is what matters.

Comment by gspr 1 day ago

> But this isn't a story, literature, or a fancy piece of art; it's merely a technical blog post that discloses a security vulnerability. Here, the writing serves only as a vehicle to convey a message. Once you've received it, its purpose has been fulfilled.

I disagree wholeheartedly. I'm not a machine. I'm a thinking, feeling, human being.

As a mathematician, I can certainly appreciate precise formulations. They have their place. But this is not that place.

> Not everybody can write well, and this guy clearly had something to tell, and that is what matters.

I'm saddened that he wouldn't tell it in his way. I'd much rather read his own (poorly written?) words.

Comment by holman 1 day ago

Really amusing to read this one. I did something similar for Qatar 2022 and got access to roster submission (https://zachholman.com/posts/hacking-fifa). To their credit they patched it pretty quickly, but their promised "token of appreciation" never came. (Although on the other hand, they didn't sue me, so I guess that's a win.)

Comment by tagyro 1 day ago

I'll write a full article in a year or two, but here's the short version: some weeks ago, as I was looking for job offers, I found one that was interesting. As I didn't know the company, I wanted to do my due diligence and check them out. I opened the website and found a ClickFix (the "prove you're not a bot" type) attack on their main page.

I spent over 2 hours and a small (but bigger than 0) amount of my own money to report the issue by emailing and even trying to call them (they didn't have any dedicated responsible disclosure page or contact). After some time, they finally answered my emails, took down the website and "fixed" the issue.

When I finally applied for the role, I got ghosted for a week, and only after I wrote them again asking for an update did I get rejected, as they allegedly were looking for someone more junior - though the job title was explicitly "Senior XXX Lead".

Some years ago, I went to interview (in person) at a big European financial institution. As I got there around lunchtime, I happened to get to the front door at the same time as some employees were returning from lunch who, very kindly, held the door open for me.

I was in their office around their computers, unsupervised and unaccompanied, for 10-15 minutes, enough time to plant some O.MG USB-C cables.

During the interview, I had a chance to talk to the CTO and told him what happened and how I was allowed access to the office, and immediately saw his face change; he quickly changed the topic and ended the interview.

Unsurprisingly, I didn't get the job - I should have probably kept my mouth shut.

Comment by srmarm 1 day ago

Clearly a big f-up by FIFA on what looks like quite a tidy platform otherwise.

One question though: how do you know your feed would kick off the 'real' feed if you pushed to RTMP? Does it just take the most recent connection as live? Does the protocol have a mechanism for dealing with multiple people pushing to the same endpoint? There may be more checking on that endpoint, and of course I'm sure most live broadcasters would have a live director to cut any feeds at their end if a dodgy feed popped up too.

A huge vulnerability nonetheless and a great write up!

Comment by BobDaHacker 1 day ago

Good question! So RTMP doesn't really have a clean way to handle two publishers on the same stream key. What would actually happen is the two streams fighting for the ingest endpoint, so the output would glitch between the two sources. Like if I pushed Subway Surfers gameplay it'd be flickering between the actual match and Subway Surfers with the audio cutting back and forth. You're right that a live director would catch it pretty fast but even a few seconds of that on air during a World Cup match is not great.

Comment by aembleton 1 day ago

How do you know that you can even write to any of those fields? You didn't try it, so maybe there is a JWT role check in the backend on POST and PUT.

Comment by BobDaHacker 1 day ago

That's a different thing. RTMP ingest endpoints aren't behind the same API layer, they're just open media endpoints that accept a connection if you have the stream key. The stream key was right there in the URL. There's no JWT involved in pushing video to an RTMP ingest, it's just connect and publish.

Comment by arecsu 1 day ago

Awesome read! Congratulations on discovering this and reporting it. Hope you get something back from FIFA. This could've led to some huge disaster if it had fallen into the wrong hands.

Love your writing skills as well!

> I closed it immediately. But the damage was done (to my brain).

Laughed so hard when I read this one :D

Comment by Tepix 1 day ago

It was a cool story, no doubt.

> Love your writing skills as well!

I'd say it was heavily AI assisted.

Comment by jdw64 1 day ago

I don't understand why people obsess over LLM (AI) format. The content is interesting, but they dismiss it just because the format is an issue. All of this content is worth reading and is good. And it's about security.

Comment by ipdashc 1 day ago

It's really annoying. Honestly I'm impressed how quickly one becomes able to smell it after seeing enough of it, I feel like a year or two ago everyone thought LLM bots would be forever indistinguishable from real users (and in fairness, the well-managed ones probably are).

No hate on the author, but LLMs just have such an annoying and overdramatic way of phrasing things. The content is worth reading, I enjoyed it! It would just be even better if it hadn't been turned into such a slog to read through.

Comment by jdw64 1 day ago

I agree. Stylistically, there are parts that really rub me the wrong way as a person.

Comment by willdr 1 day ago

The content is rendered unreadable by the LLM's sentence construction. Secondly, it's insulting. If you didn't care enough to write it, why should I care enough to read it?

Comment by dawnerd 1 day ago

Or even believe it. Hard to believe a story if it’s right from an llm.

Comment by jdw64 1 day ago

I saw this post. Wasn't it a capture of something that actually happened? So it just described a real story. I can doubt the authenticity of all of it, whether it's really true or not, but the content itself was interesting enough.

What I don't understand is this: 'Show sincerity'—that is, a human value. If it were AI-generated, stitched-together false content, I'd understand, but I see quite a few interesting points.

Whenever I see things like this, I always think of Sturgeon's law: 90% is bad, and only 10% is interesting. I get that most AI-generated content is AI slop. But even back when only humans could write, there were plenty of clickbait articles.

I agree that GEN AI spam content is generally bad, and I also agree that some of it may lack effort. But honestly, I'm not sure this content is completely meaningless.

Regardless of the packaging, if the content inside is interesting and valuable enough, I think that's what matters. I guess we just see things quite differently.

So what I'm saying is, I don't agree with the idea that he didn't care at all.

Comment by anthonyeden 1 day ago

Do you know these feeds actually go to broadcasters? They could be internal feeds for refs, match review, head office monitoring, etc.

The broadcast contribution feeds I’ve seen in the past are MPEG-TS, not via RTMP.

Still a great find.

Comment by srfwx 15 hours ago

You're right, it's not the international signals, but internal distribution only.

Comment by thrdbndndn 1 day ago

This happens more often than you would think.

During COVID, lots of live shows (concerts, etc.) in Japan moved to streaming (and most of them stuck, so thanks to that, lots of large concerts today have real-time streaming, which is great for foreign fans).

Out of 10+ platforms, more than half have vulnerabilities that allow you to access the content freely (sometimes including the rehearsals, because they are also streamed internally), and on a handful, you can access the admin panel and, as the author said, stream whatever you want.

Most of them have been patched over the years (some are just the byproduct of them changing the backend/SaaS provider, though), but there remain some major providers where you can get content for free.

Comment by mjfisher 1 day ago

How could that possibly, ever, have made it through? Every single API for every single service didn't check the JWT?

Comment by maciekkmrk 1 day ago

It started as an internal service where you need to be connected with a VPN, so why bother with security.

Comment by Ekaros 1 day ago

Vibe coding? Just have LLM make it and then press merge?

Comment by himata4113 1 day ago

Eh, ironically this is an easy mistake to make for a human, especially around how middleware is handled in Express or other Node.js libraries; it's the reason why so many of the vulnerabilities come from Node-based apps. Python has similar footguns as well, with undefined objects failing open. TypeScript has somewhat mitigated these for Node, but there is no real fix for Python other than skipping libraries that allow failing open.

Comment by BobDaHacker 1 day ago

Yeah I see this type of crap often honestly, especially at big companies.

Comment by patates 1 day ago

You hit the jackpot on security research, but you cannot take like an hour or two to at least get rid of the AI smell? Please do use AI, nothing against that, all I'm saying is please, please don't deliver this weirdness:

> I did not touch any of these controls. But they were there. Functional.

I really needed to push myself to read because it was very interesting and thank you, for doing the work and sharing.

Comment by rectang 1 day ago

> Client says "access denied"

> Server says "here's everything"

hahahaha

> Hire me (just kidding... unless?)

FIFA is a legendarily awful organization. In my weaker moments reading your piece I thought to myself how nice it would have been if someone more ruthless than you had been made an example of them.

Comment by divan 1 day ago

To be fair, FIFA is one of the best international federations in terms of good governance. The Dutch sport think-tank Play The Game has an assessment methodology and a project called "Sports Governance Observer", and did assess FIFA in 2018 [1].

FIFA gets a disproportionate amount of attention and, ofc, high-level corruption scandals, but I would say it's more like a by-product of the sheer scale of football, and not a problem with FIFA itself. I believe most sports federations in the world are very far from FIFA in terms of governance, but also from facing the problems that FIFA has.

[1] https://www.playthegame.org/publications/sports-governance-o...

Comment by alper 23 hours ago

> They understood the issue immediately.

I'm guessing this is not the first time this happened to them.

Comment by patate007 1 day ago

Great article! You must be pretty confident to click the "stop streaming" button without knowing whether a confirmation modal will pop up or not

Comment by BobDaHacker 1 day ago

I blocked my network traffic before clicking it cuz I've seen a lot of things without confirmation pop-ups. At least there was a confirmation pop-up.

Comment by dddddaviddddd 1 day ago

I thought this too, but inspecting the HTML source could have shown that a modal would be shown next.

Comment by Jabrov 1 day ago

Holy crap. Had to pick my jaw up off the floor. I hope you get some kind of acknowledgement or bounty for this. Kudos for having the willpower to resist sending a message to millions of people and sparking a global phenomenon!

Comment by dzonga 1 day ago

JWTs strike again.

Encrypted cookies still work & they're stateless. & yeah, you can pass cookies between servers & also server - SPA.

To BobDaHacker - great research, but slow down on the AI writing.

Comment by aembleton 1 day ago

If the backend doesn't check the credentials then it doesn't matter if it's JWT or encrypted cookies or anything else.

Comment by sairam_h 1 day ago

That was really cool! It was one of the most impressive exploits I have ever read about. I really hope they give you something in return for your service, at the very least a thank you.

Comment by josefritzishere 21 hours ago

If you can Rickroll, you should.

Comment by c0d3r__ 21 hours ago

"If you can go to jail, you should."

Comment by jansan 1 day ago

> Replace that, and every TV network receiving the FIFA feed shows whatever you pushed.

Holy shit, Rickrolling is among the more harmless things you could have done with that.

Comment by Cider9986 1 day ago

What's the most harmful thing you could do?

Comment by Hugsbox 22 hours ago

Use your imagination, brother. What's the worst thing you can think of them showing to the entire world?

Comment by jansan 1 day ago

Are you trying to trick me into writing something here that I would later regret?

Comment by curiousgal 1 day ago

This is honestly one of the only instances where I am like "you're an idiot for reporting this". The amount of reach, provided the feeds can indeed be overridden, is absolutely insane. Paired with how shitty of an org FIFA is, I personally would have just leaked this.

Comment by BobDaHacker 1 day ago

As much as I like being butt fucked, I dont wanna go to prison :3

Comment by BobDaHacker 1 day ago

Also, I am not much of a football gal myself, so I didn't know they were a shitty org.

Comment by rvz 1 day ago

> FIFA never responded. Not to acknowledge the report. Not to say thank you. Not to discuss compensation. Nothing.

If this is true, why help them if they do not take their own security seriously, especially if they have vibe-coded their auth backend server?

Comment by BobDaHacker 1 day ago

Registered on FIFA's public Agent Platform with my ID, got added to their Microsoft Entra tenant, and found the Angular app only checked roles client-side. The backend APIs served everything: RTMP ingest URLs and stream keys for every live World Cup 2026 camera feed across all five angles. Confirmed live in VLC. An attacker could have pushed arbitrary video to the ingest endpoints and replaced broadcast feeds on TV worldwide. Write access to match stats, commentator notes, and the live score system was also exposed.

Comment by pjmlp 1 day ago

As someone who also wears a security hat from time to time, regarding dev best practices: that is a very common failure in SPAs, client-side-only validation.

There is always some fun showing teams how easy it is to bypass with a plain browser and developer tools window open.
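An added example, not code from the post or from FIFA's platform, showing the two failure modes discussed above: the SPA-only role check pjmlp describes, and the fail-open middleware footgun himata4113 mentions, beside a server-side guard that fails closed. A tiny Express-style chain is constructed here so it runs with no dependencies; the route payload, claim names and role names are assumptions.

```javascript
// Added example (not from the post or FIFA's code). Minimal Express-style
// middleware runner, constructed so the block runs without dependencies.

// Run handlers the way Express does: each one either writes a response or
// calls next() to hand off to the following handler.
function runChain(handlers, req) {
  const res = { status: null, body: null };
  let i = 0;
  const next = () => {
    const handler = handlers[i++];
    if (handler) handler(req, res, next);
  };
  next();
  return res;
}

// Constructed claims as the API would see them after JWT signature checks.
// An ordinary agent account carries no "roles" claim at all (assumption).
const agentUser = { sub: 'agent-123' };
const opsUser = { sub: 'ops-1', roles: ['broadcast-admin'] };

// Constructed stand-in for the kind of data the real API returned
// (placeholder values, not anything from the post).
const streamConfig = {
  ingest: 'rtmp://ingest.example.invalid/live',
  streamKey: '<constructed-stream-key>',
};

function sendStreamConfig(req, res) {
  res.status = 200;
  res.body = streamConfig;
}

// Fail-open guard: it only rejects when a roles array is present AND lacks
// the role. A missing claim (undefined) skips the test and falls through to
// next(), so an account with no roles is treated like an admin.
function requireRoleFailOpen(role) {
  return (req, res, next) => {
    if (req.user && req.user.roles && !req.user.roles.includes(role)) {
      res.status = 403;
      res.body = 'forbidden';
      return;
    }
    next();
  };
}

// Fail-closed guard: normalise the claim to an array first, deny unless the
// role is positively present, and never call next() on the deny path.
function requireRole(role) {
  return (req, res, next) => {
    const roles = req.user && Array.isArray(req.user.roles) ? req.user.roles : [];
    if (!roles.includes(role)) {
      res.status = 403;
      res.body = 'forbidden';
      return;
    }
    next();
  };
}

// Three ways to wire the same endpoint. The first mirrors the finding in the
// post (the SPA hides the button, the API checks nothing); the second is the
// undefined-claim footgun; the third is the correct server-side check.
function clientSideOnlyApi(req) {
  return runChain([sendStreamConfig], req);
}
function failOpenApi(req) {
  return runChain([requireRoleFailOpen('broadcast-admin'), sendStreamConfig], req);
}
function hardenedApi(req) {
  return runChain([requireRole('broadcast-admin'), sendStreamConfig], req);
}
```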

Comment by swader999 1 day ago

Could have made a killing off of Polymarket and rickrolled ftw.

Comment by hackerdood 1 day ago

Given that they had to hand over their identity to get access, seems like a 1-way ticket to prison (assuming FIFA logs events like that, which honestly I’m not so sure about anymore).

Comment by antonvs 1 day ago

> Hire me (just kidding... unless?)

Would you really want to work for one of the world’s most notoriously corrupt organizations?

Comment by BobDaHacker 1 day ago

I am not much of a football gal myself, so I didn't know they were a shitty org.

Comment by antonvs 13 hours ago

I don't follow football in the slightest, but these have been major media stories. See: https://en.wikipedia.org/wiki/2015_FIFA_corruption_case

Not saying "you should have heard of it", just giving info.

The US DOJ investigation found over $150 million in bribes and kickbacks over two decades. This led to dozens of criminal indictments, and ongoing legal battles over the recovery of stolen funds.

But maybe they've resolved that now and are a changed organization? Oh wait, this is the organization that made up a "peace prize" to give to a certain Donald Trump, to make up for the Nobel committee's completely inexplicable refusal to award their Peace Prize to the guy who started a pointless war with Iran that plunged the world into economic chaos. It'd be hilarious, if it weren't so sleazy, sad, and depressing.

Long story short, if FIFA offered you a cybersecurity job tomorrow, you should do a lot of due diligence before accepting.

Comment by rohitsriram 1 day ago

[flagged]

Comment by jadecarter68 1 day ago

[dead]

Comment by assixx 1 day ago

[dead]