I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID. | bobdahacker
I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.
June 16, 2026
BobDaHacker
They fixed it without ever responding to me. I had to call FIFA, MediaKind, HBS, CISA, and the FBI at 3am Tokyo time just to get someone to listen. This is that story.
It Started With a Football Agent Registration
So FIFA has this thing called the FIFA Agent Platform. It's a public portal where you can register to become a licensed football agent. You submit your ID, verify your email, and you're in. Simple enough.
What I didn't expect was what happened next.
When you register on agents.fifa.org, FIFA adds your account to their Microsoft Entra tenant (formerly Azure AD). That's the same tenant that powers all of FIFA's internal platforms. And I mean all of them.
My first two attempts actually failed because the lighting on my ID photos wasn't good enough:
"Registration failed during the last step of checking your identification." - apparently FIFA has higher standards for my selfie than my actual security
But the third attempt went through. And I received this beautiful email:
Subject line: "FIFA - FAP - CONFIRMATION". Yes, FIFA's Agent Platform is officially called FAP. I cannot make this up. FAP CONFIRMATION. Moving on.
The "Access Denied" That Wasn't
After registration, I tried navigating to fdp.fifa.org - FIFA's Football Data Platform. The app authenticated me through the shared Entra tenant, checked my roles, found I had none, and showed me:
"Sorry, you do not have any FIFA Football Data Platform role assigned to your account."
Looks like it works, right? Access denied. Go away. Nothing to see here.
Except this was all client-side. The Angular app checked the JWT for a NO_ROLES marker and rendered the access-denied page. The backend APIs? They didn't check anything. They just served whatever you asked for.
Welcome to the Streaming Management Panel
After bypassing the client-side guards, I landed on the Streaming Management panel. And my jaw hit the floor.
Every single FIFA World Cup 2026 match. With streaming controls.
This wasn't some dev environment. This wasn't test data. This was the live production Streaming Management panel for the FIFA World Cup 2026. Every match. Every camera angle. Every RTMP ingest URL. Every stream key.
Let me expand one of those matches so you can see what I mean:
Five camera angles per match: PGM, Tactical, Camera1, High Behind Left, High Behind Right
Each match had five camera feeds, each with:
An RTMP ingest URL (where the camera sends video TO)
A preview manifest (where you can WATCH the feed)
An output URL (the HLS manifest that goes to broadcast partners)
The RTMP ingest URLs looked like this:
rtmp://in-6c81fc99-513f-4c76-82c2-877e0b93f2ea.westeurope.streaming.mediakind.com:1935/96886a14-9987-420f-814c-2f7cec5408ae
That UUID at the end? 96886a14-9987-420f-814c-2f7cec5408ae. That's the stream key (not a real one). It's shared across all five camera angles for the same match. One key to rule them all.
The streaming infrastructure is hosted on MediaKind, FIFA's streaming technology partner. These are production endpoints. The same ones receiving live camera feeds from stadiums across the US, Mexico, and Canada.
I Opened VLC. It Was Live.
I had to confirm the preview manifests actually worked. So I copied one into VLC.
That's a live tactical camera feed from an active FIFA World Cup 2026 match. Playing in VLC. On my PC. In Tokyo.
I closed it immediately. But the damage was done (to my brain). Those preview URLs serve live video. During active matches. To anyone with the URL.
I Could Have Stopped the Streams
It wasn't just read access. The Streaming Management panel had full controls. Start, stop, schedule. For every match. Every camera angle.
One click. That's all it would take to kill a live World Cup camera feed.
I did not touch any of these controls. But they were there. Functional. Waiting for anyone with a NO_ROLES account to press them.
The Nuclear Option
Let me spell out what this means.
Those RTMP ingest URLs are the literal pipe from the stadium cameras to FIFA's broadcast distribution chain. Camera -> RTMP ingest -> MediaKind -> broadcast partners -> your TV.
If an attacker pushed video to one of those RTMP endpoints with the stream key (which is RIGHT THERE in the URL), they would replace the camera feed. The PGM (Program) feed is the main broadcast output. Replace that, and every TV network receiving the FIFA feed shows whatever you pushed.
The stream key is shared across all five camera angles per match. A single attacker could hijack every camera simultaneously.
An attacker could have rickrolled the entire FIFA World Cup. Or played Subway Surfers gameplay. Live. On every TV network worldwide. During an active match.
I did not test this. I did not...