Rendered at 07:03:56 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
albertgoeswoof 31 minutes ago [-]
Please stop using AI to write for you, it ruins what is otherwise a fascinating story, and on reflection I struggle to trust it.
If you used AI to generate the blog post, did you use AI to generate the screenshots and story?
V__ 2 minutes ago [-]
I am curious, what exactly triggers your AI senses in this post?
sevenzero 28 minutes ago [-]
I remember a frontpage post from like 2 days ago:
"If you want human attention show human effort" or something in that direction. I think this fits here just right.
BobDaHacker 23 minutes ago [-]
Yeah I used Claude as a writing assistant for the initial draft. I'm autistic and long-form writing isn't my strong suit, getting a 4000 word blog post to flow well is genuinely hard for me. But I do edit it pretty heavily after, the voice and the jokes and the structure are mine, the AI just helps me get a baseline down so I'm not staring at a blank page. The research, the screenshots, the disclosure, that's all me. I've been doing this stuff for years.
pqs 26 minutes ago [-]
These comments don't help much. AI is here, not everybody can write well, AI is gonna be used.
llbbdd 24 minutes ago [-]
The problem is that people who are bad writers have trouble understanding that AI writes worse than they do
SXX 21 minutes ago [-]
I'd wish we come to a day where people would just post the prompt. Then I can decide what story to generate from it.
Vinnl 3 minutes ago [-]
I'm still planning to add a "AI-edited version" toggle to my blog. Not that it would do anything, because people wouldn't click it anyway.
patates 15 minutes ago [-]
Look I don't like to see a wall of AI slop as much as the next person (see: https://news.ycombinator.com/item?id=48551462), but "just post the prompt" is also too dismissive. AI had access to information that we don't have and all you see here is probably a compilation of multiple prompts, edits and various sources (like author's notes) for context.
We can adjust our expectations for people to take some time to make the output theirs.
OTOH, and this is me arguing against myself, maybe this is not too different than the million web sites we saw using the unmodified default bootstrap theme.
I guess my opinions as well as the response of the community are still evolving.
TeMPOraL 14 minutes ago [-]
- It's called "writing in bullet points"
- Normies frown upon it
watwut 2 minutes ago [-]
They don't! Before AI, people complain about long emails and what not. The literally preferred to read short ones.
gspr 18 minutes ago [-]
> AI is here, not everybody can write well, AI is gonna be used.
I don't know about you, but I'd love to read a fascinating story written by a relatively poor writer. But if they can't be bothered to write, I assume the story can't be that good.
Oranguru 7 minutes ago [-]
But this isn't a story, literature, or a fancy piece of art; it's merely a technical blog post that discloses a security vulnerability. Here, the writing serves only as a vehicle to convey a message. Once you've received it, its purpose has been fulfilled. I would agree with you if the writing were an important part of the message, but here it is not. Not everybody can write well, and this guy clearly had something to tell, and that is what matters.
holman 1 hours ago [-]
Really amusing to read this one. I did something similar for Qatar 2022 and got access to roster submission (https://zachholman.com/posts/hacking-fifa). To their credit they patched it pretty quickly, but their promised "token of appreciation" never came. (Although on the other hand, they didn't sue me, so I guess that's a win.)
thrdbndndn 7 minutes ago [-]
This happens more often than you would think.
During COVID, lots of live shows (concerts, etc.) in Japan moved to streaming (and most of them stuck, so thanks to that, lots of large concerts today have real-time streaming, which is great for foreign fans).
Out of 10+ platforms, more than half have vulnerabilities that allow you to access the content freely (sometimes including the rehearsals, because they are also streamed internally), and on a handful, you can access the admin panel and, as the author said, stream whatever you want.
Most of them have been patched over the years (some are just the byproduct of them changing the backend/SaaS provider, though), but there remain some major providers where you can get content for free.
srmarm 37 minutes ago [-]
Clearly a big f-up by FIFA on what looks like quite a tidy platform otherwise.
One question though, how do you know your feed would kick off the 'real' feed if you pushed to RTMP, does it just take the most recent connection as live? Does the protocol have a mechanism for dealing with multiple people pushing to the same endpoint? There maybe more checking on that endpoint and if course I'm sure most live broadcasters would have a live director to cut any feeds at their end if a dodgy feed popped up too.
A huge vulnerability nonetheless and a great write up!
BobDaHacker 25 minutes ago [-]
Good question! So RTMP doesn't really have a clean way to handle two publishers on the same stream key. What would actually happen is the two streams fighting for the ingest endpoint, so the output would glitch between the two sources. Like if I pushed Subway Surfers gameplay it'd be flickering between the actual match and Subway Surfers with the audio cutting back and forth. You're right that a live director would catch it pretty fast but even a few seconds of that on air during a World Cup match is not great.
patates 20 minutes ago [-]
You hit the jackpot on security research, but you cannot take like an hour or two to at least get rid of the AI smell? Please do use AI, nothing against that, all I'm saying is please, please don't deliver this weirdness:
> I did not touch any of these controls. But they were there. Functional.
I really needed to push myself to read because it was very interesting and thank you, for doing the work and sharing.
jdw64 24 minutes ago [-]
I don't understand why people obsess over LLM(AI)format. The content is interesting, but they dismiss it just because the format is an issue. All of this content is worth reading and is good. And it's about security.
willdr 22 minutes ago [-]
The content is rendered unreadable by the LLMs sentence construction. Secondly, it's insulting. If you didn't care enough to write it, why should I care enough to read it?
jdw64 10 minutes ago [-]
I saw the this post. Wasn't it a capture of something that actually happened? So it just described a real story. I can doubt the authenticity of all of it whether it's really true or not. but the content itself was interesting enough.
What I don't understand is this: 'Show sincerity'—that is, a human value. If it were AI-generated, stitched-together false content, I'd understand, but I see quite a few interesting points.
Whenever I see things like this, I always think of Sturgeon's law: 90% is bad, and only 10% is interesting. I get that most AI-generated content is AI slop. But even back when only humans could write, there were plenty of clickbait articles.
I agree that GEN AI spam content is generally bad, and I also agree that some of it may lack effort. But honestly, I'm not sure this content is completely meaningless.
Regardless of the packaging, if the content inside is interesting and valuable enough, I think that's what matters. I guess we just see things quite differently.
So what I'm saying is, I don't agree with the idea that he didn't care at all.
dawnerd 8 minutes ago [-]
Or even believe it. Hard to believe a story if it’s right from an llm.
arecsu 59 minutes ago [-]
Awesome read! Congratulations on discovering this and reporting. Hope you get something back from FIFA. This could've lead to some huge disaster if it failed under the wrong hands.
Love your writing skills as well!
> I closed it immediately. But the damage was done (to my brain).
Laughed so hard when I read this one :D
Tepix 49 minutes ago [-]
It was a cool story, no doubt.
> Love your writing skills as well!
I‘d say it was heavily AI assisted
mjfisher 1 hours ago [-]
How could that possibly, ever have made it through. Every single API for every single service didn't check the JWT?
Ekaros 44 minutes ago [-]
Vibe coding? Just have LLM make it and then press merge?
himata4113 36 minutes ago [-]
Eh, ironically this is an easy mistake to make for a human especially around how middleware is handled in express or other nodejs libraries, it's the reason why so so many of the vulnerabilities come from node based apps. Python has similar footguns as well with undefined objects failing open. Typescript has somewhat mitigated these for node, but there is no real fix for python other than skipping libraries that allow failing open.
BobDaHacker 28 minutes ago [-]
Yeah I see this type of crap often honestly, especially at big companies.
sairam_h 14 minutes ago [-]
That was really cool! It was one of the impressive exploit i have ever read about. I really hope they give you something in return for your service, at the very least a thank you.
rectang 23 minutes ago [-]
> Client says "access denied"
> Server says "here's everything"
hahahaha
> Hire me (just kidding... unless?)
FIFA is a legendarily awful organization. In my weaker moments reading your piece I thought to myself how nice it would have been if someone more ruthless than you had been made an example of them.
divan 11 minutes ago [-]
To be fair FIFA is one of the best international federations in terms of good governance. Dutch sport think-tank Play The Game has an assestment methodology and the project called "Sports Governance Observer" and did asses FIFA in 2018 [1]
FIFA gets disproportionate amount of attention and, ofc, high-level corruption scandals, but I would say it's more like a by-product of the sheer scale of the football, and not a problem with FIFA itself. I believe most sports federations in the world are very far from FIFA in terms of governance, but also from facing problems that FIFA has.
> FIFA never responded. Not to acknowledge the report. Not to say thank you. Not to discuss compensation. Nothing.
If this is true, why help them if they do not take their own security seriously, especially if they have vibe-coded their auth backend server?
Jabrov 48 minutes ago [-]
Holy crap. Had to pick my jaw up off the floor. I hope you get some kind of acknowledgement or bounty for this. Kudos for having the willpower to resist sending a message to millions of people and sparking a global phenomenon!
patate007 38 minutes ago [-]
Great article! You must be pretty confident to click the "stop streaming" button without knowing whether a confirmation modal will pop up or not
BobDaHacker 28 minutes ago [-]
I blocked my network traffic before clicking it cuz I've seen a lot of things without confirmation pop-ups. At least there was a confirmation pop-up.
dddddaviddddd 29 minutes ago [-]
I thought this too, but inspecting the HTML source could have shown that a nodal would be shown next.
curiousgal 11 minutes ago [-]
This is honestly one of the only instances where I am like "you're an idiot for reporting this". The amount of reach, provided the feeds can indeed be overriden, is absolutely insane. Paired with how shitty of an org FIFA is, I personally would have just leaked this.
BobDaHacker 3 minutes ago [-]
Also, I am not much of a football gal myself, so I didn't know they were a shitty org.
BobDaHacker 5 minutes ago [-]
As much as I like being butt fucked, I dont wanna go to prison :3
1 hours ago [-]
jansan 41 minutes ago [-]
> Replace that, and every TV network receiving the FIFA feed shows whatever you pushed.
Holy shit, Rickrolling is among the more harmless things you could have done with that.
BobDaHacker 2 hours ago [-]
Registered on FIFA's public Agent Platform with my ID, got added to their Microsoft Entra tenant, and found the Angular app only checked roles client-side. The backend APIs served everything: RTMP ingest URLs and stream keys for every live World Cup 2026 camera feed across all five angles. Confirmed live in VLC. An attacker could have pushed arbitrary video to the ingest endpoints and replaced broadcast feeds on TV worldwide. Write access to match stats, commentator notes, and the live score system was also exposed.
swader999 1 hours ago [-]
Could have made a killing off of poly market and rick rolled ftw.
hackerdood 49 minutes ago [-]
[dead]
antonvs 17 minutes ago [-]
> Hire me (just kidding... unless?)
Would you really want to work for one of the world’s most notoriously corrupt organizations?
BobDaHacker 3 minutes ago [-]
I am not much of a football gal myself, so I didn't know they were a shitty org.
If you used AI to generate the blog post, did you use AI to generate the screenshots and story?
"If you want human attention show human effort" or something in that direction. I think this fits here just right.
We can adjust our expectations for people to take some time to make the output theirs.
OTOH, and this is me arguing against myself, maybe this is not too different than the million web sites we saw using the unmodified default bootstrap theme.
I guess my opinions as well as the response of the community are still evolving.
- Normies frown upon it
I don't know about you, but I'd love to read a fascinating story written by a relatively poor writer. But if they can't be bothered to write, I assume the story can't be that good.
During COVID, lots of live shows (concerts, etc.) in Japan moved to streaming (and most of them stuck, so thanks to that, lots of large concerts today have real-time streaming, which is great for foreign fans).
Out of 10+ platforms, more than half have vulnerabilities that allow you to access the content freely (sometimes including the rehearsals, because they are also streamed internally), and on a handful, you can access the admin panel and, as the author said, stream whatever you want.
Most of them have been patched over the years (some are just the byproduct of them changing the backend/SaaS provider, though), but there remain some major providers where you can get content for free.
One question though, how do you know your feed would kick off the 'real' feed if you pushed to RTMP, does it just take the most recent connection as live? Does the protocol have a mechanism for dealing with multiple people pushing to the same endpoint? There maybe more checking on that endpoint and if course I'm sure most live broadcasters would have a live director to cut any feeds at their end if a dodgy feed popped up too.
A huge vulnerability nonetheless and a great write up!
> I did not touch any of these controls. But they were there. Functional.
I really needed to push myself to read because it was very interesting and thank you, for doing the work and sharing.
What I don't understand is this: 'Show sincerity'—that is, a human value. If it were AI-generated, stitched-together false content, I'd understand, but I see quite a few interesting points.
Whenever I see things like this, I always think of Sturgeon's law: 90% is bad, and only 10% is interesting. I get that most AI-generated content is AI slop. But even back when only humans could write, there were plenty of clickbait articles.
I agree that GEN AI spam content is generally bad, and I also agree that some of it may lack effort. But honestly, I'm not sure this content is completely meaningless.
Regardless of the packaging, if the content inside is interesting and valuable enough, I think that's what matters. I guess we just see things quite differently.
So what I'm saying is, I don't agree with the idea that he didn't care at all.
Love your writing skills as well!
> I closed it immediately. But the damage was done (to my brain).
Laughed so hard when I read this one :D
> Love your writing skills as well!
I‘d say it was heavily AI assisted
> Server says "here's everything"
hahahaha
> Hire me (just kidding... unless?)
FIFA is a legendarily awful organization. In my weaker moments reading your piece I thought to myself how nice it would have been if someone more ruthless than you had been made an example of them.
FIFA gets disproportionate amount of attention and, ofc, high-level corruption scandals, but I would say it's more like a by-product of the sheer scale of the football, and not a problem with FIFA itself. I believe most sports federations in the world are very far from FIFA in terms of governance, but also from facing problems that FIFA has.
[1] https://www.playthegame.org/publications/sports-governance-o...
If this is true, why help them if they do not take their own security seriously, especially if they have vibe-coded their auth backend server?
Holy shit, Rickrolling is among the more harmless things you could have done with that.
Would you really want to work for one of the world’s most notoriously corrupt organizations?