I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID
91 points by fs111
I wonder if they got access to the FIFA Bribe Management controls too?
could've
it's a shame she didn't!
would probably have landed them in huge trouble though. So huge that it clearly doesn't justify the laughs.
Yeah if anyone messed with the feed of the finale for example I wouldn't be surprised if an angry mob descended on the perpetrator.
Given their lack of basic security it'd be impossible for FIFA to figure out who could've hijacked a stream. Rickrolling the final would have made it even more memorable than the last.
Her pronouns are she/her btw
oops, I didn't check and messed up looking just at "Bob"
I'm sorry if the author is reading this
I don't understand the tone.
This is pure fun. Imagine the internet without these breaches? It would be so boring. The author should be grateful.
Also no one asked him to report anything, so why is he complaining it was hard to report? Either do it because you want or don't do it. Exploit it if you're so angry about it, but don't complain about them not having an email for security vulnerabilities.
It's so odd that the author doesn't even blame them for having such a stupid vulnerability, only for making it hard to report.
> I don't understand the tone.
The article is most likely LLM-generated. Exhibits: the title case capitalization; the short sentences with lots of periods; the short rhetorical questions (“That UUID at the end? [...] That's the stream key”); the word “breakthrough” in non-technical prose.
If you take a look at the author’s [long] posts on social media, she doesn’t write like that.
The prose also seems very LLM-y to me, although I keep getting "100% human-written" when I check passages on Pangram. E.g.: https://www.pangram.com/history/80affa08-c429-4359-a22a-fe3d1e78f5da?ucc=7ahTNBfg1so
Yea given FIFA's shameless corruption it's almost weird to go out of your way to report a security breach and expect anything in return.
The author is supposedly the first person to find the vulnerability; she visited every page she could leaving trails here and there, and also validated her identity. Probably that's why she panicked; she saw something nobody should see. If a hack had happened, she would be the first suspect.
It's amazing how these huge organizations can't get the basics right.
It strikes me as exactly the sort of organization that wouldn't take IT security seriously. I picture a management consisting of businessmen with a Derek Zoolander level understanding of computers.
I understand that there will be vulnerabilities, but security researchers having to contact the FBI to report them is a bigger systemic problem.
What makes me think they had Copilot slap together the integration between the portal and the streaming panel and called it a day?
Man, I kinda wish the hacker did rickroll the FIFA World Cup. It would be about as legendary as hacking the Sphere in Las Vegas.
is the site down for everyone or just me?
Is your DNS server filtering the domain? Mine filtered it, since this domain used to be on a blocklist I use. I tested with a public recursive resolver and the site seems to have no issues.
This domain is in my week-old copy of a dns blocklist in rpz/tif.txt (and presumably the other formats, I'm only looking at the one I use). I've no idea what specific metrics they're using to decide which domains are in that list, but it's no longer present in the latest release.
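The two comments above describe a domain being filtered because it appeared in an RPZ-format DNS blocklist. The following is an added example, not code from the thread or from any blocklist project, showing how a resolver-side RPZ zone is matched against a hostname: exact owner names block only that name, while `*.name` entries block every subdomain beneath it, which is why such lists usually carry both forms. The zone text, the domain names and the helper names (`parse_rpz`, `match_rpz`) are all constructed for this illustration; only `CNAME .` (the "return NXDOMAIN" action) is handled.

```python
"""Check whether a hostname would be blocked by a DNS RPZ blocklist.

Added example with constructed data; the zone below is not a real blocklist.
RPZ policy zones list owner names whose target is "." to mean NXDOMAIN.
"""
import re

# Constructed sample in RPZ zone-file format (comments start with ';').
SAMPLE_RPZ = """\
; rpz blocklist sample (constructed for this example)
$TTL 3600
@ SOA localhost. root.localhost. 1 3600 900 604800 3600
  NS localhost.
bad-tracker.example CNAME .
*.bad-tracker.example CNAME .
phish.example.net CNAME .
"""

# owner [ttl] [IN] CNAME .   -> the "NXDOMAIN" policy action
_RULE_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+\.$", re.IGNORECASE)


def parse_rpz(text):
    """Return (exact_names, wildcard_parents) from RPZ zone text.

    exact_names holds owners listed verbatim; wildcard_parents holds the
    parent of each '*.parent' owner, so 'x.parent' matches but 'parent' does not.
    """
    exact, wildcard = set(), set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments/whitespace
        if not line or line.startswith(("$", "@")):   # directives, SOA/NS apex
            continue
        m = _RULE_RE.match(line)
        if not m:                                     # NS records etc.
            continue
        owner = m.group(1).lower().rstrip(".")
        if owner.startswith("*."):
            wildcard.add(owner[2:])
        else:
            exact.add(owner)
    return exact, wildcard


def match_rpz(hostname, exact, wildcard):
    """Return (matching_rule, kind) if the hostname is blocked, else None."""
    name = hostname.lower().rstrip(".")
    if name in exact:
        return (name, "exact")
    labels = name.split(".")
    # Walk up the ancestors: a.b.c -> b.c -> c; wildcards cover strict subdomains.
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in wildcard:
            return ("*." + parent, "wildcard")
    return None


if __name__ == "__main__":
    exact, wildcard = parse_rpz(SAMPLE_RPZ)
    for host in ("bad-tracker.example", "cdn.bad-tracker.example",
                 "notbad-tracker.example", "sub.phish.example.net"):
        print(f"{host:28} -> {match_rpz(host, exact, wildcard)}")
```

Because exact entries do not cover subdomains, a list that names only `phish.example.net` still lets `sub.phish.example.net` resolve; comparing the answer from the filtering resolver with one from a public recursive resolver, as the commenter did, remains the quickest way to tell a blocklist hit from an actual outage.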