Honestly given how security researchers get attacked for just reporting problems I'm not sure I would have been brave enough to report it without creating an anonymous account first.
Given their lack of basic security it'd be impossible for FIFA to figure out who could've hijacked a stream. Rickrolling the final would have made it even more memorable than the last.
This is pure fun. Imagine the internet without these breaches? It would be so boring. The author should be grateful.
Also no one asked him to report anything, so why is he complaining it was hard to report? Either do it because you want or don't do it. Exploit it if you're do angry about it, but don't complain about them not having an email for security vulnerabilities.
It's so odd that the author doesn't even blame them for having such a stupid vulnerability, only for making it hard to report.
The article is most likely LLM-generated. Exhibits: the title case capitalization; the short sentences with lots of periods; the short rhetorical questions (“That UUID at the end? [. . .] That's the stream key”; the word “breakthrough” in non-technical prose.
If you take a look at the author’s [long] posts on social media, she doesn’t write like that.
Such accusations make me so sad — what used to be a good writing advice now makes people suspicious. This isn't an LLM style, it's a mashup of people's styles.
Writing concisely, clearly, and in an engaging style was indeed good writing advice, but (in the case of personal blogs, rather than corporate communications) individual people still ultimately had to write every sentence themselves, so there was more room for idiosyncrasy, and for the author's voice to come through. LLM-written (or heavily LLM-assisted) writing is frustrating not so much because it mimics that kind of style, but that it's all that style, one post after another, usually without notice.
Clicking on someone's personal blog was always a gamble. But now, the gamble is not whether I'll get a blog post that's hard to follow and difficult to read, or something quite good, or a real gem, it's whether what I'll get is going to be something written by the same salesperson I've already read before, and whose style I didn't like, and would rather avoid, except I can't, because that salesperson keeps showing up under a different alias. And worse, the content is often actually good, but this salesperson's writing style now distracts me from it.
Well-written corporate communications also tend to follow good writing advice (for their target), but when I read them, I at least know what I'm going to get, and typically do so only when I seek them out. I imagine that's what's driving a lot of the negative reactions (it does in me), and the kind of near-allergic suspicion when people see that writing style.
For what it's worth, I also thought this was written (or edited) by an LLM, and found the style distracting.
And worse, the content is often actually good, but this salesperson's writing style now distracts me from it.
Exactly. This article has a good core, a very high profile system with an amateurish security hole. The steps and details of various accessible components are there, in enough detail. "This is really interesting", I say. All the while tallying all the LLM tells, unable to unsee or ignore them. In the end, this article was interesting and I got something out of it when finished, but I didn't enjoy reading it because the distraction of the LLM bits.
I agree in principal, but I would not consider anything in this article "good writing" at all. Even with the subject being extremely interesting, I couldn't finish reading it.
It felt like trope, after trope, "but what happened next", "not this. Not that. But another thing". I can't read this... I'm not sure if I would've been able to before LLMs were a thing too - that's how grating I found it this time around.
I'm usually one to put up with LLM prose for the subject but this article in particular I just couldn't do it for some reason.
Yes. The repeated emphasis on NO_ROLES account. LLM text has some "key point" that gets repeated for "emphasis", but it quickly becomes tiring and unnecessary, and is an LLM tell.
Waiting for anyone with a NO_ROLES account to press them.
My NO_ROLES account had access to the entire platform.
And the backend accepts them from a NO_ROLES account
cis.fifa.org was also accessible with the NO_ROLES account
Also the timeline with only "Night" and "Next day" timestamps. Air of authority without substance, possibly there because timelines are common in security disclosures, but the source material didn't have any definitive dates or times.
The author is supposedly the first person to find the vulnerability; she visited every page she could leaving trails here and there, and also validated her identity. Probably that's why she panicked; she say saw something nobody should see. If a hack had happened, she would be the first suspect.
It strikes me as exactly the sort of organization that wouldn't take IT security seriously. I picture a management consisting of businessmen with a Derek Zoolander level understanding of computers.
I read this part again, but don't understand why OP didn't just stop after they got someone knowledgeable at MediaKind. Or, if they didn't seem competent (IIUC they did?), it would've made sense to stop after sending it to CISA.
I mean, both MediaKind and CISA understood the issue, asked for details on e-mail, and it still was the same night. It would've made sense to give them some time to fix it, right?
Yeah, it seemed like overkill to me, but perhaps the first few disappointing experiences made them want to get ahold of anyone and everyone that cared.
When I was a young dev I found myself in the unique position of being able to put any video stream I wanted onto half of television screens globally through an unintentional backdoor in the system everyone used to route them, preempting any existing feeds. Pure movie-trope supervillain stuff.
Obviously I didn't exploit it but the moment I realized I could felt pretty surreal. It is much, much harder to do such things today.
Maybe it's this contrast: The system this site operates is complex and high stakes, and the fix was turned around in a day, which would suggest competence. Which means for anyone who should be in charge of building this, sending a client sensitive data and trusting it to decide not to display it is just impossibly stupid.
Is your DNS server filtering the domain? Mine filtered it, since this domain used to be on a blocklist I use. I tested with a public recursive resolver and the site seems to have no issues.
This domain is in my week-old copy of a dns blocklist in rpz/tif.txt (and presumably the other formats, I'm only looking at the one I use). I've no idea what specific metrics they're using to decide which domains are in that list, but it's no longer present in the latest release.
xilef | 10 days ago
I wonder if they got access to the FIFA Bribe Management controls too?
alper | 10 days ago
Maybe that's what "Debbie.xlsx" was?
patryk | 10 days ago
it's a shame she didn't!
pilif | 10 days ago
would probably have landed them in huge trouble though. So huge that it clearly doesn't justify the laughs.
technomancy | 10 days ago
Honestly given how security researchers get attacked for just reporting problems I'm not sure I would have been brave enough to report it without creating an anonymous account first.
JulianSildenLanglo | 10 days ago
Yeah if anyone messed with the feed of the finale for example I wouldn't be surprised if an angry mob descended on the perpetrator.
ale | 10 days ago
Given their lack of basic security it'd be impossible for FIFA to figure out who could've hijacked a stream. Rickrolling the final would have made it even more memorable than the last.
skerritt | 10 days ago
Her pronouns are she/her btw
patryk | 10 days ago
oops, I didn't check and messed up looking just at "Bob"
I'm sorry if the author is reading this
sjamaan | 9 days ago
Reminds me of Blackadder :)
ag | 10 days ago
You sure?
patryk | 10 days ago
yeah, that was my mistake
radio | 10 days ago
I don't understand the tone.
This is pure fun. Imagine the internet without these breaches? It would be so boring. The author should be grateful.
Also no one asked him to report anything, so why is he complaining it was hard to report? Either do it because you want or don't do it. Exploit it if you're do angry about it, but don't complain about them not having an email for security vulnerabilities.
It's so odd that the author doesn't even blame them for having such a stupid vulnerability, only for making it hard to report.
sjamaan | 10 days ago
It's probably moral outrage that an organization of such stature has no security team.
Diti | 10 days ago
The article is most likely LLM-generated. Exhibits: the title case capitalization; the short sentences with lots of periods; the short rhetorical questions (“That UUID at the end? [. . .] That's the stream key”; the word “breakthrough” in non-technical prose.
If you take a look at the author’s [long] posts on social media, she doesn’t write like that.
kornel | 10 days ago
Such accusations make me so sad — what used to be a good writing advice now makes people suspicious. This isn't an LLM style, it's a mashup of people's styles.
lake | 10 days ago
Writing concisely, clearly, and in an engaging style was indeed good writing advice, but (in the case of personal blogs, rather than corporate communications) individual people still ultimately had to write every sentence themselves, so there was more room for idiosyncrasy, and for the author's voice to come through. LLM-written (or heavily LLM-assisted) writing is frustrating not so much because it mimics that kind of style, but that it's all that style, one post after another, usually without notice.
Clicking on someone's personal blog was always a gamble. But now, the gamble is not whether I'll get a blog post that's hard to follow and difficult to read, or something quite good, or a real gem, it's whether what I'll get is going to be something written by the same salesperson I've already read before, and whose style I didn't like, and would rather avoid, except I can't, because that salesperson keeps showing up under a different alias. And worse, the content is often actually good, but this salesperson's writing style now distracts me from it.
Well-written corporate communications also tend to follow good writing advice (for their target), but when I read them, I at least know what I'm going to get, and typically do so only when I seek them out. I imagine that's what's driving a lot of the negative reactions (it does in me), and the kind of near-allergic suspicion when people see that writing style.
For what it's worth, I also thought this was written (or edited) by an LLM, and found the style distracting.
hayalci | 9 days ago
Exactly. This article has a good core, a very high profile system with an amateurish security hole. The steps and details of various accessible components are there, in enough detail. "This is really interesting", I say. All the while tallying all the LLM tells, unable to unsee or ignore them. In the end, this article was interesting and I got something out of it when finished, but I didn't enjoy reading it because the distraction of the LLM bits.
zk | 9 days ago
I agree in principal, but I would not consider anything in this article "good writing" at all. Even with the subject being extremely interesting, I couldn't finish reading it. It felt like trope, after trope, "but what happened next", "not this. Not that. But another thing". I can't read this... I'm not sure if I would've been able to before LLMs were a thing too - that's how grating I found it this time around.
I'm usually one to put up with LLM prose for the subject but this article in particular I just couldn't do it for some reason.
connorboyle | 10 days ago
The prose also seems very LLM-y to me, although I keep getting "100% human-written" when I check passages on Pangram. E.g.: https://www.pangram.com/history/80affa08-c429-4359-a22a-fe3d1e78f5da?ucc=7ahTNBfg1so
hayalci | 9 days ago
Yes. The repeated emphasis on NO_ROLES account. LLM text has some "key point" that gets repeated for "emphasis", but it quickly becomes tiring and unnecessary, and is an LLM tell.
Also the timeline with only "Night" and "Next day" timestamps. Air of authority without substance, possibly there because timelines are common in security disclosures, but the source material didn't have any definitive dates or times.
fedemp | 10 days ago
The author is supposedly the first person to find the vulnerability; she visited every page she could leaving trails here and there, and also validated her identity. Probably that's why she panicked; she
saysaw something nobody should see. If a hack had happened, she would be the first suspect.ale | 10 days ago
Yea given FIFAs shameless corruption it's almost weird to go out of your way to report a security breach and expect anything in return.
sjamaan | 10 days ago
It's amazing how these huge organizations can't get the basics right.
marginalia | 10 days ago
It strikes me as exactly the sort of organization that wouldn't take IT security seriously. I picture a management consisting of businessmen with a Derek Zoolander level understanding of computers.
samebchase | 10 days ago
I understand that there will be vulnerabilities, but security researchers having to contact the FBI to report them is a bigger systemic problem.
sjamaan | 9 days ago
I read this part again, but don't understand why OP didn't just stop after they got someone knowledgeable at MediaKind. Or, if they didn't seem competent (IIUC they did?), it would've made sense to stop after sending it to CISA.
I mean, both MediaKind and CISA understood the issue, asked for details on e-mail, and it still was the same night. It would've made sense to give them some time to fix it, right?
samebchase | 9 days ago
Yeah, it seemed like overkill to me, but perhaps the first few disappointing experiences made them want to get ahold of anyone and everyone that cared.
cadey | 10 days ago
Man, I kinda wish the hacker did rick roll the FIFA world cup. It would be about as legendary as hacking the sphere in las vegas.
andrewrogers | 9 days ago
What a great story.
When I was a young dev I found myself in the unique position of being able to put any video stream I wanted onto half of television screens globally through an unintentional backdoor in the system everyone used to route them, preempting any existing feeds. Pure movie-trope supervillain stuff.
Obviously I didn't exploit it but the moment I realized I could felt pretty surreal. It is much, much harder to do such things today.
oceanhaiyang | 10 days ago
That's absolutely hilarious!
alper | 10 days ago
What makes me think they had copilot slap together the integration between the portal and the streaming panel and called it a day?
kevinc | 9 days ago
Maybe it's this contrast: The system this site operates is complex and high stakes, and the fix was turned around in a day, which would suggest competence. Which means for anyone who should be in charge of building this, sending a client sensitive data and trusting it to decide not to display it is just impossibly stupid.
bahlo | 10 days ago
is the site down for everyone or just me?
oceanhaiyang | 10 days ago
Up for me, in Japan.
noon | 10 days ago
down for me, but i used the "caches" link just below the tags, to find a link to archive.org
ambee | 10 days ago
Is your DNS server filtering the domain? Mine filtered it, since this domain used to be on a blocklist I use. I tested with a public recursive resolver and the site seems to have no issues.
This domain is in my week-old copy of a dns blocklist in rpz/tif.txt (and presumably the other formats, I'm only looking at the one I use). I've no idea what specific metrics they're using to decide which domains are in that list, but it's no longer present in the latest release.