FIFA security vulnerability: registering as an agent was enough to get into the 2026 World Cup broadcast system
Summary
A regular user registered as a football agent on FIFA's official website and was automatically added to the FIFA Unified Identity System. This granted unauthorized access to internal platforms, including the 2026 World Cup broadcast management system. The user could view live streams, streaming URLs, and push keys, and had control over live video, scores, lineups, kick-off time, match statistics, and the commentator system. The vulnerability could allow an attacker to hijack the entire World Cup broadcast.
Key points
A user registering as a football agent on FIFA’s site was automatically enrolled in the FIFA Unified Identity System, granting excessive access.
Access extended to the 2026 World Cup broadcast management system, exposing live streams, streaming keys, and control interfaces.
The attacker could manipulate live broadcast content, scores, lineups, and other match-day operations, potentially hijacking the entire feed.