HackerTrans
TopNewTrendsCommentsPastAskShowJobs

BobDaHacker

no profile record

Submissions

[untitled]

1 points·by BobDaHacker·hace 25 días·0 comments

I Could've Rickrolled the FIFA World Cup. All I Needed Was My ID

bobdahacker.com
315 points·by BobDaHacker·hace 25 días·99 comments

We hacked Burger King: How auth bypass led to drive-thru audio surveillance

bobdahacker.com
427 points·by BobDaHacker·hace 10 meses·218 comments

comments

BobDaHacker
·hace 25 días·discuss
[dead]
BobDaHacker
·hace 25 días·discuss
That's a different thing. RTMP ingest endpoints aren't behind the same API layer, they're just open media endpoints that accept a connection if you have the stream key. The stream key was right there in the URL. There's no JWT involved in pushing video to an RTMP ingest, it's just connect and publish.
BobDaHacker
·hace 25 días·discuss
I am not much of a football gal myself, so I didn't know they were a shitty org.
BobDaHacker
·hace 25 días·discuss
Also, I am not much of a football gal myself, so I didn't know they were a shitty org.
BobDaHacker
·hace 25 días·discuss
As much as I like being butt fucked, I dont wanna go to prison :3
BobDaHacker
·hace 25 días·discuss
Yeah I used Claude as a writing assistant for the initial draft. I'm autistic and long-form writing isn't my strong suit, getting a 4000 word blog post to flow well is genuinely hard for me. But I do edit it pretty heavily after, the voice and the jokes and the structure are mine, the AI just helps me get a baseline down so I'm not staring at a blank page. The research, the screenshots, the disclosure, that's all me. I've been doing this stuff for years.
BobDaHacker
·hace 25 días·discuss
Good question! So RTMP doesn't really have a clean way to handle two publishers on the same stream key. What would actually happen is the two streams fighting for the ingest endpoint, so the output would glitch between the two sources. Like if I pushed Subway Surfers gameplay it'd be flickering between the actual match and Subway Surfers with the audio cutting back and forth. You're right that a live director would catch it pretty fast but even a few seconds of that on air during a World Cup match is not great.
BobDaHacker
·hace 25 días·discuss
Yeah I see this type of crap often honestly, especially at big companies.
BobDaHacker
·hace 25 días·discuss
I blocked my network traffic before clicking it cuz I've seen a lot of things without confirmation pop-ups. At least there was a confirmation pop-up.
BobDaHacker
·hace 25 días·discuss
Registered on FIFA's public Agent Platform with my ID, got added to their Microsoft Entra tenant, and found the Angular app only checked roles client-side. The backend APIs served everything: RTMP ingest URLs and stream keys for every live World Cup 2026 camera feed across all five angles. Confirmed live in VLC. An attacker could have pushed arbitrary video to the ingest endpoints and replaced broadcast feeds on TV worldwide. Write access to match stats, commentator notes, and the live score system was also exposed.
BobDaHacker
·hace 10 meses·discuss
Burger King