(in)sicurezza digitale

2026-06-17 18:49:58

Come un semplice account FIFA avrebbe potuto compromettere i Mondiali 2026

Quando si parla di grandi eventi sportivi globali, l’immaginario collettivo corre subito agli stadi, alle telecamere, alle regie televisive e alle centinaia di milioni di spettatori collegati da ogni parte del mondo. Molto meno visibile è invece l’enorme infrastruttura digitale che permette a tutto questo di funzionare.

Eppure, secondo quanto raccontato dalla ricercatrice nota come BobDaHacker, sarebbe bastata una semplice registrazione come agente FIFA per ottenere accesso a sistemi interni capaci di influenzare direttamente la distribuzione delle immagini dei Mondiali di calcio 2026.

La storia inizia in modo apparentemente banale. La ricercatrice decide di iscriversi alla piattaforma pubblica utilizzata dalla FIFA per la registrazione degli agenti calcistici. Dopo aver completato il processo di verifica dell’identità, il suo account viene automaticamente inserito nel tenant Microsoft Entra utilizzato dall’organizzazione. Nulla di strano, almeno in apparenza.

Il problema emerge quando, esplorando altri portali appartenenti all’ecosistema FIFA, la ricercatrice scopre che l’autenticazione funziona correttamente ma l’autorizzazione no.

Si tratta di una delle vulnerabilità più comuni e allo stesso tempo più pericolose nel mondo delle applicazioni enterprise: il sistema verifica chi sei, ma non controlla adeguatamente cosa sei autorizzato a fare.

Nel caso specifico, alcune verifiche di autorizzazione sembravano essere implementate principalmente lato client. Una volta aggirati questi controlli, l’account appena creato riusciva ad accedere a piattaforme che avrebbero dovuto essere riservate esclusivamente al personale autorizzato.

La scoperta più preoccupante riguarda il pannello di gestione dello streaming dei Mondiali.

Secondo la documentazione pubblicata dalla ricercatrice, il sistema mostrava l’elenco completo delle partite del torneo, gli stream video associati, i relativi endpoint RTMP e diversi controlli operativi utilizzati per la gestione delle trasmissioni. Ancora più grave, sarebbero stati presenti comandi per l’avvio, l’arresto e la pianificazione dei flussi video.

BobDaHacker afferma di non aver mai eseguito operazioni distruttive e di essersi limitata a verificare l’accessibilità delle risorse. Tuttavia il semplice fatto che tali funzioni fossero raggiungibili da un account privo di privilegi rappresenta un classico scenario di “Broken Access Control”, categoria che da anni occupa le prime posizioni della classifica OWASP Top 10.

L’aspetto più interessante, dal punto di vista di chi si occupa di sicurezza applicativa, è che non siamo davanti a un sofisticato attacco zero-day, né a tecniche avanzate di exploitation.

Non ci sono buffer overflow, catene di exploit o vulnerabilità particolarmente esotiche.

L’intera vicenda sembra essere riconducibile a un errore architetturale estremamente semplice: un account legittimo appartenente al tenant aziendale veniva considerato implicitamente attendibile da sistemi che avrebbero invece dovuto effettuare controlli granulari sui ruoli e sulle autorizzazioni.

È un problema che molte organizzazioni incontrano quando adottano ecosistemi cloud complessi basati su Single Sign-On. L’autenticazione centralizzata riduce la complessità operativa, ma può trasformarsi in un rischio significativo quando le applicazioni downstream assumono che chiunque possieda un’identità valida debba poter accedere alle funzionalità disponibili. In altre parole, l’esistenza di un account non dovrebbe mai equivalere automaticamente all’esistenza di privilegi.

Secondo la ricostruzione pubblicata, la FIFA avrebbe corretto rapidamente il problema dopo la segnalazione, anche se senza instaurare un dialogo diretto con la ricercatrice.

Al di là dell’aneddoto del possibile “Rickroll” trasmesso durante una partita dei Mondiali, questa storia rappresenta un promemoria importante per tutte le organizzazioni che gestiscono infrastrutture critiche, piattaforme cloud e sistemi federati di identità.

Molto spesso la sicurezza non viene compromessa da vulnerabilità particolarmente sofisticate. Basta una singola autorizzazione mancante, un controllo implementato nel posto sbagliato o una fiducia eccessiva nell’identità dell’utente.

E quando il sistema in questione controlla la distribuzione televisiva dell’evento sportivo più seguito del pianeta, anche il più banale errore di autorizzazione può trasformarsi in un incidente di portata globale.

I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.

How I found that anyone could register on FIFA's public Agent Platform, gain access to the Football Data Platform's Streaming Management panel, and get RTMP ingest URLs and stream keys for every live FIFA World Cup 2026 camera feed.

^{bobdahacker.com}

Kevin Beaumont

2026-06-16 12:50:03

The US government has intervened in a lawsuit on the side of X, saying Grok is "critical for national security" wired.com/story/doj-lawyers-ar…

DOJ Lawyers Argue xAI Is ‘Vital’ for National Security in NAACP Lawsuit

In a bid to dismiss a lawsuit over xAI's polluting gas turbines, the Justice Department claimed the company is integral to military operations—including the Iran War.

^{Molly Taft (WIRED)}

Catalin Cimpanu

2026-06-15 23:33:41

SBOM getting no love from companies

Adoption still very low

enisa.europa.eu/publications/s…

SBOM Adoption State of Play - 2026 | ENISA

ENISA is the EU agency dedicated to enhancing cybersecurity in Europe. They offer guidance, tools, and resources to safeguard citizens and businesses from cyber threats.

^{www.enisa.europa.eu}

Elena Rossini

2026-06-17 05:34:00

W Social, Public Institutions and the Theater of European Digital Sovereignty

In the past few months I have unwittingly become an expert on all things W Social: the microblogging platform that is a fork of Bluesky and bills itself as Europe’s alternative to X, with identity verification “to fight bots and misinformation” and data hosted in Europe “to promote European digital sovereignty”. Why am I fascinated by this topic? I find the discrepancies between their public image and the reality behind the scenes truly striking.

Over the course of the past few days I have received sensational information that no media organization has so far reported. So here we go, with another article about W Social on their big week, as they are set to open their public beta to their waiting list later today.

But first: if you missed my previous articles on the topic, you can find them here:

W Social - Elena Rossini
A series of articles about the controversial social network W Social, a for profit company set up by Swedish entrepreneurs, who openly admitted they want to help train European AI models with their users’ data (amongst other things).
Elena RossiniElena Rossini

⚠️
Disclaimer:

This article represents my personal opinions, commentary, and conclusions formed through independent research using publicly available sources. Any characterizations, interpretations, or inferences are presented as opinion, not as statements of objective fact. Readers are encouraged to review the referenced materials and draw their own conclusions.

Prominent Institutions and Government Officials Move their Accounts to W Social

On Friday June 12th I received a tip: that the ATproto accounts of the European Commission, its president Ursula von der Leyen, the European Central Bank and its president Christine Lagarde had been migrated from Bluesky PBC to W Social’s servers.

I immediately double-checked the information on the website clearsky.app (which indexes information about ATproto) and saw this for myself:

screenshots from the website clearsky.app which show how the Bluesky accounts of the European Commission, Ursula von der Leyen and Christine Lagarde were very recently moved to W Social's servers

I was incredibly surprised by this move: W Social is a private, for-profit enterprise controlled by Swedish entrepreneurs which had a really spotty launch and isn’t forthcoming with communications about their tech stack.

Europe already has an ATproto social network - Eurosky - run by a non-profit foundation - Modal - that is building everything in the open, with full transparency, sharing all the steps in their development roadmap:

Development Roadmap - Eurosky
Eurosky is a European initiative to build and operate sovereign social web infrastructure
Eurosky

Last week Eurosky shared news about their strides in attaining greater independence from Bluesky PBC’s infrastructure: they are now mirroring the did:plc directory and set up their own firehose running on European infrastructure; they even launched a new platform/webapp - mu.social - that is a full replacement of the Bluesky app.

If these concepts sound foreign to you, let me attempt to explain things in plain terms. Social networks powered by ATproto are built on composable, modular services that can be independently hosted. To be fully sovereign you need:

• your own Personal Data Server (PDS), which stores user accounts, posts, likes, follows, profile data and also handles identity and signing keys;
• a relay, which aggregates messages from PDS instances and makes them available to AppViews as a data stream;
• an AppView, which indexes data from relays and provides a search engine;
• a moderation service, which manages labels, blocks and mutes;
• a PLC (Public Key Infrastructure), which maps usernames to public identities.

While self-hosting an ATproto Personal Data Server is now relatively easy and affordable, running the other components requires great resources and technical expertise.

W Social has made promises of hosting their users’ data in Europe but they haven’t been forthcoming about their roadmap and whether or not they are relying on Bluesky PBC’s infrastructure for the other services.

Thus my surprise when I heard about the migration of such prominent institutional accounts. Had they done due diligence, I wondered?

Exclusive: W Social may have quietly become closed-source

Then on Saturday I received another tip. Someone wrote to me:

W Social have taken down the public repo of their app: github.com/w-social-eu. You can still look at the last state from early March in the archive, but right now it's no longer public. That means that the European Commission has factually migrated their data from an open source platform (Bluesky) into a closed source platform (W Social).

I immediately checked GitHub as well as Codeberg and other Git platforms and could not find any traces of W Social (even after trying alternate spellings).

a screenshot showing the missing W Social repo from GitHub (left) and how it used to look when it was online (right) last captured on March 9th

This was another surprising piece of news in the context of the recent unveiling of the Tech Sovereignty Package by the European Commission.

In their announcement on June 3 (only a week before the account move to W Social), the European Commission had expressed the desire to “[strengthen] Europe’s tech sovereignty” via a European technological sovereignty package that focused on four core areas. The third area is:

Strengthening digital autonomy through open source – the open source strategy will scale up open source alternatives in priority areas, invest in skills, start-ups and digital infrastructure, and support greater use of open source in public administrations.

Strengthening Europe’s tech sovereignty
Learn about Commission’s plans to make Europe an AI leader and more digitally self-reliant, by strengthening its capacity for semiconductors, AI, cloud and open source
Directorate-General for CommunicationDirectorate-General for Communication

I wonder if the person in charge of the European Commission’s ATproto account migrations knew that W Social has quietly gone closed-source?

European Big Tech?

I contacted Aral Balkan, the co-founder of the Small Technology Foundation, asking him to help me unpack this news.

According to Balkan, the move by the W Social developers - deleting their code from GitHub - is highly unusual:

The standard practice is to deprecate the old repo and put up a message telling people where the new one is. Not delete it.

Balkan continued:

It’s very concerning if the removal of their public repository signals that W Social is taking their implementation closed source. Furthermore, I couldn’t find the source of their web client and mobile apps on their GitHub either. There have been so many red flags with W Social since its hastily cobbled-together announcement at Davos that they might as well make a red flag their logo.

For context, the repositories of Bluesky and its forks Eurosky and Blacksky are all publicly available on GitHub... and W Social's repository was as well, until some time in March.

GitHub - w-social-eu/w-social-atproto: Social networking technology created by Bluesky
Social networking technology created by Bluesky. Contribute to w-social-eu/w-social-atproto development by creating an account on GitHub.
GitHubw-social-eu

It was simply removed without any notice.

Balkan then addressed the issue of identity verification - which is required by W Social:

It’s very concerning – but again, not surprising – to see folks from the European Commission jumping on this particular bandwagon. Especially given the commission’s push for identity verification (under the guise of age verification – as lobbied for by Meta) and W Social’s plans to make identity verification a core part of their system. My fear is that W Social is just another for-profit Big Tech startup that happens to be based in the EU. We don’t need that. We don’t need more European surveillance capitalists and people farmers. We need ethical alternatives working for the common good.

Indeed, there is plenty of evidence showing how leaders from the world of Big Tech are connected to W Social.

In my previous article about the company I had only mentioned one person who is on their Board of Advisors: Yariv Adan, a former AI lead at Alphabet (Google). But the full picture of their advisory board is very telling, as it comprises prominent people from the world of European politics as well as Big Tech executives.
a screenshot of a conference slide showing W Social's advisory board
Marc Placzek in particular is an interesting choice: he was a Chief Privacy Officer at Paypal (a company co-founded by tech oligarch Peter Thiel), and he currently serves this role at Tools for Humanity (a company co-founded by another tech oligarch: OpenAI CEO Sam Altman). What is Tools for Humanity's mission? To “create a global ID, a global currency, and an app enabling payment with World's own digital token” with irises scanned to verify one’s identity.

Tools for Humanity
Tools for Humanity is a technology company building for humans in the age of AI.
Tools for HumanityTools for Humanity

For more information on Tools for Humanity and World(coin):
youtube.com/embed/9vcpuBoiyAQ?…

Questions for European public institutions on W Social

I have so many questions that I wish I could address to people working at European public institutions who now have ATproto accounts on W Social.

Here are my top 3:

1. Are you aware that the W Social network may have become closed-source?
2. Do you know if all the components in W Social’s ATproto stack are self-hosted in Europe (not just their PDS, but also their relay, AppView and moderation)?
3. Why didn’t you move to Eurosky instead?

I am curious to see how the beta launch of W Social will go today. And which other prominent accounts will join them.

Elena

---

💓 Did you enjoy this post? Share it with a friend!
👫 Follow me on Mastodon. All my other links are available here: elena.social
💌 If you'd like to say hi, my contact information is here
✏️ If this post resonated with you, leave a comment!

Elena Rossini | Contact Form

Contact Elena Rossini: use the contact form on this page to get in touch with Elena – interview requests, speaking gigs, freelance assignments...

^{Elena Rossini}