AI-Powered Application Penetration Testing—Scale Security Without Compromise Learn More

Image
Episode 23  •  Jun 26, 2026  •  51 Min

FIFA Takeover, FFMpeg RCE, Klue Breach, Hardware Hacking

Four stories on the table this week. A researcher walked into FIFA's World Cup backend through a public signup form. A bug in one media library turned out to be sitting inside half the apps on your network. A SaaS vendor got breached and dragged nine of its customers along. And the residential-proxy market kept turning home routers into attack infrastructure. We also sit down with Bishop Fox Security Consultant Marco Sanchez to talk about why hardware hacking keeps pulling people in, how to get started without an expensive lab, and why understanding the physical side of security changes how you look at software. Here's what stood out from the operator chair.

A public signup form shouldn't share an identity tenant with your crown jewels. Researcher BobDaHacker registered through FIFA's public football-agent portal and landed in the same Microsoft Entra tenant as FIFA's internal World Cup systems. The front end showed "access denied," but the back end never re-checked access.—Past the client-side guard, Bobheld RTMP keys and the controls to start and stop broadcasts. For a streaming org, the stream is the crown jewels: grab the key, point VLC at it, re-cast — the piracy playbook. FIFA patched it silently and never replied to the reporter, but the next hacker may not be so generous.

"Not my bug" doesn't unship the RCE in your product. JFrog's "Pixel Smash," a heap-corruption bug in FFmpeg's MagicYUV decoder, was demonstrated as RCE against a Jellyfin server that auto-scans metadata the moment files land. The chain needs conditions, but the story is reach: FFmpeg rides inside Jellyfin, Kodi, OBS, Nextcloud and hundreds more as a transitive dependency nobody consciously chose. RCE is RCE even at one byte per frame, and an unattended server auto-generating thumbnails will sit there and process it. Nextcloud declined to patch because it's "not their bug", but if you monetize open source? You own the duty to fund, review, or firewall it.

Why break into one company when one vendor holds the keys to a hundred? A crew calling itself Icarus breached Klue, a competitive-intelligence platform wired into Salesforce, Gong, and HubSpot, through a legacy credential on an integration prototype nobody decommissioned. They harvested the OAuth tokens Klue used to reach customers, then made ~900 API calls into customer Salesforce instances: valid credential, valid system, business hours, invisible. At least nine orgs got swept up, including HackerOne, Snyk, and Tanium. This is Salesloft and Gainsight again — delegated access is the soft underbelly of the SaaS supply chain, and the answer is behavioral, not another signature.

What makes hardware hacking so addictive? Between the headlines, we sat down with Bishop Fox Security Consultant Marco Sanchez following our Debug to Root workshop. Marco talks about what first drew him into hardware hacking, why it remains one of the best ways to understand how systems really work, and why getting started is easier than most people think. Whether you’ve never opened a device before or you’re looking to branch out from software security, it’s a conversation about curiosity more than soldering irons.

You can't blocklist your way out of traffic that's genuinely residential. The Wall Street Journal reported a surge in residential proxy networks (millions of compromised routers, smart TVs, and IoT relays) with Microsoft tracing Russia's Midnight Blizzard through a Chinese provider, IPIdea. Routing through ordinary home connections collapses what detection is built on: IP reputation, geolocation, "residential ISPs are safe." This is enabled when ISPs ship default-credentialed routers they manage remotely, so attackers manage them the same way. This can then be commoditized into free proxy apps where the user is the product. Stop hunting traffic that looks malicious and start flagging traffic that doesn't tell a complete story.

Security Headlines:


Sean McMillan Headshot

Sean McMillan

Community Manager

Sean McMillan is Community Manager at Bishop Fox, focused on making complex security topics easier to understand and more interesting to follow. He holds a bachelor’s degree in Mass Communication and Media Studies from Arizona State University and brings over a decade of experience in podcasting, live hosting, and audience engagement. As host of Initial Access, he works with practitioners to explore how real-world attacks actually happen.


Sergio Villegas BF Headshot

Sergio Villegas

Sr. Managing Analyst II

Sergio Villegas is a Sr. Managing Analyst II in the Attack Surface Intelligence team at Bishop Fox where he is one of the lead researchers. His main areas of focus are emerging threats, attack surface mapping, and tactical lead generation. Sergio has over 11 years of experience in cybersecurity during which he has worked as a researcher and consultant to help companies improve their procedures, technologies, and techniques around threat intelligence and threat hunting.


Shad Malloy Headshot

Shad Malloy

Sr. Managing Consultant II

Shad Malloy is a Sr. Managing Consultant II at Bishop Fox focused on network penetration testing, vulnerability risk management, and application security. He has advised multiple industries including health care, financial services, energy, and technology. In addition to time working and managing security for education, health care, and national government agencies. Shad holds a Bachelor of Science in Computer Information Systems as well as industry certifications like the CISSP.


Ku image

Kendrick Urbaniak

Senior Operator

Kendrick Urbaniak is a Senior Operator at Bishop Fox, serving on the Threat Research Team with a focus on exploit development, vulnerability research, and offensive security innovation. He leverages extensive experience in exploit engineering, adversary tradecraft, and security research to uncover emerging threats and help organizations better understand and reduce real-world risk across modern software and infrastructure ecosystems.


Bfx25 Marco Sanchez Profile Bio Headshot

Marco Sanchez

Security Consultant II

Marco is a Security Consultant at Bishop Fox. He specializes in applicationand external penetration testing. He has experience in conducting application, mobile, external, and cloud penetration testing for both Mexican and multinational companies and institutions. He has presented at cybersecurity conferences such as Ekoparty, HackGDL, BugCON, Bsides CDMX, and DragonJAR on topics related to RFID, Access Control Systems, Lock Picking, and Active Directory. He has a strong interest in hardware hacking, radio frequencies, and HAM radio.


Subscribe to our PODCAST

Real talk on the threats, trends, and tactics shaping security today

Listen Anywhere