Four stories on the table this week. A researcher walked into FIFA's World Cup backend through a public signup form. A bug in one media library turned out to be sitting inside half the apps on your network. A SaaS vendor got breached and dragged nine of its customers along. And the residential-proxy market kept turning home routers into attack infrastructure. We also sit down with Bishop Fox Security Consultant Marco Sanchez to talk about why hardware hacking keeps pulling people in, how to get started without an expensive lab, and why understanding the physical side of security changes how you look at software. Here's what stood out from the operator chair.
A public signup form shouldn't share an identity tenant with your crown jewels. Researcher BobDaHacker registered through FIFA's public football-agent portal and landed in the same Microsoft Entra tenant as FIFA's internal World Cup systems. The front end showed "access denied," but the back end never re-checked access.—Past the client-side guard, Bobheld RTMP keys and the controls to start and stop broadcasts. For a streaming org, the stream is the crown jewels: grab the key, point VLC at it, re-cast — the piracy playbook. FIFA patched it silently and never replied to the reporter, but the next hacker may not be so generous.
"Not my bug" doesn't unship the RCE in your product. JFrog's "Pixel Smash," a heap-corruption bug in FFmpeg's MagicYUV decoder, was demonstrated as RCE against a Jellyfin server that auto-scans metadata the moment files land. The chain needs conditions, but the story is reach: FFmpeg rides inside Jellyfin, Kodi, OBS, Nextcloud and hundreds more as a transitive dependency nobody consciously chose. RCE is RCE even at one byte per frame, and an unattended server auto-generating thumbnails will sit there and process it. Nextcloud declined to patch because it's "not their bug", but if you monetize open source? You own the duty to fund, review, or firewall it.
Why break into one company when one vendor holds the keys to a hundred? A crew calling itself Icarus breached Klue, a competitive-intelligence platform wired into Salesforce, Gong, and HubSpot, through a legacy credential on an integration prototype nobody decommissioned. They harvested the OAuth tokens Klue used to reach customers, then made ~900 API calls into customer Salesforce instances: valid credential, valid system, business hours, invisible. At least nine orgs got swept up, including HackerOne, Snyk, and Tanium. This is Salesloft and Gainsight again — delegated access is the soft underbelly of the SaaS supply chain, and the answer is behavioral, not another signature.
What makes hardware hacking so addictive? Between the headlines, we sat down with Bishop Fox Security Consultant Marco Sanchez following our Debug to Root workshop. Marco talks about what first drew him into hardware hacking, why it remains one of the best ways to understand how systems really work, and why getting started is easier than most people think. Whether you’ve never opened a device before or you’re looking to branch out from software security, it’s a conversation about curiosity more than soldering irons.
You can't blocklist your way out of traffic that's genuinely residential. The Wall Street Journal reported a surge in residential proxy networks (millions of compromised routers, smart TVs, and IoT relays) with Microsoft tracing Russia's Midnight Blizzard through a Chinese provider, IPIdea. Routing through ordinary home connections collapses what detection is built on: IP reputation, geolocation, "residential ISPs are safe." This is enabled when ISPs ship default-credentialed routers they manage remotely, so attackers manage them the same way. This can then be commoditized into free proxy apps where the user is the product. Stop hunting traffic that looks malicious and start flagging traffic that doesn't tell a complete story.
Subscribe to our PODCAST
Real talk on the threats, trends, and tactics shaping security today
Recommened Resources