
A security researcher discovered a flaw in FIFA systems that reportedly provided access to internal platforms used to manage live World Cup broadcasts. The vulnerability could have allowed an unauthorized user to view camera feeds, interrupt streams, or replace footage sent to broadcasters.
The researcher, known as BobDaHacker, gained access after registering through FIFA’s public platform for football agents. That registration added her account to the Microsoft Entra environment shared by several internal FIFA applications.
Backend Failed to Verify User Permissions
FIFA’s Football Data Platform initially displayed an access-denied page because the account had no assigned internal role. However, the platform’s backend APIs did not perform the same authorization check and returned data to any authenticated account.
The researcher said this provided access to a streaming management panel containing every 2026 World Cup match. It displayed five camera feeds for each game, including the main program feed, tactical view, two elevated views, and an additional camera angle.
Each feed included an ingest address, preview link, output address, and stream key. In her technical disclosure, BobDaHacker said she opened one preview link and confirmed that it showed a live tactical camera feed from an active match.
The panel also included controls for starting, stopping, and scheduling individual streams. The researcher did not activate those controls, but said the available permissions could have allowed an attacker to interrupt multiple broadcasts or send different footage through the exposed ingest points.
“A single attacker could hijack every camera simultaneously,” she wrote. “An attacker could have rickrolled the entire FIFA World Cup.”
Other Internal FIFA Platforms Were Exposed
The access was not limited to broadcast management. The researcher reported reaching FIFA systems covering competitions, matches, teams, match officials, analysis tools, administrative functions, and the Commentator Information System.
The commentator platform provides information displayed to broadcasters while they narrate matches. Access to both systems meant an attacker could potentially interfere with footage sent to viewers and information shown to commentary teams.
BobDaHacker identified the cause as client-side authorization without matching server-side controls. FIFA’s website checked account roles before displaying pages, but its APIs reportedly treated any authenticated member of the shared system as authorized.
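The failure pattern described here, as an added example that is neither FIFA's code nor the researcher's: a role check made only by the page, shown beside a backend handler that enforces the same check. The tokens, account names, role name and stream record are constructed for the illustration.

```python
# Added illustration of the authorization gap the disclosure describes:
# a hypothetical role check made only by the UI versus one the API enforces.
# Accounts, roles, and the stream record are constructed for this example.

from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    """Authenticated identity as the backend sees it (hypothetical claims)."""
    subject: str
    roles: frozenset

# Constructed directory: an agent-registration account with no internal role,
# and an operations account that legitimately manages streams.
DIRECTORY = {
    "agent-token": Principal("agent@example.invalid", frozenset()),
    "ops-token": Principal("ops@example.invalid", frozenset({"broadcast.admin"})),
}

# Constructed record in the shape the article describes; no real values.
STREAMS = [{"match": "constructed-match-1", "feed": "tactical",
            "ingest": "rtmp://ingest.example.invalid/live", "stream_key": "CONSTRUCTED-KEY"}]

def authenticate(token):
    """Return the principal for a known token, or None."""
    return DIRECTORY.get(token)

def ui_can_see_streams(principal):
    """The check the front end makes before rendering the panel."""
    return "broadcast.admin" in principal.roles

def list_streams_vulnerable(token):
    """API that only checks authentication: any member of the shared tenant gets data."""
    principal = authenticate(token)
    if principal is None:
        return 401, {"error": "unauthenticated"}
    return 200, STREAMS

def list_streams_fixed(token):
    """API that repeats the role check; the server, not the page, is the boundary."""
    principal = authenticate(token)
    if principal is None:
        return 401, {"error": "unauthenticated"}
    if not ui_can_see_streams(principal):
        return 403, {"error": "role broadcast.admin required"}
    return 200, STREAMS
```

The vulnerable handler returns the stream records to the agent account even though the page would have shown it an access-denied screen; the fixed handler rejects it with 403 and still serves the operations account.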
FIFA Patched the Flaw Within Hours
The researcher reported the vulnerability on Tuesday night in Japan. FIFA fixed the issue several hours later, although BobDaHacker said the organization did not acknowledge her report or contact her about the disclosure.
There is no indication that the exposed controls were misused before the fix. FIFA had not published a public statement about the vulnerability at the time of the researcher’s disclosure.
Featured image credits: Wikimedia Commons
