World Cup 2026: FIFA Flaw Could Have Hijacked Global TV Feeds
To become a football agent registered with FIFA, all it takes is an ID document and an email address. The problem is that this simple account opened far more than the agents platform: it gave access to the 2026 World Cup production systems, all the way to the live video feeds broadcast on televisions around the world.
One agent account, and all the doors open!
It all starts on agents.fifa.org, the public portal that lets anyone register as a football agent. You upload your ID, confirm your email address, and the account is created. That is the first door.
But the researcher who goes by BobDaHacker managed to do far more with that access than he should have been able to. The key point is that the new agent account is created in FIFA's Microsoft Entra tenant, the same tenant that fronts all of FIFA's internal platforms.
As part of his research, he tried accessing other services, including fdp.fifa.org, the Football Data Platform. The service's response: access denied, no role assigned to this account. Fair enough, you might say?
The problem is that this denial only existed on the browser side. The server never actually denied BobDaHacker's request: the Angular front end made that decision itself by reading the role claims in the JWT it held. The backend APIs checked nothing beyond authentication and served data to any user with a valid token from the tenant.
This type of flaw is common enough to have a name: broken access control, which tops the OWASP Top 10. It brings to mind other cases where simple read-only access leads to remote code execution, as with this Kubernetes vulnerability.
Stopping a match or changing scores live
Those client-side protections were bypassed, which gave the researcher access to the Streaming Management panel. Hold on tight, because this is the live production dashboard for the 2026 World Cup: every match, every camera angle, every feed. According to his report, each match exposed five cameras (PGM, Tactical, Camera1 and two high-angle cameras), each with:
- an RTMP ingestion URL, to which the camera pushes its video,
- a preview manifest, to watch the live feed,
- an output URL (HLS) intended for partner broadcasters.
The broadcast infrastructure relies on MediaKind, FIFA's technology partner, and the stream key, identical for all five cameras of a given match, appeared directly in the URL. An RTMP stream key is a bearer credential: whoever holds it can publish to that ingest point. Anyone with the same access as BobDaHacker could therefore have replaced the main feed sent to every channel receiving FIFA's signal. Imagine the potential impact: broadcasting propaganda images, or simply causing a blackout; it really could have been the...!
"A hacker could have ‘rickrolled’ the entire FIFA World Cup. Or streamed a game of Subway Surfers. Live. On every TV channel in the world. In the middle of a match.", the researcher quips.
Access to the match broadcast is one thing, but it did not stop there. With the same account, which in theory had no privileges at all, he had write access to match management and to the Commentator Information System (cis.fifa.org). Enough to do real damage, since it was possible to:
- modify scores and statistics in real time,
- adjust the kick-off time of a match,
- change the notes read by commentators on air.
Despite all these permissions, Italy still would not have qualified for this World Cup (that one was easy).
"What sets FIFA apart is the severity of what was exposed, not the vulnerability itself," the researcher explains. Weaknesses on the identity side are not unique to FIFA, as the password-spraying attacks against tens of thousands of Entra ID accounts have shown.

No way to report the flaw
Let us finish with how the issue was reported to FIFA. It was chaotic.
According to the researcher, FIFA had no vulnerability disclosure policy (VDP) and no bug bounty program. The result was a whole night spent trying to reach someone: unanswered emails, calls to Zurich, to MediaKind, to HBS, and finally to CISA and the FBI.
That is how the researcher learned that CISA, the US cybersecurity agency, is in fact the federal cybersecurity lead for the 2026 World Cup. "I had to call CISA and the FBI because FIFA made direct reporting impossible," he explains in his report. Once the alarm reached the right people, the flaw was fixed the very next day: an account with no role now receives a 403 response from the server itself, instead of a denial rendered only by the browser.
The takeaway: if role checks live only in your frontend, your application has no role checks. Every API must decide authorisation from the claims in the token it validates, independently of what the UI chooses to display.