Researcher found a way to hijack FIFA World Cup streams but didn't touch it
A security researcher stumbled into the digital control room of the FIFA World Cup, revealing just how vulnerable the systems of the world’s biggest football event are.

Image by Cybernews.
A security researcher stumbled into the digital control room of the FIFA World Cup, revealing just how vulnerable the systems of the world’s biggest football event are.
- A security researcher discovered that by creating a legitimate account on FIFA's public agent-registration platform, they could access multiple internal FIFA systems because the backend API failed to properly verify user permissions.
- The exposed systems reportedly included tools used by broadcasters to control on-screen graphics, commentator displays, and live TV feeds.
- According to the researcher, a malicious actor could potentially have altered content seen by millions of viewers.
- The researcher reported the vulnerability, and FIFA reportedly patched it within hour.
The world has entered the second week of FIFA’s World Cup tournament. While security experts had warned long before the tournament started that it could attract cyberattacks, one researcher just revealed that the infrastructure itself is vulnerable, allowing anyone to interfere with the matches' streaming.
According to a detailed disclosure published by the researcher going under the name Bobdahacker, FIFA's platform allegedly allowed newly registered users to authenticate to internal systems without assigned permissions.
The researcher says they discovered the issue once they tried to sign up through FIFA's Agent Platform, a public portal used by football agents seeking FIFA accreditation.
During registration, users are added to FIFA's Microsoft Entra identity tenant, which is also used across a range of FIFA's internal platforms.
“When you register on agents.fifa.org, FIFA adds your account to their Microsoft Entra tenant. That's the same tenant that powers all of FIFA's internal platforms. And I mean all of them,” the researcher wrote.
The researcher accessed FIFA’s Streaming Management Panel
After creating an account, the researcher proceeded to FIFA's Football Data Platform (FDP) to check if it was accessible.
At first, the web application displayed an "access denied" message. However, the researcher found out that the restriction existed only in the front-end interface.
“Looks like it works, right? Access denied. Go away. Nothing to see here. Except this was all client-side. The Angular app checked the JWT for a NO_ROLES marker and rendered the access-denied page. The backend APIs? They didn't check anything. They just served whatever you asked for,” the researcher explained.
According to the report, bypassing the client-side restriction exposed a live streaming management panel used for FIFA World Cup 2026 broadcasts.
Surprisingly, the platform contained streaming configurations for every World Cup match. The configurations include multiple camera angles, streaming manifests, RTMP ingest endpoints, and associated stream keys.
If the information is accurate, access to such information could have posed a significant operational risk. RTMP ingest endpoints receive live video feeds from stadium cameras before the footage is distributed to broadcasters and streaming partners.
The researcher alleges the panel also exposed controls that could start, stop, or schedule streams.
"I did not touch any of these controls," the researcher stated.
"But they were there. Functional. Waiting for anyone with a NO_ROLES account to press them."
The intruder could have modified live statistics
Beyond broadcasting systems, the report claims access extended across multiple FIFA platforms, including competition management tools, live match dashboards, analytics systems, commentator support applications, and administrative interfaces.
Among the most concerning allegations are claims that write permissions were available through certain match management functions.
The researcher says a user without assigned roles could allegedly modify live statistics, update commentary information, alter tactical lineups, adjust match event data, and publish information consumed by FIFA's commentator systems.
FIFA Commentator Information System (CIS), a platform used by broadcasters to obtain live match statistics, editorial notes, tactical data, player information, and prepared talking points, was also accessible.
The researcher also identified what appeared to be an exposed development environment hosted on Microsoft Azure. According to the disclosure, the service returned metadata and download links for internal FIFA documents, including reports related to revenue, transfers, referees, and coaching statistics.
The vulnerability was reportedly disclosed through multiple channels. The researcher claims they attempted to contact FIFA, but received no response.
According to the disclosure, the issue was resolved shortly after the reports were submitted. At the time of writing, FIFA has not publicly commented on the claims.
Unlock more exclusive Cybernews content on YouTube.