Researcher found a way to hijack FIFA World Cup streams but didn't touch it


A security researcher stumbled into the digital control room of the FIFA World Cup, revealing just how vulnerable the systems of the world’s biggest football event are.

The world has entered the second week of FIFA’s World Cup tournament. While security experts had warned long before the tournament started that it could attract cyberattacks, one researcher just revealed that the infrastructure itself is vulnerable, allowing anyone to interfere with the matches' streaming.

According to a detailed disclosure published by the researcher going under the name Bobdahacker, FIFA's platform allegedly allowed newly registered users to authenticate to internal systems without assigned permissions.

The researcher says they discovered the issue when they tried to sign up through FIFA's Agent Platform, a public portal used by football agents seeking FIFA accreditation.

During registration, users are added to FIFA's Microsoft Entra identity tenant, which is also used across a range of FIFA's internal platforms.

“When you register on agents.fifa.org, FIFA adds your account to their Microsoft Entra tenant. That's the same tenant that powers all of FIFA's internal platforms. And I mean all of them,” the researcher wrote.

The researcher accessed FIFA’s Streaming Management Panel

After creating an account, the researcher proceeded to FIFA's Football Data Platform (FDP) to check if it was accessible.

At first, the web application displayed an "access denied" message. However, the researcher found out that the restriction existed only in the front-end interface.

“Looks like it works, right? Access denied. Go away. Nothing to see here. Except this was all client-side. The Angular app checked the JWT for a NO_ROLES marker and rendered the access-denied page. The backend APIs? They didn't check anything. They just served whatever you asked for,” the researcher explained.

According to the report, bypassing the client-side restriction exposed a live streaming management panel used for FIFA World Cup 2026 broadcasts.
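The kind of server-side check the report says the backend APIs lacked, as an added example that is not taken from the researcher's disclosure or from FIFA's code. The `roles` claim layout, the route names, the role names and the locally generated key pair are all assumptions made for illustration.

```javascript
// Added example: deny-by-default authorization enforced on the server.
// Assumptions: a "roles" array claim; route and role names are hypothetical;
// the RSA key pair is generated here to stand in for the identity provider.
const nodeCrypto = require("node:crypto");
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const b64u = (v) => Buffer.from(v).toString("base64url");

// Constructed token issuer (demo only).
function issueToken(claims) {
  const signed = `${b64u(JSON.stringify({ alg: "RS256", typ: "JWT" }))}.${b64u(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign("sha256", Buffer.from(signed), privateKey);
  return `${signed}.${sig.toString("base64url")}`;
}

// Hypothetical route -> required role map; routes not listed are denied.
const REQUIRED_ROLE = new Map([
  ["GET /streams", "Streams.Read"],
  ["POST /streams/start", "Streams.Operate"],
]);

// Returns 200, 401 (token not valid) or 403 (valid account, no permission).
function authorize(route, token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token || "").split(".");
  if (parts.length !== 3) return 401;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString());
  } catch {
    return 401;
  }
  if (!header || header.alg !== "RS256" || !claims) return 401; // pin the algorithm
  const valid = nodeCrypto.verify("sha256", Buffer.from(`${parts[0]}.${parts[1]}`),
    publicKey, Buffer.from(parts[2], "base64url"));
  if (!valid || typeof claims.exp !== "number" || claims.exp <= now) return 401;
  // Being a member of the tenant is authentication only. Access requires the
  // specific role for this route; no roles or an unknown marker means 403.
  const needed = REQUIRED_ROLE.get(route);
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  return needed !== undefined && roles.includes(needed) ? 200 : 403;
}
```

A production API would also validate the token's issuer and audience and would fetch the signing key from the identity provider rather than generating it locally.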

Surprisingly, the platform contained streaming configurations for every World Cup match. The configurations include multiple camera angles, streaming manifests, RTMP ingest endpoints, and associated stream keys.

If the information is accurate, access to it could have posed a significant operational risk. RTMP ingest endpoints receive live video feeds from stadium cameras before the footage is distributed to broadcasters and streaming partners.

The researcher alleges the panel also exposed controls that could start, stop, or schedule streams.

"I did not touch any of these controls," the researcher stated.

"But they were there. Functional. Waiting for anyone with a NO_ROLES account to press them."

The intruder could have modified live statistics

Beyond broadcasting systems, the report claims access extended across multiple FIFA platforms, including competition management tools, live match dashboards, analytics systems, commentator support applications, and administrative interfaces.

Among the most concerning allegations are claims that write permissions were available through certain match management functions.

The researcher says a user without assigned roles could allegedly modify live statistics, update commentary information, alter tactical lineups, adjust match event data, and publish information consumed by FIFA's commentator systems.

FIFA's Commentator Information System (CIS), a platform used by broadcasters to obtain live match statistics, editorial notes, tactical data, player information, and prepared talking points, was also accessible.

The researcher also identified what appeared to be an exposed development environment hosted on Microsoft Azure. According to the disclosure, the service returned metadata and download links for internal FIFA documents, including reports related to revenue, transfers, referees, and coaching statistics.

The vulnerability was reportedly disclosed through multiple channels. The researcher claims they attempted to contact FIFA, but received no response.

According to the disclosure, the issue was resolved shortly after the reports were submitted. At the time of writing, FIFA has not publicly commented on the claims.

