VYPR
Advisory · Published Jun 16, 2026 · 1 source

Hacker Could Have Hijacked FIFA World Cup 2026 Live Broadcasts via Authorization Bypass

A white-hat hacker discovered an authorization flaw in a FIFA World Cup 2026 platform that could have allowed an attacker to hijack live match broadcasts and replace video feeds with arbitrary content.

A white-hat hacker known as "Bobdahacker" discovered a critical authorization bypass in a FIFA World Cup 2026 platform that could have allowed an attacker to hijack live match broadcasts and replace video feeds with arbitrary content. The vulnerability, which has since been patched after the researcher reported it to FIFA's streaming technology partner MediaKind, as well as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, exposed camera feeds, stream keys, and full control over live broadcast scheduling.

The flaw resided on fdp.fifa.org, FIFA's data platform. The system correctly rejected Bobdahacker's Entra ID as lacking authorization when she accessed the site, but the access control was implemented entirely client-side, so the backend APIs simply served any requested resource without server-side validation. Bobdahacker demonstrated the vulnerability by registering as a licensed FIFA agent, which added her to the organization's Microsoft Entra instance, and then using an intercepting proxy such as Burp Suite to bypass the client-side restrictions.
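The defensive pattern the flaw was missing, as an added illustration that is not FIFA's, MediaKind's or Bobdahacker's code: the API decides authorization on the server for every request, denies by default, treats tenant membership alone as conferring no rights, and logs denials so probing of hidden routes shows up in the audit trail. Group names, routes and the token shape are constructed for this example.

```python
"""Server-side authorization for an internal streaming-management API.

Added illustration; not FIFA's, MediaKind's or Bobdahacker's code. Group
names, paths and the token shape are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed ACL: groups allowed per (method, route). Anything not listed
# is denied, so a route the web front end merely hides is still protected.
ACL = {
    ("GET", "/api/streams"): {"BroadcastOps", "BroadcastViewer"},
    ("GET", "/api/streams/ingest"): {"BroadcastOps"},        # RTMP URLs + keys
    ("POST", "/api/streams/schedule"): {"BroadcastOps"},     # start/stop/schedule
    ("GET", "/api/scores"): {"BroadcastOps", "MatchOfficials"},
    ("POST", "/api/scores"): {"MatchOfficials"},
}

@dataclass(frozen=True)
class Principal:
    """Claims from an identity token whose signature, issuer and audience
    were already verified upstream (e.g. an Entra ID access token).
    Being in the tenant confers no rights; only group claims do."""
    subject: str
    groups: frozenset

AUDIT_LOG: list[str] = []

def authorize(method: str, path: str, who: Principal) -> int:
    """Return an HTTP status, deciding on the server for every request."""
    required = ACL.get((method, path))
    if required is None:
        decision, status = "DENY", 404            # unknown route: deny by default
    elif who.groups.isdisjoint(required):
        decision, status = "DENY", 403            # authenticated but not authorized
    else:
        decision, status = "ALLOW", 200
    AUDIT_LOG.append(f"{decision} sub={who.subject} {method} {path}")
    return status

def probing_subjects(log: list[str], threshold: int = 3) -> set[str]:
    """Detection: subjects with repeated denials are probing routes the UI hid."""
    denied = Counter(line.split()[1][4:] for line in log if line.startswith("DENY"))
    return {sub for sub, n in denied.items() if n >= threshold}

if __name__ == "__main__":
    agent = Principal("agent@example.invalid", frozenset())         # in tenant only
    ops = Principal("ops@example.invalid", frozenset({"BroadcastOps"}))
    for route in ("/api/streams", "/api/streams/ingest", "/api/scores"):
        print(route, authorize("GET", route, agent))                # all 403
    print(authorize("POST", "/api/streams/schedule", ops))          # 200
    print(probing_subjects(AUDIT_LOG))                              # {'agent@example.invalid'}
```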

From there, she gained access to a production streaming management panel that controlled stadium video cameras during live matches. The panel offered full read and write capabilities. "It wasn't just read access. The Streaming Management panel had full controls. Start, stop, schedule. For every match. Every camera angle," Bobdahacker wrote in a detailed account.

Crucially, she also extracted the RTMP (Real-Time Messaging Protocol) ingest URLs and stream keys for each camera. Each of the five video feeds for a match used the same stream key. This meant an attacker could push any video content—such as a Rickroll or unrelated gameplay—to the stream key, overriding the live match broadcast. "Those RTMP ingest URLs are the literal pipe from the stadium cameras to FIFA's broadcast distribution chain. Camera -> RTMP ingest -> MediaKind -> broadcast partners -> your TV," Bobdahacker noted, highlighting the direct path from the stadium to viewers worldwide.

Beyond the broadcast hijacking risk, the researcher also accessed other internal FIFA websites. These included a tracker capturing player performance metrics like ball recovery timing and distance covered, a live scores dashboard, and a match management site where an attacker could have altered match times or scores.

Bobdahacker reported the vulnerability to FIFA but received no response. She then reached out to MediaKind, CISA, and the FBI. The vulnerability was patched overnight, between her reports and the following morning, but the lack of a .well-known/security.txt file on FIFA's domain frustrated the researcher. "Get a security.txt file. Seriously. It's 2026," she wrote, referring to the standardized file that tells researchers how to report security problems without resorting to third-party contacts.

The incident underscores the dangers of relying on client-side authorization for sensitive systems. "Client-side authorization is not authorization. Every intern learns this," Bobdahacker concluded. While no CVE was assigned to this specific flaw, the attack vector—an authorization bypass in a high-profile organization's system handling live global events—serves as a stark reminder that robust server-side access controls are non-negotiable, particularly for systems with the potential to disrupt live broadcasts watched by billions.

This case also highlights the critical role of responsible disclosure processes. FIFA's lack of a security.txt file nearly prevented the report from reaching the right team, echoing similar issues seen in other organizations. The prompt fix by MediaKind and the US authorities' involvement show the importance of having clear reporting channels for security researchers.

Synthesized by Vypr AI