A basic security flaw let a security researcher access internal FIFA systems — and the ability to control World Cup TV streams

A man holds the FIFA World Cup in his hands.
(Image credit: Shutterstock)

  • Researcher “BobDaHacker” found FIFA API flaw letting anyone hijack live TV streams and commentator feeds
  • Bug stemmed from lack of authorization checks; FIFA patched quickly but did not credit the finder
  • Experts warn it highlights CWE‑602 and the danger of confusing authentication with authorization

A bug in an internal FIFA system allowed anyone to modify what gets streamed to TV broadcasters, and what goes to TV commentators narrating the FIFA 2026 World Cup matches. Luckily for everyone, the bug was discovered by a white hat hacker and remedied before any malicious actors could leverage it.

A security researcher with the alias BobDaHacker recently reported being able to take full control over the TV stream. They did it by registering as a player agent on FIFA’s official agent registration platform and then abusing a vulnerability in FIFA’s back-end API to access multiple internal platforms.

The vulnerability was that the API did not check whether accounts actually held the authorization required for the operations they requested; as a result, the researcher could control what viewers would see on their TVs during the matches, as well as what the commentators would see on their monitors.


Authentication is not authorization

“A single attacker could hijack every camera simultaneously. An attacker could have rickrolled the entire FIFA World Cup,” BobDaHacker said. We could have witnessed a “Dark Knight Rises” moment, too.

For Brett Winterford, Vice President at Okta Threat Intelligence, FIFA dodged a major bullet today: “The average global live audience of a FIFA World Cup match is 175 million viewers. Imagine a person with the worst motivations discovers a bug that enables them to modify that livestream.”

“That bug happened. Thankfully a security researcher found it first.” Not everyone seems to be that thankful, though. According to TechCrunch, FIFA issued a fix mere hours after BobDaHacker reported it, but did not acknowledge them for their work.

Winterford believes the bug is yet another example of CWE-602: Client-Side Enforcement of Server-Side Security.

“It’s also another good reminder for developers: don’t treat authentication as authorization. Authentication deals with verifying a user is who they say they are, authorization deals with what the user is allowed to access.”
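To make Winterford’s distinction concrete, here is an added illustration (not FIFA’s code, and not taken from the researcher’s report) of the pattern the article describes: one API handler that only verifies the caller is logged in, beside a hardened handler that also checks, on the server, whether that caller is permitted to change a broadcast setting. The session store, roles, the `player_agent`/`broadcast_admin` role names and the `STREAM_CONFIG` record are all constructed for this example.

```python
# Added illustration of "authentication is not authorization".
# Nothing here is FIFA's code; all tokens, roles and records are constructed.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


# Constructed in-memory session store: bearer token -> authenticated user.
SESSIONS = {
    "tok-agent": User("agent-account", {"player_agent"}),
    "tok-broadcast": User("broadcast-ops", {"broadcast_admin"}),
}

# Constructed resource: which camera feeds a hypothetical match stream.
STREAM_CONFIG = {"match-001": {"source": "camera-1"}}


class Unauthorized(Exception):
    """Caller could not be identified (no valid session)."""


class Forbidden(Exception):
    """Caller is identified but not allowed to perform this action."""


def authenticate(token):
    """Authentication: establish WHO the caller is."""
    user = SESSIONS.get(token)
    if user is None:
        raise Unauthorized("invalid or missing token")
    return user


def set_stream_source_vulnerable(token, match_id, source):
    """The flawed pattern: any authenticated account is let through, because
    "has a valid login" is mistaken for "is allowed to do this"."""
    authenticate(token)  # only answers "is this a real account?"
    STREAM_CONFIG[match_id]["source"] = source
    return STREAM_CONFIG[match_id]


def set_stream_source_fixed(token, match_id, source):
    """Hardened form: the server itself decides WHAT this user may do,
    based on its own record of the user's roles, not on anything the
    client claims about itself."""
    user = authenticate(token)
    if "broadcast_admin" not in user.roles:  # server-side authorization check
        raise Forbidden(f"{user.name} may not modify stream {match_id}")
    STREAM_CONFIG[match_id]["source"] = source
    return STREAM_CONFIG[match_id]


def can_modify(token):
    """True if the hardened handler would permit this caller to change a stream."""
    try:
        user = authenticate(token)
    except Unauthorized:
        return False
    return "broadcast_admin" in user.roles


if __name__ == "__main__":
    # A mere registered agent succeeds against the vulnerable handler...
    print(set_stream_source_vulnerable("tok-agent", "match-001", "camera-9"))
    # ...but is refused by the hardened one.
    try:
        set_stream_source_fixed("tok-agent", "match-001", "camera-1")
    except Forbidden as err:
        print("refused:", err)
```

The point to take from the two handlers is where the decision lives: `authenticate` answers only who the caller is, and the fix adds a separate, server-held check of what that identity is allowed to do. Logging the `Forbidden` path is also a cheap detection signal, since a legitimate agent account should never be trying to change broadcast configuration.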


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.