A curious researcher stumbled upon a major access control misconfiguration at one of FIFA's public websites, which exposed live broadcast stream keys, camera feed controls and match statistics to anyone able to pass an identity check at an agent registration portal.
The researcher, who uses the moniker BobDaHacker, discovered that completing the registration for prospective football agents added her account to FIFA's Microsoft Entra tenant, the identity and access management (IAM) system for all the global football association's internal platforms.
Access control was enforced only on the client side, by inspecting a JSON Web Token (JWT), with no equivalent check at the backend, the researcher found.
Instead, the backend infrastructure served up data to any authenticated member of the Entra tenant, regardless of assigned roles.
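The flaw described above, a backend that authenticates a tenant token but never checks a role before serving data, can be shown beside the server-side check that was missing. This is an added example, not FIFA's code: it uses a constructed HS256 secret, a placeholder tenant id and an assumed app role name ("Broadcast.Admin"), where a real Entra tenant issues RS256 tokens verified against Microsoft's published signing keys.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example. A real Entra tenant issues RS256 tokens
# signed by Microsoft's keys; the shared secret and tenant id here are placeholders.
SECRET = b"example-shared-secret"
TENANT_ID = "00000000-0000-0000-0000-000000000000"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Issue an HS256-signed JWT, standing in for the tenant's identity provider."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str) -> Optional[dict]:
    """Authentication only: signature, tenant and expiry. Says nothing about roles."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if claims.get("tid") != TENANT_ID or claims.get("exp", 0) < time.time():
        return None
    return claims

def vulnerable_stream_panel(token: str) -> bool:
    """Mirrors the reported flaw: any authenticated tenant member is served the panel."""
    return verify_token(token) is not None

def hardened_stream_panel(token: str, required_role: str = "Broadcast.Admin") -> bool:
    """Backend authorization: the token's app-role claim must carry the required role."""
    claims = verify_token(token)
    return claims is not None and required_role in claims.get("roles", [])
```

The agent account in the story would hold a valid tenant token with an empty `roles` claim, which the first handler accepts and the second rejects.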
BobDaHacker bypassed the client-side access control and reached the streaming management panel, which listed every FIFA World Cup 2026 game alongside Real-Time Messaging Protocol (RTMP) ingest links.
The researcher wrote that she could have stopped the camera feeds using the streaming management panel button.
Each fixture had a single stream key shared across five camera angles, including the PGM or program feed that carries the main broadcast signal to television networks worldwide.
"A single attacker could hijack every camera simultaneously," BobDaHacker wrote.
"An attacker could have rickrolled the entire FIFA World Cup. Or played Subway Surfers gameplay. Live. On every TV network worldwide. During an active match," she added.
Beyond the stream keys, the researcher's account had access to FIFA's Commentator Information System (CIS), which provides editorial notes, squad data, player statistics and prepared talking points for use during live match broadcasts.
BobDaHacker noted that write access was also available through the FIFA platform's management functions.
This gave her the ability to modify live match statistics, adjust official kick-off times, send tactical line-up data and publish editorial notes to broadcast systems.
iTnews asked BobDaHacker what made her try out the agent registration site, and the researcher said she was looking at FIFA's subdomains.
"Whenever I see a company or something in the wild, I think, 'Let me try to find vulnerabilities'; then I report them if I do [find vulnerabilities]," BobDaHacker said.
The researcher said reporting the vulnerability to FIFA was an "absolute nightmare" as the football organisation has no bug bounty program or security contacts listed.
Attempts at contacting FIFA failed, so the researcher instead alerted the United States Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and video technology company MediaKind in Denver, Colorado, and received responses from them.
BobDaHacker told iTnews that although the access issue was fixed quickly, she has not received a response of any kind from FIFA, which is headquartered in Zurich, Switzerland.
She still receives emails with FIFA World Cup 2026 fixture documents such as start lists, tactical line-ups and full-time match reports, via a distribution list on the football organisation's data platform.
It's not clear how long the vulnerability existed on the FIFA platform.