FIFA World Cup API Authorization Bug Let Anyone Hijack the Live TV Stream
- Authorization Flaw: A bug in FIFA's back-end API skipped authorization checks, opening access to internal platforms.
- TV Control: One exposed system let users control what appeared on TVs and commentators' screens during matches.
- Fast Fix: FIFA patched the flaw within hours of it being reported on Tuesday night Japan time.
A security researcher who goes by the handle BobDaHacker discovered a simple flaw in FIFA's internal systems during the FIFA World Cup 2026, one that could have handed an attacker control over the TV stream of every match. The issue stemmed from FIFA's back-end API, which failed to check whether a user actually had the proper authorization.
How the FIFA Flaw Worked
According to BobDaHacker, the path in was surprisingly easy. They first registered as a player agent on FIFA's official agent registration platform. With that account in hand, they then exploited the authorization flaw in FIFA's back-end API to reach several internal FIFA platforms that should have been off-limits.
The accessible systems included one that allows broadcasters to control what is displayed on people's TVs worldwide, as well as what appears on commentators' screens as they narrate each match.
The attack chain:
- Register on agents.fifa.org (public)
- Get added to FIFA's Entra tenant
- Authenticate against any FIFA internal app
- Client says "access denied"
- Server says "here's everything"
In other words, a single vulnerability exposed the live broadcast experience of the entire tournament. BobDaHacker spelled out the stakes plainly: "A single attacker could hijack every camera simultaneously. An attacker could have rickrolled the entire FIFA World Cup."
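The "client says access denied, server says here's everything" step is the whole bug: the front-end hid the page from accounts without the right role, but the API behind it only checked that the caller was signed in to the tenant, not that the caller was authorized. The following Python is an added illustration written for this article, not FIFA's code and not the researcher's; the role name `broadcast_operator`, the feed records and the access-log lines are all constructed, and the handlers are plain functions standing in for HTTP endpoints. It shows the vulnerable handler next to the fixed one, and an audit helper a defender could run over resolved access logs to spot the same gap.

```python
from dataclasses import dataclass
from typing import Optional

REQUIRED_ROLE = "broadcast_operator"   # hypothetical role name (assumption)


@dataclass(frozen=True)
class Principal:
    """Identity established by the tenant sign-in. This proves who the caller
    is (authentication); it says nothing about what they may do."""
    subject: str
    roles: frozenset


# Constructed sample data standing in for what a broadcast-control endpoint serves.
BROADCAST_FEEDS = {
    "match-001": {"overlay": "lineups", "commentary_note": "kick-off 19:00"},
    "match-002": {"overlay": "scoreboard", "commentary_note": "VAR review"},
}


def client_side_gate(principal: Principal) -> bool:
    """What the front-end does: hide the page unless the role is present.
    This is a usability decision, not a security control; a caller who talks
    to the API directly never executes it."""
    return REQUIRED_ROLE in principal.roles


def vulnerable_handler(principal: Optional[Principal]):
    """Back-end endpoint that only checks that the caller is authenticated.
    Any account in the tenant (here, a player agent) receives the full payload."""
    if principal is None:
        return 401, {"error": "unauthenticated"}
    return 200, {"feeds": BROADCAST_FEEDS}


def fixed_handler(principal: Optional[Principal]):
    """Same endpoint with authorization enforced server-side, where it belongs."""
    if principal is None:
        return 401, {"error": "unauthenticated"}
    if REQUIRED_ROLE not in principal.roles:
        return 403, {"error": "forbidden"}
    return 200, {"feeds": BROADCAST_FEEDS}


def probe(handler, principal: Principal):
    """Compare what the UI would show with what the API actually returns.
    A mismatch of (False, 200) is exactly the pattern described in the article."""
    ui_allows = client_side_gate(principal)
    status, _ = handler(principal)
    return ui_allows, status


def find_authz_gaps(records):
    """Audit helper: list callers who got a 200 without holding the required
    role. `records` are constructed access-log dicts whose `roles` were already
    resolved from the caller's token; a real deployment would join API logs
    with the identity provider's group or role assignments."""
    return [r["subject"] for r in records
            if r["status"] == 200 and REQUIRED_ROLE not in r["roles"]]


# Constructed sample access log for the audit helper.
SAMPLE_LOG = [
    {"subject": "operator-1", "roles": ["broadcast_operator"], "status": 200},
    {"subject": "agent-0001", "roles": ["player_agent"], "status": 200},
    {"subject": "agent-0002", "roles": ["player_agent"], "status": 403},
]


if __name__ == "__main__":
    agent = Principal("agent-0001", frozenset({"player_agent"}))
    operator = Principal("operator-1", frozenset({REQUIRED_ROLE}))
    print("vulnerable:", probe(vulnerable_handler, agent))   # (False, 200)
    print("fixed:     ", probe(fixed_handler, agent))        # (False, 403)
    print("operator:  ", probe(fixed_handler, operator))     # (True, 200)
    print("gaps:", find_authz_gaps(SAMPLE_LOG))               # ['agent-0001']
```

The point of `probe` is that being a member of the tenant (the "added to FIFA's Entra tenant" step) must never be treated as authorization: every endpoint has to evaluate the caller's roles or claims itself, and returning 403 from the server is the only check an API client cannot bypass. The `find_authz_gaps` pass is the detection side of the same rule: successful responses to callers who lack the role the UI requires are the signal to look for.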
The researcher also mentioned finding an Azure Function App at xxxxxxxxx-spreadsheets-api.azurewebsites.net that “returned metadata and direct Azure Blob Storage download URLs for 23 internal FIFA files.”
FIFA's Response and Implications
BobDaHacker reported the flaw on Tuesday night Japan time, and FIFA fixed the issue a few hours later. However, the researcher said FIFA never acknowledged their report, and FIFA also did not respond to TechCrunch’s request for comment.
This pattern affected at least:
- fdp.fifa.org (Football Data Platform)
- cis.fifa.org (Commentator Information System)
- xxxxxxxxx-spreadsheets-api.azurewebsites.net (dev environment)
Earlier this month, TechNadu reported that scammers are using AI to target football fans. Also, over 20,000 Instagram accounts were hijacked by exploiting a Meta AI support tool flaw.
Randolph Barr, Chief Information Security Officer at Cequence Security, told TechNadu in a March interview how API attacks exploit authentication, authorization gaps, and trusted application workflows.