I Could've Rickrolled the FIFA World Cup. All I Needed Was My ID

TL;DR

A security researcher gained unauthorized access to FIFA’s live streaming management panel for the 2026 World Cup after registering as an agent. The breach exposed live camera feeds and control functions, posing a risk to broadcast integrity.

A security researcher uncovered a significant security flaw in FIFA’s digital infrastructure that allowed access to the live streaming management panel for the 2026 World Cup, including live camera feeds and control functions, through a registration process that bypassed internal access controls.

The researcher registered on FIFA’s public agent platform, which required submitting an ID and verifying an email address, and was subsequently added to FIFA’s internal Microsoft Entra tenant, granting access to multiple FIFA internal systems.

Despite initial failures due to ID photo quality, the researcher successfully registered and received a confirmation email. Using this account, they accessed FIFA’s Football Data Platform (FDP) and discovered they could view and control live match streams, including multiple camera angles, RTMP ingest URLs, and broadcast controls, with no role-based restrictions.

Crucially, the researcher found that the backend APIs did not enforce role checks, allowing full control over live feeds—potentially enabling malicious actors to hijack or disrupt broadcasts during live matches. The platform also provided access to extensive match data, analytics, and administrative functions, all accessible with the same account.

Potential Broadcast Disruption Risks During World Cup

This vulnerability poses a serious threat to the integrity of live FIFA broadcasts. An attacker with access could hijack camera feeds, inject malicious streams, or cause widespread disruption during the tournament, which is watched globally by millions.

While the researcher did not perform any malicious actions, the existence of such broad access highlights critical security flaws in FIFA’s infrastructure that could be exploited in real-world scenarios, including broadcast sabotage or misinformation during high-profile matches.

FIFA’s Digital Infrastructure and Prior Security Challenges

FIFA’s digital platforms, including the Agent Platform and Football Data Platform, are integrated with Microsoft Entra (formerly Azure AD) for authentication. The FIFA Agent Platform is a public portal for registering as a licensed football agent, but this process also grants internal system access due to how accounts are managed within FIFA’s tenant.

Previous reports have highlighted various security concerns within FIFA’s digital systems, but this incident reveals an especially critical oversight: the backend APIs did not verify user roles, allowing full control over live broadcast streams with minimal authentication.

“The infrastructure was wide open, and I could have hijacked every camera feed during the World Cup.”

— Researcher

Extent of FIFA’s Response and Ongoing Security Measures

FIFA has not publicly acknowledged or responded to the security breach. It remains unclear whether the flaw has been fully remediated or if any malicious actors exploited it before discovery.

Details about the number of affected accounts or whether any live streams were compromised are also not yet available.

FIFA’s Security Review and Preventative Measures

FIFA is expected to conduct a comprehensive security review of its platforms and implement stricter role verification processes. The organization may also update its authentication protocols and tighten access controls to prevent similar vulnerabilities in future tournaments.

Further disclosures about the incident, including any corrective actions taken, are anticipated in the coming weeks.

Key Questions

Could this vulnerability have been exploited during the World Cup?

It is not yet confirmed whether malicious actors exploited the vulnerability during the event. The researcher’s findings indicate the potential risk was present, but no evidence of abuse has been publicly reported.

What specific controls could an attacker have accessed or manipulated?

An attacker could have accessed live camera feeds, injected malicious streams, or disrupted broadcasts by controlling RTMP ingest URLs and camera angles, potentially causing widespread broadcast interference.

Has FIFA responded or taken steps to fix the issue?

FIFA has not publicly commented on the incident. It is unclear if immediate remediations or security patches have been implemented following the discovery.

Does this vulnerability affect all FIFA digital platforms?

The researcher’s findings specifically relate to the FIFA Football Data Platform and streaming management system accessed via the FIFA Agent Platform registration. The scope of the vulnerability across all FIFA systems remains uncertain.

What should FIFA do to prevent future security breaches?

Implementing role-based access controls, verifying user permissions on the backend, and conducting regular security audits are essential steps to prevent similar vulnerabilities in the future.
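
The backend check described above, as an added example (not FIFA's code or the researcher's): a deny-by-default authorization step that treats a valid tenant sign-in as insufficient and requires an app role for each route. Microsoft Entra ID places assigned app roles in the token's `roles` claim; the routes, role names and audience value below are hypothetical, and token signature, issuer and expiry validation is assumed to happen before this function is called.

```python
# Added example: deny-by-default role checks enforced on the server.
# Routes, role names and the audience value are hypothetical placeholders.
from dataclasses import dataclass

EXPECTED_AUDIENCE = "api://streaming-panel.example"  # placeholder app ID URI

# (method, path) -> app roles allowed to call the route.
POLICY = {
    ("GET", "/matches"): {"Stream.Viewer", "Stream.Operator"},
    ("GET", "/streams/ingest-url"): {"Stream.Operator"},
    ("POST", "/streams/switch-camera"): {"Stream.Operator"},
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int
    reason: str

def authorize(claims: dict, method: str, path: str) -> Decision:
    """Authorize one request from token claims whose signature, issuer and
    expiry were already verified by the caller (not shown here)."""
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return Decision(False, 401, "token not issued for this API")
    required = POLICY.get((method, path))
    if required is None:
        # A route nobody wrote a policy for is closed, not open.
        return Decision(False, 403, "no policy for route")
    roles = claims.get("roles")
    held = set(roles) if isinstance(roles, list) else set()
    if not held & required:
        return Decision(False, 403, "missing required app role")
    return Decision(True, 200, "ok")

# Constructed claims: a self-registered account that is a valid tenant member
# but holds no app role, and a staff operator account.
AGENT = {"aud": EXPECTED_AUDIENCE, "sub": "agent-1"}
OPERATOR = {"aud": EXPECTED_AUDIENCE, "sub": "op-1", "roles": ["Stream.Operator"]}

def demo() -> list:
    return [
        authorize(AGENT, "GET", "/streams/ingest-url").status,
        authorize(AGENT, "POST", "/streams/switch-camera").status,
        authorize(OPERATOR, "POST", "/streams/switch-camera").status,
        authorize(OPERATOR, "DELETE", "/streams/1").status,
    ]

if __name__ == "__main__":
    print(demo())
```

Logging every 403 from this step with the token's `sub` gives operations a direct signal when an account with no role starts probing broadcast-control routes.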

Source: Hacker News

