A basic security flaw let a security researcher access internal FIFA systems - and the ability to control World Cup TV streams
TechRadar


"An attacker could have rickrolled the entire FIFA World Cup" - but luckily the issue was quickly fixed.

- Researcher "BobDaHacker" found a FIFA API flaw letting anyone hijack live TV streams and commentator feeds
- Bug stemmed from a lack of authorization checks; FIFA patched quickly but did not credit the finder
- Experts warn it highlights CWE-602 and the danger of confusing authentication with authorization

A bug in an internal FIFA system allowed anyone to modify what gets streamed to TV broadcasters, and what goes to the TV commentators narrating FIFA 2026 World Cup matches. Luckily for everyone, the bug was discovered by a white hat hacker and remedied before any malicious actors could leverage it.

A security researcher with the alias BobDaHacker recently reported being able to take full control over the TV stream. They did it by registering as a player agent on FIFA's official agent registration platform and then abusing a vulnerability in FIFA's back-end API to reach multiple internal platforms. The vulnerability was that the API did not check whether the authenticated account was actually authorized to perform the request it was making; as a result, an ordinary agent account could control what people would see on their TVs during the matches, as well as what the commentators would see on their monitors.

Authentication is not authorization

"A single attacker could hijack every camera simultaneously. An attacker could have rickrolled the entire FIFA World Cup," BobDaHacker said. We could have witnessed a "Dark Knight Rises" moment, too.

For Brett Winterford, Vice President at Okta Threat Intelligence, FIFA dodged a major bullet today: "The average global live audience of a FIFA World Cup match is 175 million viewers. Imagine a person with the worst motivations discovers a bug that enables them to modify that livestream."

"That bug happened. Thankfully a security researcher found it first."

Not everyone seems to be that thankful, though. According to TechCrunch, FIFA issued a fix mere hours after BobDaHacker reported it, but did not acknowledge them for their work.

Winterford believes the bug is yet another example of CWE-602: Client-Side Enforcement of Server-Side Security. "It's also another good reminder for developers: don't treat authentication as authorization. Authentication deals with verifying a user is who they say they are, authorization deals with what the user is allowed to access."

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he's written for numerous media outlets, including Al Jazeera Balkans. He's also held several modules on content writing for Represent Communications.
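The distinction Winterford draws is easiest to see in code. Below is an added example, written for this page rather than taken from FIFA's systems or from BobDaHacker's report, that models the pattern the article describes: one endpoint accepts any valid login as permission to repoint a stream (the server-side half of CWE-602, where the only thing stopping a non-operator is a control the web UI hides; a missing server-side check on its own is catalogued as CWE-862, Missing Authorization), and its hardened twin consults a server-side, deny-by-default permission table before acting. The session tokens, role names, stream identifiers, permission table and placeholder URL are all invented sample data, not anything from FIFA's platform.

```python
"""Toy back-end API illustrating 'authentication is not authorization'.

Added example for this article; not FIFA's code or BobDaHacker's writeup.
All tokens, roles, stream ids and permissions below are invented sample data.
"""
from copy import deepcopy


class AuthenticationError(Exception):
    """The caller could not prove who they are (bad or missing token)."""


class AuthorizationError(Exception):
    """The caller is known, but is not allowed to perform this action."""


# Server-side session store: token -> who it belongs to and their roles.
# (Constructed sample data: one registered player agent, one broadcast operator.)
SESSIONS = {
    "tok-agent-1": {"user": "agent_1", "roles": {"player_agent"}},
    "tok-ops-1": {"user": "ops_1", "roles": {"broadcast_ops"}},
}

# Server-side, deny-by-default permission table: (role, resource_type, action).
# Anything not listed here is forbidden. (Constructed sample data.)
PERMISSIONS = {
    ("player_agent", "agent_profile", "write"),
    ("broadcast_ops", "broadcast_stream", "write"),
    ("broadcast_ops", "commentator_feed", "write"),
}


def sample_streams():
    """A fresh copy of the resource table, so every call starts from the same state."""
    return deepcopy({
        "match-1-broadcast": {"type": "broadcast_stream", "source": "stadium-cam-1"},
        "match-1-commentary": {"type": "commentator_feed", "source": "tactical-cam"},
    })


def authenticate(token):
    """Answer 'who is calling?': a valid token yields its session, anything else is rejected."""
    session = SESSIONS.get(token)
    if session is None:
        raise AuthenticationError("invalid or expired token")
    return session


def authorize(session, resource_type, action):
    """Answer 'may this caller do this?' using only server-held facts about the caller."""
    allowed = any((role, resource_type, action) in PERMISSIONS for role in session["roles"])
    if not allowed:
        raise AuthorizationError(f"{session['user']} may not {action} {resource_type}")


def set_stream_source_vulnerable(streams, token, stream_id, new_source):
    """Vulnerable endpoint: a valid login is treated as permission to change any stream.

    The web UI might hide the control from non-operators, but the API itself never
    asks what the caller is allowed to do, so any registered account can call it.
    """
    authenticate(token)  # authentication only; no authorization check follows
    streams[stream_id]["source"] = new_source
    return streams[stream_id]["source"]


def set_stream_source_hardened(streams, token, stream_id, new_source):
    """Hardened endpoint: authenticate, then authorize against the resource's type."""
    session = authenticate(token)
    stream = streams.get(stream_id)
    if stream is None:
        raise KeyError(stream_id)
    authorize(session, stream["type"], "write")  # checked on the server, on every request
    stream["source"] = new_source
    return stream["source"]


def attempt(endpoint, token, stream_id, new_source):
    """Call an endpoint against a fresh stream table and report the outcome as data."""
    try:
        return ("ok", endpoint(sample_streams(), token, stream_id, new_source))
    except (AuthenticationError, AuthorizationError) as exc:
        return ("denied", type(exc).__name__)


def demo():
    """Replay the article's scenario: a player-agent account tries to repoint the broadcast."""
    rick = "https://example.invalid/rickroll.m3u8"  # invented placeholder URL
    return {
        "agent vs vulnerable": attempt(set_stream_source_vulnerable, "tok-agent-1", "match-1-broadcast", rick),
        "agent vs hardened": attempt(set_stream_source_hardened, "tok-agent-1", "match-1-broadcast", rick),
        "ops vs hardened": attempt(set_stream_source_hardened, "tok-ops-1", "match-1-broadcast", rick),
        "no token vs hardened": attempt(set_stream_source_hardened, "", "match-1-broadcast", rick),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running it shows the player-agent token succeeding against the vulnerable endpoint and being refused by the hardened one, while the operator token passes both. The whole difference is the call to authorize(): it is keyed on roles the server stored at login, not on anything the request body claims, and it denies unless a permission is explicitly listed, which is what turns "we know who you are" into "we know what you may do".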
