The Chonkerton

I Could've Rickrolled the FIFA World Cup. All I Needed Was My ID

tech

A researcher discovered a critical vulnerability in FIFA's World Cup 2026 systems that could have allowed him to hijack live broadcast feeds worldwide. The issue stemmed from a classic security failure: client-side authorization with no server-side enforcement. By registering as a football agent on FIFA's public portal, the researcher obtained an account in the organization's Microsoft Entra tenant, which in turn gave him access to internal platforms. While the Angular frontend showed "access denied," the backend APIs served all data without checking roles, including live streaming controls, RTMP stream keys for all World Cup cameras, and match management tools. The researcher confirmed the vulnerability by opening a live tactical camera feed in VLC, then spent the night attempting to contact FIFA, eventually reaching MediaKind (FIFA's streaming partner) and CISA. The vulnerability was patched within hours, but FIFA never acknowledged the report. This summary is based on the researcher's own account, as posted on Hacker News.

Source: https://bobdahacker.com/blog/fifa-hack
