- Researcher “BobDaHacker” Found FIFA API Flaw That Lets Anyone Hijack Live TV Streams and Commentator Feeds
- Bug stemmed from missing authentication checks; FIFA quickly patched but did not credit the finder
- Experts warn it highlights CWE-602 and the danger of confusing approval with authorization
A flaw in an internal FIFA system allowed anyone to change what is streamed to broadcasters and what goes to TV commentators covering FIFA 2026 World Cup matches. Fortunately for everyone, the flaw was discovered by a white hat hacker and fixed before any malicious actors could exploit it.
A security researcher using the alias BobDaHacker recently reported being able to take full control of the TV stream. They did so by registering as a player agent on FIFA’s official agent registration platform and then exploiting a vulnerability in FIFA’s back-end API to gain access to multiple internal platforms.
The vulnerability was that the API did not check whether an account was actually authorized to use those platforms – any authenticated account would do. As a result, the researcher could control what viewers would see on their TVs during matches, as well as what the commentators would see on their screens.
Approval is not authorization
“A single attacker could hijack every camera simultaneously. An attacker could have played the entire FIFA World Cup,” said BobDaHacker. We could also have witnessed a “Dark Knight Rises” moment.
For Brett Winterford, vice president at Okta Threat Intelligence, FIFA dodged a big bullet today: “The average global live audience of a FIFA World Cup match is 175 million viewers. Imagine someone with the worst motivations discovering a bug that enables them to alter this live stream.”
“That bug happened. Fortunately, a security researcher found it first.” However, not everyone seems to be so grateful. According to TechCrunch, FIFA issued a fix hours after BobDaHacker reported it, but did not credit them for their work.
Winterford believes the bug is another example of CWE-602: Client-Side Enforcement of Server-Side Security.
“It’s also another good reminder for developers: don’t treat authentication as authorization. Authentication is about verifying that a user is who they say they are; authorization is about what the user is allowed to access.”
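As an added illustration of that distinction (example code written for this article, not FIFA’s system; the endpoints, roles and session tokens are constructed), here is a handler that only checks that the caller is logged in, beside one that also checks what the caller is allowed to do:

```python
from dataclasses import dataclass, field

# Constructed sample accounts: one registered through a public sign-up
# flow (an "agent") and one internal broadcast operator. Assumed roles.
@dataclass(frozen=True)
class Account:
    username: str
    roles: frozenset = field(default_factory=frozenset)

# Constructed session store: bearer token -> authenticated account.
SESSIONS = {
    "tok-agent": Account("agent_42", frozenset({"agent"})),
    "tok-ops": Account("broadcast_ops", frozenset({"broadcast_admin"})),
}

# Server-side policy: which roles may call which internal endpoint.
# This must live on the server; a client that merely hides a menu entry
# enforces nothing (the CWE-602 pattern).
ENDPOINT_POLICY = {
    "/api/broadcast/stream": {"broadcast_admin"},
    "/api/commentary/feed": {"broadcast_admin"},
    "/api/agent/profile": {"agent", "broadcast_admin"},
}

def authenticate(token):
    """Authentication only: who is this caller? Account or None."""
    return SESSIONS.get(token)

def handle_vulnerable(token, endpoint):
    """Before: being logged in is treated as permission to call anything.
    A self-registered agent reaches the broadcast endpoints."""
    if authenticate(token) is None:
        return 401
    return 200

def handle_fixed(token, endpoint):
    """After: identity is established, then the caller's roles are checked
    against the policy for the specific endpoint before anything happens."""
    account = authenticate(token)
    if account is None:
        return 401  # not authenticated
    allowed = ENDPOINT_POLICY.get(endpoint)
    if allowed is None or not (account.roles & allowed):
        return 403  # authenticated, but not authorized for this resource
    return 200
```

Unknown endpoints fall through to 403 rather than 200, so a route that was forgotten in the policy table fails closed.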
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.