A cybersecurity researcher has discovered a critical vulnerability in FIFA’s internal IT system that gave outsiders the ability to completely control the telecasts of the 2026 FIFA World Cup matches. A simple error in security settings allowed them to intercept camera signals, view closed streams, and even stop the broadcast of games on global TV channels.
A cybersecurity researcher has discovered a critical vulnerability in FIFA’s internal IT system that gave outsiders the ability to completely control the telecasts of the 2026 FIFA World Cup matches. A simple error in security settings allowed them to intercept camera signals, view closed streams, and even stop the broadcast of games on global TV channels.
This was reported by the specialized publication TechCrunch, citing a detailed technical report by a researcher under the nickname BobDaHacker, which she published on her blog.
To gain access, the researcher only needed to register an account as a football agent on the official FIFA Agent Platform. When trying to switch to the closed football data platform fdp.fifa.org, the client part of the site, built on Angular, detected a lack of rights and displayed a standard access denial message. However, as it turned out, the server part of the platform (API) did not check the user’s credentials at all and automatically provided all the requested data.
This error gave the researcher access to the 2026 World Cup broadcast control panel. She had access to live broadcast links from all match tactical cameras, authorization keys, and RTMP addresses used to transmit the signal to FIFA partners. BobDaHacker successfully tested the system by running one of the streams in a regular VLC player on her computer in Tokyo.
In addition to viewing, the interface provided full access to broadcast control. Any authorized user without rights could stop the broadcast of the match, change the schedule, or replace the video stream with a single click.
According to the researcher, attackers could easily use the found broadcast keys to replace the picture on the main television output signal (PGM). She noted that if desired, one could organize a «rickroll» (an Internet raffle with a sudden playback of Rick Astley’s music video Never Gonna Give You Up) for the entire World Cup or launch gameplay of the popular game Subway Surfers live on all TV channels around the world during the game.
In addition, an account without any roles gained access to internal analytics systems, referee data, commentator information system, admin panel, and FIFA AI Pro service.
BobDaHacker reported the issue to FIFA, and within hours the vulnerability was closed, with the server now correctly returning a 403 error. Despite the quick fix, the sports organization has not officially responded to the researcher, expressed gratitude, or paid the reward. Moreover, the developers forgot to remove her address from the data platform’s mailing list, so the researcher is still receiving official tactical schemes, reports, and starting lineups for the 2026 World Cup in four languages.
