Technology · Jun 17, 2026 · 3 min read

FIFA Bug in the 2026 World Cup: Anyone Could Have Replaced the TV Signal of Any Match

Registering as a football agent on agents.fifa.org was all it took to gain full access to FIFA's internal systems during the 2026 World Cup, including real-time controls for every match and every camera angle. The vulnerability was discovered by security researcher BobDaHacker and detailed on her blog; FIFA patched the flaw just hours after it was reported, without ever responding.

⚽ I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.

Registered on FIFA's public Agent Platform, accessed RTMP stream keys for every live World Cup 2026 camera feed. An attacker could've replaced live TV worldwide.

#InfoSec #FIFA #WorldCup

— BobDaHacker 🏳️‍⚧️ (she/her) (@bobdahacker.com)
June 16, 2026, 01:25

An Entra Tenant, No Server-side Checks

Registration on agents.fifa.org automatically added the account to FIFA's Microsoft Entra tenant, the same one on which all internal platforms of the organization rely. The flaw was found in the backend API: the Angular, React, or Vue frontends checked JWT tokens for user roles and displayed access denied pages to unauthorized users, but the backend served data to anyone authenticated in the tenant, regardless of actual permissions. Authorization remained entirely delegated to the client, with no server-side verification.
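The difference between "authenticated in the tenant" and "authorized for this route" can be shown as an added example; it is not code from FIFA or from the researcher. The tenant id, route names and role names are constructed, and the code assumes the token's signature, issuer, audience and expiry were already validated so that `claims` is the decoded payload (`tid` and `roles` are standard Entra token claims).

```javascript
// Added example: tenant id, routes and role names below are constructed.
// Assumes `claims` is the payload of an already signature-validated token.
const TENANT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder

// Server-side policy: each route lists the app roles allowed to call it.
// A Map avoids prototype keys such as "constructor" matching by accident.
const POLICY = new Map([
  ["GET /api/streams", ["Streaming.Read", "Streaming.Admin"]],
  ["POST /api/streams/start", ["Streaming.Admin"]],
  ["PUT /api/matches/score", ["Match.Editor"]],
]);

// The pattern described above: any account in the tenant is served,
// because role checks exist only in the frontend.
function vulnerableAuthorize(claims, route) {
  return claims?.tid === TENANT_ID ? 200 : 401;
}

// Hardened: tenant membership (authentication) and role membership
// (authorization) are separate checks, both made on the server per request.
function hardenedAuthorize(claims, route) {
  if (claims?.tid !== TENANT_ID) return 401;
  const allowed = POLICY.get(route);
  if (!allowed) return 403; // route not in policy: deny by default
  // A missing or malformed `roles` claim is treated as "no roles".
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  return roles.some((r) => allowed.includes(r)) ? 200 : 403;
}

// Constructed callers: a self-registered account without roles, and staff.
const selfRegistered = { tid: TENANT_ID, sub: "agent-1" };
const operator = { tid: TENANT_ID, sub: "ops-1", roles: ["Streaming.Admin"] };

// Status code each caller would get on every route under both designs.
function demo() {
  return [...POLICY.keys()].map((route) => ({
    route,
    vulnerable: vulnerableAuthorize(selfRegistered, route),
    hardenedNoRole: hardenedAuthorize(selfRegistered, route),
    hardenedOperator: hardenedAuthorize(operator, route),
  }));
}

console.table(demo());
```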

With a role-less account, BobDaHacker accessed the streaming management panel of fdp.fifa.org, which listed all matches scheduled for that day of the 2026 World Cup along with the relevant controls. Each match exposed five camera angles (PGM, Tactical, Camera1, High Behind Left, High Behind Right), each with a unique RTMP ingest URL, HLS preview manifest, and output URLs to broadcasting partners. The streaming key was unique for each match and shared among all five angles.

To verify that the streams actually worked, the researcher opened a manifest in VLC while a match was ongoing: the tactical camera feed loaded in real-time on her PC in Tokyo.

From Replacing the Signal to Altering Scores

The panel included complete controls for starting, stopping, and scheduling every match and every angle. Sending video to one of the RTMP endpoints with the corresponding key would replace the feed from that camera. The PGM feed is the main broadcast signal: interfering with it would send whatever content the attacker chose to broadcast to every TV network receiving the FIFA signal. With the key shared among all angles of the same match, a single attacker could have simultaneously hijacked all cameras.

Access was not limited to streaming. The same account accessed the entire internal platform: Competitions; Matches; Teams; Tools; Exchange Platform; Analysis Dashboard; the Commentator Information System with live data, tactical lineups, and real-time statistics; FIFA AI Pro; and the Admin section. From the editorial panel, it was possible to edit commentary notes and publish them to broadcasting systems, adjust the official kickoff time, send tactical lineup data, and alter scores and match statistics. The researcher also found an exposed Azure Function that returned direct access URLs to Azure Blob Storage for 23 internal files.

FIFA does not have a bug bounty program, has no security.txt, and does not publish security contacts. BobDaHacker reported the vulnerability Tuesday evening Tokyo time to MediaKind, to CISA, and to her FBI contacts. The issue was fixed within hours, and as of now, FIFA has not responded.