Security Flaw Allowed Full Control of FIFA World Cup TV Streams

A security flaw in FIFA’s internal infrastructure permitted an individual to gain complete control over the live television streams of every World Cup game.

The individual, known as BobDaHacker, explained that by registering as a player agent on FIFA’s official agent registration platform, she exploited a backend API vulnerability. This flaw failed to verify whether users had the necessary authorization, granting her access to multiple internal FIFA systems.

Among the systems accessed was the one used by broadcasters to manage the content shown on viewers’ televisions worldwide, as well as the displays used by commentators during matches, according to BobDaHacker.

In a blog post released on Tuesday, BobDaHacker stated, “A single attacker could hijack every camera simultaneously. An attacker could have rickrolled the entire FIFA World Cup.”

The researcher disclosed the vulnerability on Tuesday night, Japan time. FIFA addressed and resolved the issue within hours but did not publicly acknowledge the report.

Requests for comment from FIFA were not immediately answered.