- Researcher “BobDaHacker” found FIFA API flaw letting anyone hijack live TV streams and commentator feeds
- Bug stemmed from lack of authorization checks; FIFA patched quickly but did not credit the finder
- Experts warn it highlights CWE-602 and the danger of confusing authentication with authorization
A bug in an internal FIFA system allowed anyone to modify what gets streamed to TV broadcasters, and what goes to TV commentators narrating the FIFA 2026 World Cup matches. Luckily for everyone, the bug was discovered by a white hat hacker and remedied before any malicious actors could leverage it.
A security researcher with the alias BobDaHacker recently reported being able to take full control over the TV stream. They did it by registering as a player agent on FIFA’s official agent registration platform and then abusing a vulnerability in FIFA’s back-end API to access multiple internal platforms.
The vulnerability was that the API did not check whether an authenticated account was actually authorized to use those internal platforms. As a result, any registered agent could control what people would see on their TVs during the matches, as well as what the commentators would see on their monitors.
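The bug class described above, reduced to a runnable model. This is an added example, not FIFA's code or the researcher's findings: the session tokens, feed, roles and team names are all constructed. The vulnerable handler accepts any valid session as permission; the hardened one makes a server-side, object-level policy decision and records denials for detection.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Principal:        # who the caller is, established by authentication
    user_id: str
    roles: frozenset
    team: str
@dataclass
class BroadcastFeed:    # the protected resource
    feed_id: str
    overlay_text: str
    owner_team: str
class AuthError(Exception): pass    # token missing/invalid: authentication failed
class AuthzError(Exception): pass   # valid caller, but not permitted: authorization failed
# Constructed sample state: a registered agent account and a broadcast operator.
SESSIONS = {
    "tok-agent": Principal("agent-42", frozenset({"player_agent"}), "agents"),
    "tok-ops": Principal("ops-7", frozenset({"broadcast_ops"}), "broadcast"),
}
FEEDS = {"feed-1": BroadcastFeed("feed-1", "Match 1: Team A v Team B", "broadcast")}
PERMISSIONS = {"broadcast_ops": {"feed:write"}}  # roles not listed get nothing (default deny)
AUDIT = []  # denied attempts; this is what a detection rule should alert on
def authenticate(token):
    # Proves who is calling; says nothing about what they may do.
    if token not in SESSIONS:
        raise AuthError("invalid session")
    return SESSIONS[token]

def update_overlay_vulnerable(token, feed_id, text):
    # The bug class in the article: a valid session is treated as permission.
    authenticate(token)
    FEEDS[feed_id].overlay_text = text
    return FEEDS[feed_id].overlay_text

def is_allowed(principal, action, feed):
    # Server-side policy: the role must grant the action AND the feed must belong
    # to the caller's team (an object-level check, not just a role check).
    role_ok = any(action in PERMISSIONS.get(r, set()) for r in principal.roles)
    return role_ok and principal.team == feed.owner_team

def update_overlay_hardened(token, feed_id, text):
    principal = authenticate(token)
    feed = FEEDS.get(feed_id)
    if feed is None:
        raise KeyError(feed_id)
    if not is_allowed(principal, "feed:write", feed):
        AUDIT.append((principal.user_id, "feed:write", feed_id))
        raise AuthzError(f"{principal.user_id} may not write {feed_id}")
    feed.overlay_text = text
    return feed.overlay_text
```

A fix that only adds a role check would still be incomplete: the team comparison is what stops one legitimate operator from editing another team's feed.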
Authentication is not authorization
“A single attacker could hijack every camera simultaneously. An attacker could have rickrolled the entire FIFA World Cup,” BobDaHacker said. We could have witnessed a “Dark Knight Rises” moment, too.
For Brett Winterford, Vice President at Okta Threat Intelligence, FIFA dodged a major bullet today: “The average global live audience of a FIFA World Cup match is 175 million viewers. Imagine a person with the worst motivations discovers a bug that enables them to modify that livestream.”
“That bug happened. Thankfully a security researcher found it first.” Not everyone seems to be that thankful, though. According to TechCrunch, FIFA issued a fix mere hours after BobDaHacker reported it, but did not acknowledge them for their work.
Winterford believes the bug is yet…