Back to Blog
Application Security

FIFA's Broken Access Control Bug Left World Cup Streams Open to Hijack

A researcher who signed up as a football agent found himself inside FIFA's internal platforms — because the authorization checks only ran in the browser.

PyramidLedger Research4 min read
Share

Key Takeaways

  • Registering for a public FIFA agent license silently added a researcher to the same Microsoft Entra tenant behind FIFA's internal Football Data Platform and Commentator Information System.
  • The apps checked authorization only in the Angular frontend; backend APIs served any authenticated tenant member regardless of role, exposing live World Cup streaming controls, RTMP ingest URLs and stream keys, and 23 internal spreadsheets.
  • FIFA had no security.txt, disclosure policy, or bug bounty program, forcing the researcher to route the report through CISA and the FBI before a fix shipped roughly a day later.
  • Client-side role checks are a UX convenience, not a security boundary — every privileged API must independently verify the caller's authorization server-side.

A researcher known as BobDaHacker registered for a football-agent license on FIFA's public agents.fifa.org portal, uploading a government ID as part of the process. That registration silently added the account to the Microsoft Entra tenant shared across FIFA's internal platforms — including fdp.fifa.org (the Football Data Platform) and cis.fifa.org (the Commentator Information System), according to the researcher's writeup.

A UI access-denied page is not a security control

The core flaw was architectural: authorization was enforced client-side only. The Angular frontend inspected the JWT for a role claim and rendered an access-denied screen if it was missing — but the backend APIs behind that UI accepted requests from any authenticated member of the tenant, with no server-side role check at all. Anyone who could obtain a valid token, regardless of intended permissions, could call the same endpoints the UI was designed to hide.

What was reachable

The exposure reportedly extended well beyond dashboard data. The researcher found a live production streaming-management panel covering World Cup match production: RTMP ingest URLs and stream keys, with a single key shared across all five camera angles per fixture, including the program (PGM) feed that carries the main broadcast signal to television networks. With that access, an attacker could in principle have replaced live broadcast feeds outright. The same access reportedly allowed write access to live match data — scores, lineups, kick-off times, and commentary notes — plus exposure of 23 internal FIFA spreadsheets covering transfer reports, revenue figures, and personnel information, via a separate Azure Function App.

Reporting the bug was harder than finding it

FIFA had no security.txt, no published vulnerability disclosure policy, and no bug bounty program. Several disclosure emails reportedly bounced or went unanswered. The researcher ultimately reached FIFA's streaming partner, MediaKind, by phone, and separately escalated through CISA's operations center and an existing FBI contact. The vulnerability was fixed within roughly a day of escalation — the backend began returning a proper 403 rather than relying on the frontend to hide the option. FIFA reportedly gave no formal acknowledgment or compensation.

The lesson for anyone building tenant-shared platforms

This is a textbook broken-access-control finding — OWASP's perennial top risk — made worse by two compounding decisions: provisioning a public self-service portal into the same identity tenant as sensitive internal systems, and treating a frontend role check as if it were an authorization boundary. Every privileged endpoint needs to independently verify the caller's role and scope on the server; a UI that hides a button is a convenience for legitimate users, not a control against anyone who skips the UI and calls the API directly. It's also a reminder that a missing disclosure channel doesn't stop researchers from finding bugs — it just makes reporting them slower and more painful for everyone involved.

Sources

Details in this piece are drawn from the researcher's own account and corroborating security-press coverage listed below.

Frequently Asked Questions

What type of vulnerability was this?

Broken access control caused by client-side-only authorization: the Angular frontend checked JWT role claims and hid the UI accordingly, but the backend APIs performed no equivalent server-side check, so any authenticated tenant member could call privileged endpoints directly.

Could this have actually disrupted World Cup broadcasts?

According to the researcher's writeup, exposed RTMP ingest URLs and shared stream keys for each match's camera feeds, including the main program feed, would have allowed an attacker to overwrite the live broadcast signal sent to television networks.

Was the flaw exploited, and was it fixed?

There is no public indication it was exploited maliciously; it was reported by a researcher and, per the writeup, fixed within about a day of escalation to FIFA's streaming partner and to CISA and the FBI.

Sources

  1. 1Vulnerability in FIFA's NetworkSchneier on Security
  2. 2I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.bobdahacker.com
  3. 3Access control flaw left FIFA World Cup match streams wide-openiTnews
  4. 4FIFA Bug Exposes World Cup Streams to Remote TakeoverDark Reading
Share

Read next