A security researcher found a FIFA World Cup security flaw that gave any logged-in user the ability to control live TV streams and commentator feeds during 2026 World Cup matches. FIFA patched the bug within hours of receiving the report, but did not publicly credit the person who found it.
The researcher, working under the alias BobDaHacker, gained initial access by registering as a player agent on FIFA’s official agent registration portal. From there, they exploited a vulnerability in FIFA’s back-end API to reach multiple internal platforms, including broadcast control systems that determine what goes to TV broadcasters and what commentators see on their monitors during live matches. The API imposed no further access restrictions once a user was logged in.
“A single attacker could hijack every camera simultaneously. An attacker could have rickrolled the entire FIFA World Cup,” BobDaHacker said.
What the FIFA World Cup security flaw made possible
The FIFA World Cup security flaw came down to a missing authorization check. The API verified that a user had an account (authentication) but never checked what that account was permitted to access. Anyone who created a legitimate player agent registration could therefore reach back-end controls normally restricted to internal broadcast staff.
Brett Winterford, Vice President at Okta Threat Intelligence, described how severe the exposure could have been. “The average global live audience of a FIFA World Cup match is 175 million viewers. Imagine a person with the worst motivations discovers a bug that enables them to modify that livestream,” he said. “That bug happened. Thankfully a security researcher found it first.”
Authentication is not authorization
Security professionals categorize this type of bug under CWE-602: Client-Side Enforcement of Server-Side Security. The classification describes systems that rely on client-side checks that a determined attacker can bypass, rather than enforcing restrictions at the server level.
Winterford described the incident as a reminder that authentication and authorization are separate problems that developers must solve independently. Authentication confirms who a user is. Authorization determines what that user can do inside a system. Treating them as interchangeable, or implementing only one, creates an opening that requires little technical sophistication to exploit.
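As an added illustration of the distinction drawn above (this is constructed example code, not FIFA's code and not a reconstruction of the affected API): a minimal Python request handler written three ways, with invented session tokens, roles and endpoint paths. The first version checks only that the caller is logged in, so any account reaches any endpoint. The second decides permission from a client-supplied header, which is the pattern CWE-602 names, so the server enforces nothing the client cannot rewrite. The third authenticates, then derives the caller's roles from server-side session state and denies by default.

```python
"""Added example (not FIFA's code): authentication vs. authorization in a
minimal HTTP-style API handler. Session tokens, roles, user names and
endpoint paths below are all constructed for illustration."""
from dataclasses import dataclass, field

# Constructed server-side session store: bearer token -> authenticated identity.
SESSIONS = {
    "tok-agent-1": {"user": "agent_alice", "roles": {"agent"}},
    "tok-broadcast-1": {"user": "ops_bob", "roles": {"broadcast_ops"}},
}

# Constructed authorization policy: which roles may call which endpoint.
PERMISSIONS = {
    "/agents/me": {"agent", "broadcast_ops"},
    "/broadcast/feeds": {"broadcast_ops"},
}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def authenticate(req):
    """Authentication only: map a bearer token to a server-side identity.
    Returns None when the token is missing or unknown."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def handle_vulnerable(req):
    """Authenticated-only gate: proves the caller has *an* account and nothing more,
    so a low-privilege account reaches every endpoint."""
    if authenticate(req) is None:
        return Response(401, "login required")
    return Response(200, f"ok: {req.path}")


def handle_client_trusting(req):
    """CWE-602 pattern: the permission decision is based on a header the client
    chose to send, so the 'check' runs on the server but is controlled by the client."""
    ident = authenticate(req)
    if ident is None:
        return Response(401, "login required")
    if req.headers.get("X-Role") not in PERMISSIONS.get(req.path, set()):
        return Response(403, "forbidden")
    return Response(200, f"ok: {req.path}")


def handle_hardened(req):
    """Authentication, then authorization from server-side state only, deny by default."""
    ident = authenticate(req)
    if ident is None:
        return Response(401, "login required")
    allowed = PERMISSIONS.get(req.path)
    if allowed is None:
        return Response(404, "no such endpoint")          # unknown path: no implicit allow
    if ident["roles"].isdisjoint(allowed):                 # roles come from SESSIONS, not the request
        return Response(403, "forbidden")
    return Response(200, f"ok: {req.path}")


def demo():
    """Run the same low-privilege (agent) request through all three handlers."""
    agent_req = Request("/broadcast/feeds",
                        {"Authorization": "Bearer tok-agent-1"})
    # Same agent session, but the client asserts a role it does not hold.
    spoofed = Request("/broadcast/feeds",
                      {"Authorization": "Bearer tok-agent-1", "X-Role": "broadcast_ops"})
    return {
        "vulnerable": handle_vulnerable(agent_req).status,            # 200: any login suffices
        "client_trusting_spoofed": handle_client_trusting(spoofed).status,  # 200: header trusted
        "hardened": handle_hardened(agent_req).status,                # 403: agent lacks the role
        "hardened_spoofed": handle_hardened(spoofed).status,          # 403: header ignored
    }


if __name__ == "__main__":
    print(demo())
```

The point of the third handler is where the role information comes from: it is looked up from the session the server itself created at login, never read from the request, and an endpoint with no policy entry is refused rather than silently allowed. Reviewing a back-end API for this class of bug means asking, for every handler, which of these three shapes it has.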
FIFA’s response and the credit dispute
FIFA issued a fix within hours of BobDaHacker’s report, a fast turnaround by industry standards. However, according to TechCrunch, the organization did not publicly acknowledge the researcher’s contribution. That omission is common in cases where organizations have no formal bug bounty program or responsible disclosure policy, but it leaves researchers in an awkward position. Reporting a vulnerability responsibly carries real personal cost, including legal risk in some jurisdictions, with no guarantee of recognition or reward.
No evidence has emerged that any malicious actor found or exploited the vulnerability before FIFA closed it.