How One Hacker Nearly Took Over Every FIFA World Cup Stream

A researcher could have taken over every World Cup broadcast. The cause was broken access control, the web's most common flaw.

Quick Verdict

  • A free agent account on a public portal reached the panel that controls every World Cup TV feed.
  • The flaw was broken access control, where the server trusts the browser to enforce permissions and the browser cannot.
  • An access denied page in the browser meant nothing because the backend never checked.
  • Scanners miss this because nothing crashes and the app looks healthy. You find it by testing access like an attacker and proving the gap is real.

Introduction

On June 14, 2026, a researcher signed up as a football agent on FIFA’s public portal. Minutes later they could reach the panel that runs every World Cup television stream worldwide. No malware. No zero day. Just a free account and a server that trusted the wrong thing.

What Happened

A hacker who goes by BobDaHacker registered on the FIFA Agent Platform using only an ID and an email. FIFA created an account for them inside its Microsoft Entra tenant. That same tenant ran FIFA’s internal systems. The account had no real permissions, yet it opened doors that should have stayed locked.

The apps showed an access denied page in the browser. That message was for show. The servers behind the apps never checked permissions at all. They handed over data and controls to any logged-in user who asked.

Why The Access Denied Message Lied

The front end did the role checking. The backend did not. The researcher put it plainly: if your frontend is the only thing checking roles, you do not have access control, you have a suggestion. The server has to enforce it on every route, with no exceptions.

How Far The Access Went

The agent account reached FIFA’s Streaming Management panel, the live hub for all World Cup broadcasting. Every match, every camera angle, every stream key sat right there.

The researcher said an attacker could have blacked out a live match or replaced the world feed with anything they wanted on every TV network during play. The same account also reached the match management system, where scores and start times could be changed in real time. It touched the commentary system, the analytics platform, and a developer environment holding files on revenue and player transfers.

The Researcher Chose To Report It

BobDaHacker did not abuse the access. They tried to warn FIFA, but FIFA had no security contact, no disclosure policy, and no bug bounty. The researcher had to call CISA and the FBI to get the issue in front of the right people. It was fixed the next day.

Why Scanners Miss This

This flaw is called broken access control. It sits at the top of the OWASP list of web risks, and it is nearly invisible to traditional scanners. Nothing crashes. The app looks like it is working perfectly. The server simply trusts the client to enforce permissions, and the client does not.

You will not catch this with a signature or a CVE feed. You catch it by testing access the way an attacker would. You log in as one user, request another user’s data, and watch what comes back. Then you prove the gap is real instead of guessing.
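The two sections above describe the same defect from two sides: a backend that only authenticates, so the browser's role check is "a suggestion", and the test that exposes it, which is to log in as the lowest-privilege user and request what that user should never see. The following is an added example, not FIFA's systems or Secure.com's product code: a toy in-memory API with the vulnerable pattern beside a hardened one that authorizes on the server for every route, plus an authorization probe written as a regression check a defender can keep in a test suite. All users, roles, routes and data are constructed sample values.

```python
"""Added example: frontend-only role checks vs. server-side authorization.

Everything here is constructed: the users, roles, routes and the stream panel
stand in for a real application so the example runs offline.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed user store. The role lives on the server, never in the request.
USERS = {
    "agent-001": {"role": "agent", "password": "agent-pass"},
    "ops-admin": {"role": "broadcast_admin", "password": "admin-pass"},
}
# Constructed sample data for two routes: a privileged panel and per-user profiles.
STREAM_PANEL = {"match-42": {"feed": "world-feed-A", "stream_key": "SK-constructed-1"}}
PROFILES = {"agent-001": {"name": "Agent One"}, "ops-admin": {"name": "Ops Admin"}}


@dataclass
class Session:
    user_id: str


@dataclass
class Response:
    status: int
    body: object = None


def login(user_id: str, password: str) -> Optional[Session]:
    """Authenticate; returns a session for valid credentials, else None."""
    user = USERS.get(user_id)
    if user is None or user["password"] != password:
        return None
    return Session(user_id)


def frontend_allows(session: Session, page: str) -> bool:
    """What the browser does: hide the streams page unless the role permits it.
    Anyone can skip this entirely by calling the API directly."""
    role = USERS[session.user_id]["role"]
    return page != "streams" or role == "broadcast_admin"


# --- Vulnerable backend: the pattern in the article ----------------------------
def vulnerable_api(session: Optional[Session], route: str, target_user: str = None) -> Response:
    """Checks only that *someone* is logged in, then serves any route to them."""
    if session is None:
        return Response(401)
    if route == "streams":
        return Response(200, STREAM_PANEL)
    if route == "profile":
        return Response(200, PROFILES.get(target_user))
    return Response(404)


# --- Hardened backend: authorize on the server, on every route, deny by default ---
ROLE_FOR_ROUTE = {
    "streams": {"broadcast_admin"},
    "profile": {"agent", "broadcast_admin"},
}


def authorize(session: Optional[Session], route: str, target_user: str = None) -> int:
    """Return the HTTP status the server should answer before touching any data."""
    if session is None:
        return 401
    role = USERS[session.user_id]["role"]          # looked up server-side
    if role not in ROLE_FOR_ROUTE.get(route, set()):
        return 403                                 # unknown routes are denied too
    # Object-level check: a profile is visible only to its owner or an admin.
    if route == "profile" and target_user != session.user_id and role != "broadcast_admin":
        return 403
    return 200


def hardened_api(session: Optional[Session], route: str, target_user: str = None) -> Response:
    """Same routes as vulnerable_api, but every call passes through authorize()."""
    status = authorize(session, route, target_user)
    if status != 200:
        return Response(status)
    if route == "streams":
        return Response(200, STREAM_PANEL)
    if route == "profile":
        return Response(200, PROFILES.get(target_user))
    return Response(404)


def authz_probe(api) -> list:
    """Regression check: log in as the least-privileged user, bypass the frontend,
    and request things that user must not see. Returns the routes that leaked."""
    agent = login("agent-001", "agent-pass")
    attempts = {
        "streams": api(agent, "streams"),                              # privileged panel
        "profile/ops-admin": api(agent, "profile", target_user="ops-admin"),  # someone else's data
    }
    return sorted(route for route, resp in attempts.items() if resp.status == 200)


if __name__ == "__main__":
    agent = login("agent-001", "agent-pass")
    print("frontend hides streams page:", not frontend_allows(agent, "streams"))
    print("vulnerable backend leaks:", authz_probe(vulnerable_api))
    print("hardened backend leaks:", authz_probe(hardened_api))
```

The probe is deliberately independent of the UI: it never asks `frontend_allows`, because an attacker never would either. Run it against every route an application exposes, with one low-privilege account per role, and treat any 200 on a route that account should not reach as a failing test rather than a finding to argue about later.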

This Is Not Just A FIFA Problem

The researcher said they find the same pattern at large companies across many industries. A polished frontend checks roles and shows a denied page, while the API serves everything to anyone logged in. FIFA stood out for what was exposed, not for the flaw itself.

How Secure.com Helps

Broken access control hides from scanners because nothing looks broken. Secure.com’s Digital Security Teammates test access the way an attacker would and prove what they find, so you fix facts instead of chasing maybes.

  • Red Teammate keeps attacking your own systems the way an adversary would, including the authorization gaps a scanner cannot see.
  • AppSec Teammate finds the flaw in your code, proves it can be exploited, and drafts the fix.
  • SOC Teammate handles detection, triage, and response so real threats do not get lost in noise.
  • Cloud Teammate watches your cloud posture for the misconfigurations that open these doors.
  • Compliance Teammate keeps you ready for SOC 2 and ISO 27001 without the last-minute scramble.

Every Teammate proves its work and keeps a human in the loop on the decisions that matter. The World Cup story ended well because one researcher made calls at 3 a.m. to reach the right people. Your security should not depend on luck like that. Book a 15-minute demo at secure.com.