- Researcher “BobDaHacker” found a flaw in the FIFA API that allowed anyone to hijack live TV streams and commentator feeds.
- The flaw was a missing authorization check; FIFA patched it quickly but did not credit the researcher.
- Experts warn that it is a textbook case of CWE-602 and of the danger of confusing authentication with authorization.
A bug in an internal FIFA system allowed anyone to modify the feeds sent to television broadcasters and the information shown to TV commentators calling the 2026 FIFA World Cup matches. Fortunately for everyone, the bug was discovered by a white hat hacker and fixed before malicious actors could exploit it.
A security researcher with the alias BobDaHacker recently reported that they could take full control over the television broadcast. They did this by registering as a player agent on FIFA’s official agent registration platform and then abusing a vulnerability in FIFA’s back-end API to access multiple internal platforms.
The vulnerability was that the API did not verify that an account had the proper authorization for the action it requested. As a result, any registered account could control what people would see on their TVs during matches, as well as what commentators would see on their monitors.
Authentication is not authorization.
“A single attacker could hijack all the cameras simultaneously. One attacker could have ruined the entire FIFA World Cup,” said BobDaHacker. We might have also witnessed a “Dark Knight Rises” moment.
For Brett Winterford, vice president of Okta Threat Intelligence, FIFA dodged an important bullet today: “The average live global audience for a FIFA World Cup match is 175 million viewers. Imagine that a person with the worst motivations discovers a bug that allows him to modify that live broadcast.”
“That bug happened. Fortunately, a security researcher found it first.” However, not everyone seems to be so grateful. According to TechCrunch, FIFA issued a fix just hours after BobDaHacker reported it, but did not credit them for their work.
Winterford believes the bug is another example of CWE-602: Client-Side Enforcement of Server-Side Security.
“It’s also another good reminder for developers: don’t treat authentication as authorization. Authentication is about verifying that a user is who they say they are, authorization is about what the user can access.”
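The distinction Winterford draws is easiest to see in code. The example below is added here for illustration; it is not FIFA’s API or any code from the researcher, and every name, token, role and feed in it is constructed. It contrasts two versions of the same write endpoint: an insecure handler that treats “has a valid session” as “is allowed to do this” (the server performs no permission check of its own, relying on the client UI never offering the action, which is the CWE-602 pattern), and a hardened handler that looks the caller’s role up in server-side state and checks it against a permission table before any write.

```python
"""Added example: authentication is not authorization.

insecure_handler: checks only that the caller is logged in, then writes.
secure_handler:   additionally enforces a server-side role permission.
All sessions, accounts, roles and feed contents are constructed for this demo.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed server-side state. Sessions bind a bearer token to an account;
# accounts carry the role the server assigned at registration time.
SESSIONS = {"tok-agent-1": "agent-1", "tok-ops-9": "ops-9"}
ACCOUNTS = {
    "agent-1": {"role": "player_agent"},
    "ops-9": {"role": "broadcast_ops"},
}
# Which roles may perform which action. Only broadcast_ops may change a feed.
PERMISSIONS = {
    "feed:update": {"broadcast_ops"},
    "feed:read": {"broadcast_ops", "player_agent"},
}


@dataclass
class Request:
    token: Optional[str]                  # bearer token presented by the caller
    action: str                           # e.g. "feed:update"
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    detail: str


def authenticate(req: Request) -> Optional[str]:
    """Return the account id bound to a valid session token, else None."""
    return SESSIONS.get(req.token or "")


def insecure_handler(req: Request, feed: dict) -> Response:
    """Vulnerable pattern: being authenticated is treated as being authorized.

    The only place the 'edit feed' action is hidden from low-privilege users
    is the client UI, so the server never checks the caller's role (CWE-602).
    """
    account = authenticate(req)
    if account is None:
        return Response(401, "not authenticated")
    if req.action == "feed:update":
        feed["text"] = req.body.get("text", "")   # any logged-in account can write
        return Response(200, "feed updated")
    return Response(200, feed.get("text", ""))


def secure_handler(req: Request, feed: dict) -> Response:
    """Hardened pattern: authorization decided from server-side state only."""
    account = authenticate(req)
    if account is None:
        return Response(401, "not authenticated")
    role = ACCOUNTS[account]["role"]          # assigned by the server, never read from the request
    if role not in PERMISSIONS.get(req.action, set()):
        return Response(403, f"{role} may not {req.action}")
    if req.action == "feed:update":
        feed["text"] = req.body.get("text", "")
        return Response(200, "feed updated")
    return Response(200, feed.get("text", ""))


def demo() -> Tuple[int, int, int]:
    """Send the same low-privilege write through both handlers; return the statuses."""
    feed = {"text": "original caption"}
    # A registered agent (authenticated, but not broadcast_ops) tries to rewrite the feed.
    agent_write = Request("tok-agent-1", "feed:update", {"text": "tampered caption"})
    insecure_status = insecure_handler(agent_write, dict(feed)).status   # 200: write accepted
    secure_status = secure_handler(agent_write, dict(feed)).status       # 403: write refused
    # The account that actually holds the role is still allowed through.
    ops_write = Request("tok-ops-9", "feed:update", {"text": "official caption"})
    ops_status = secure_handler(ops_write, dict(feed)).status            # 200
    return insecure_status, secure_status, ops_status


if __name__ == "__main__":
    print(demo())
```

The point of the hardened handler is where the role comes from: it is read from the server’s own account record, keyed by the authenticated session, and compared against a permission table on every request. Anything the client sends about its own privileges, or any assumption that a UI never exposes the action, plays no part in the decision.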