A security researcher known as Bob the Hacker said he found a major access-control failure in FIFA systems that could have exposed the 2026 World Cup’s broadcast infrastructure. He reported the issue on his blog on Monday, saying it was discovered through FIFA’s official player agents portal.
According to the report, anyone could register for the service with a standard ID and automatically receive privileges inside FIFA’s corporate cloud environment, Microsoft Entra. The problem was that, while the user-facing FIFA websites showed “access denied” screens, the backend API servers did not properly check permissions on the server side, allowing full access to the World Cup production control panel.
That control panel reportedly managed every camera, camera angle and live feed from stadiums. In theory, the researcher said, an attacker could have replaced an official match broadcast with other material, including gaming videos or abusive content, and pushed it to television screens of global broadcasters. He also found access to real-time statistics systems, commentators’ notes and internal corporate databases, which could have been abused by bookmakers.
The article says FIFA does not have even a basic security disclosure policy, unlike major Silicon Valley companies that run bug-bounty programs. As a result, the researcher had to spend a long night calling international law enforcement and intelligence agencies before anyone took the report seriously. FIFA eventually closed the flaw after he made contact, but the organization has not commented publicly, underscoring the security gap created by the industry’s shift to IP-based streaming systems such as RTMP and HLS.
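The failure described above, where the websites showed “access denied” but the backend API did not check permissions, comes down to treating a signed-in identity as an authorized one. The Python below is an added example, not code from the researcher's report or from FIFA's systems: it contrasts that flawed check with a deny-by-default, per-route role check. The route paths, role names and claims are constructed for illustration, and it assumes the token's signature, issuer and audience were already validated and that roles arrive in a `roles` claim, as Entra app roles do.

```python
# Added example: server-side authorization, deny by default.
# Assumes the token was already validated (signature, issuer, audience).
from dataclasses import dataclass

# Hypothetical route -> required app role map (all names are illustrative).
REQUIRED_ROLE = {
    ("GET", "/api/agent/profile"): "Agent.Read",
    ("GET", "/api/production/feeds"): "Production.Operator",
    ("POST", "/api/production/feeds/switch"): "Production.Operator",
}

@dataclass(frozen=True)
class Decision:
    status: int
    reason: str

def authorize_weak(claims, method, path):
    """The flawed pattern: any authenticated tenant identity passes."""
    if not claims or "sub" not in claims:
        return Decision(401, "unauthenticated")
    return Decision(200, "authenticated, no role check")

def authorize(claims, method, path):
    """Hardened: each route needs an explicit role; unknown routes are denied."""
    if not claims or "sub" not in claims:
        return Decision(401, "unauthenticated")
    required = REQUIRED_ROLE.get((method.upper(), path))
    if required is None:
        return Decision(403, "route has no policy, denied by default")
    roles = claims.get("roles") or []
    if isinstance(roles, str):  # tolerate a single role sent as a string
        roles = [roles]
    if required not in roles:
        return Decision(403, f"missing role {required}")
    return Decision(200, "ok")

# Constructed claims: a self-registered portal user and a production operator.
SELF_REGISTERED = {"sub": "user-001", "roles": ["Agent.Read"]}
OPERATOR = {"sub": "user-002", "roles": ["Production.Operator"]}

if __name__ == "__main__":
    for who in (SELF_REGISTERED, OPERATOR):
        for method, path in REQUIRED_ROLE:
            weak = authorize_weak(who, method, path).status
            hard = authorize(who, method, path).status
            print(f"{who['sub']} {method} {path}: weak={weak} hardened={hard}")
```

The decision is made on the API side for every request, so hiding or blocking a page in the front end has no bearing on the outcome.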