An egregious access control flaw in FIFA's systems, reachable with any account in its Microsoft Entra tenant, allowed an ethical hacker to gain direct control over global World Cup television streams, match management systems, and more.
Not since 1962, when USSR vice admiral Vasily Arkhipov saved the human race by refusing to consent to a nuclear missile launch, has humanity been spared such a potentially horrific fate as it was just a few days ago.
On June 14, a hacker named “BobDaHacker” discovered that the international soccer governing body’s entire online infrastructure was thinly guarded from any random hacker on the Internet. With an easily crafted fake account, they managed to reach all of the systems used to run the World Cup. If BobDaHacker had worse intentions, they could have easily blacked out the tournament for global audiences or even replaced everyone’s television streams with pornography. Instead, they invested unusual effort in responsibly reporting the issue.
Dark Reading attempted but ultimately failed to reach FIFA for comment and clarification on this story.
How to Hack the World Cup
Anyone can file to become a football agent, whether you’re a louse exploiting some South American wunderkind or Adrien Rabiot’s mother. All you have to do is submit your ID and verify your email address on the FIFA Agent Platform.
If you freely choose to do that, FIFA will create an account for you in its Microsoft Entra tenant. Evidently, it's the same tenant that supports all of FIFA's internal systems. BobDaHacker registered as an agent, then tried to use the new account to reach FIFA's core data platform. The response was reassuring: an access-denied page, citing a lack of privileges.
Except that the denial was only skin-deep. The access-denied page was rendered by the frontend after it checked the account's roles; the backend API behind it performed no such check and served whatever an authenticated user asked for.
“I see this constantly,” the hacker tells Dark Reading. “Client-side authorization with no server-side enforcement is one of the most common patterns I find in my work. Big companies especially love to build a pretty Angular or React frontend that checks your roles and shows an ‘access denied’ page, and then the backend just serves everything to any authenticated user.”
The ethical hacker walked past FIFA’s client-side guardrails and reached its streaming management platform: the live production hub for all World Cup broadcasting.
Complete World Cup Broadcast Takeover
It would have been one thing if access to FIFA's production environment merely allowed a user to watch all of the tournament's camera feeds. Remarkably, it also came with a complete set of controls. BobDaHacker could have blacked out Côte d'Ivoire versus Ecuador midgame, or they could've replaced it with whatever other video they wanted.
“An attacker could have Rickrolled the entire FIFA World Cup. Or played Subway Surfers gameplay. Live. On every TV network worldwide. During an active match,” BobDaHacker wrote on their blog.
That was the most extreme, but far from the only, consequence a malicious hacker could have wrought. The same unprivileged football agent account granted entry into FIFA's match management platform, from which a hacker could have adjusted scores and other match data in real time, or even changed the start time of any upcoming match.
Additionally, it granted access to FIFA’s commentary information system, where a prankster could have had fun influencing what commentators of all languages said live on the air. It also granted access to FIFA’s gametime analytics platform and its developer environment, home to files pertaining to revenues, player transfers, and more.
For anyone willing to listen, BobDaHacker emphasizes that “client-side authorization is not authorization. If your frontend is the only thing checking roles, you don’t have access control, you have a suggestion. The server has to enforce it. Every API route, every endpoint, no exceptions.”
They add that “FIFA isn’t uniquely bad here; I’ve found similar stuff at Fortune 500 companies across food and beverage, airlines, robotics, entertainment, you name it. The pattern is always the same: The frontend does the access control; the API doesn’t. What makes FIFA stand out is the severity of what was exposed, not the vulnerability itself.”
FIFA’s Own Goal
As is often the case at organizations with immature cybersecurity, BobDaHacker failed at all attempts to report the Entra vulnerability to FIFA. “The fact that FIFA has no security.txt, no vulnerability disclosure policy (VDP), no bug bounty program, and no way for a researcher to reach them at all kind of speaks for itself,” they say. “I had to call CISA and the FBI because FIFA made it impossible to report to them directly.”
Undeterred and furiously Googling in the wee hours of the morning, the hacker figured out that the Cybersecurity and Infrastructure Security Agency (CISA) is actually the federal lead for cybersecurity at the 2026 World Cup. They called CISA’s hotline and the FBI, and thanks to those authorities, the issue appeared to be fixed the following day.
Still, there’s some irony in the extent of the World Cup’s cybersecurity issues, given CISA’s support for the event. “If CISA’s partnership with FIFA included anything about vulnerability handling or incident response, it clearly didn’t trickle down to FIFA’s actual security posture,” BobDaHacker notes.
In a long statement shared with Dark Reading, CISA outlined its contributions to the 2026 World Cup, which includes cybersecurity and physical security exercises it has held for host cities and stadiums, FIFA base camps, hotels, and regional critical infrastructure. It made no reference to the security of FIFA’s digital infrastructure or the integrity of national TV broadcasts.
