FIFA Bug Exposes World Cup Streams to Remote Takeover
Dark Reading
A hacker could have "Rickrolled" the World Cup — or worse — thanks to FIFA's unenforced Entra access controls.
Nate Nelson,Contributing Writer
June 18, 2026
An egregious access control vulnerability in FIFA's Microsoft Entra environment allowed an ethical hacker to gain direct control over global World Cup television streams, match management systems, and more.
Not since 1962, when USSR vice admiral Vasily Arkhipov saved the human race by refusing to consent to a nuclear missile launch, has humanity been spared such a potentially horrific fate as it was just a few days ago.
On June 14, a hacker named "BobDaHacker" discovered that the international soccer governing body's entire online infrastructure was thinly guarded from any random hacker on the Internet. With an easily crafted fake account, they managed to reach all of the systems used to run the World Cup. If BobDaHacker had worse intentions, they could have easily blacked out the tournament for global audiences or even replaced everyone's television streams with pornography. Instead, they invested unusual effort in responsibly reporting the issue.
Dark Reading attempted but ultimately failed to reach FIFA for comment and clarification on this story.
How to Hack the World Cup
Anyone can file to become a football agent, whether you're a louse exploiting some South American wunderkind or Adrien Rabiot's mother. All you have to do is submit your ID and verify your email address on the FIFA Agent Platform.
If you freely choose to do that, FIFA will create an account for you in its Microsoft Entra tenant. Evidently, it's the same tenant that supports all of FIFA's internal systems. BobDaHacker registered as an agent, then attempted to exploit their new account to reach FIFA's core data platform. The response from the server was reassuring: They were denied, thanks to a lack of privileges.
Except that response was superficial. Behind the outward access-denied message, the system's backend API had no compunction about serving up whatever access BobDaHacker wanted.
"I see this constantly," the hacker tells Dark Reading. "Client-side authorization with no server-side enforcement is one of the most common patterns I find in my work. Big companies especially love to build a pretty Angular or React frontend that checks your roles and shows an 'access denied' page, and then the backend just serves everything to any authenticated user."
The ethical hacker walked past FIFA's client-side guardrails and reached its streaming management platform: the live production hub for all World Cup broadcasting.
Complete World Cup Broadcast Takeover
It would have been one thing if access to FIFA's production environment merely allowed a user to watch all of the tournament's camera feeds. Remarkably, it also came with a complete set of controls. BobDaHacker could have blacked out Cote d'Ivoire versus Ecuador midgame, or they could've replaced it with whatever other video they wanted.
"An attacker could have Rickrolled the entire FIFA World Cup. Or played Subway Surfers gameplay. Live. On every TV network worldwide. During an active match," BobDaHacker wrote on his blog.
That was the most extreme, but far from the only, consequence a malicious hacker could have wrought. The same unprivileged football agent account granted entry into FIFA's match management platform, from which a hacker could have adjusted scores and other match data in real time, or even changed the start time of any upcoming match.
Additionally, it granted access to FIFA's commentary information system, where a prankster could have had fun influencing what commentators of all languages said live on the air. It also granted access to FIFA's gametime analytics platform and its developer environment, home to files pertaining to revenues, player transfers, and more.
For anyone willing to listen, BobDaHacker emphasizes that "client-side authorization is not authorization. If your frontend is the only thing checking roles, you don't have access control, you have a suggestion. The server has to enforce it. Every API route, every endpoint, no exceptions."
They add that "FIFA isn't uniquely bad here; I've found similar stuff at Fortune 500 companies across food and beverage, airlines, robotics, entertainment, you name it. The pattern is always the same: The frontend does the access control; the API doesn't. What makes FIFA stand out is the severity of what was exposed, not the vulnerability itself."
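The pattern described above, a frontend that hides pages by role while the API serves every authenticated session, is easy to reproduce in a few lines. What follows is an added example and not code from FIFA or from the researcher's write-up: a hypothetical in-memory API with a self-registered "agent" session, a vulnerable backend that only authenticates, and a hardened backend whose router refuses to register any route without an authorization policy, so "every endpoint, no exceptions" holds by construction. All route names, roles and sessions are constructed for the example.

```javascript
// Added example; not FIFA's code or the researcher's. Route names, roles and sessions
// are hypothetical and constructed here so the file runs stand-alone.

// Constructed sessions: a self-registered agent and a broadcast operator.
const SESSIONS = {
  "sess-agent": { id: "agent-1", roles: ["agent"] },
  "sess-ops":   { id: "ops-1",   roles: ["broadcast-ops"] },
};

// Fresh copy of the protected data per call, so the two backends are compared independently.
function newStore() {
  return { streams: { "match-42": { feed: "camera-1", live: true } } };
}

// What the SPA does: decide which page to render. This is a UI hint, not access control,
// because a client can send the same session cookie straight to the API.
function frontendCanSee(user, page) {
  if (page === "/agent/profile") return true;
  return user.roles.includes("broadcast-ops");
}

// --- Vulnerable backend: authentication only ------------------------------------------
function vulnerableApi(store, req) {
  const user = SESSIONS[req.session];
  if (!user) return { status: 401 };
  // No role check: authorization is assumed to have happened in the browser.
  if (req.method === "PUT" && req.path === "/api/streams/match-42/source") {
    store.streams["match-42"].feed = req.body.feed;
    return { status: 200, body: store.streams["match-42"] };
  }
  if (req.method === "GET" && req.path === "/api/streams/match-42") {
    return { status: 200, body: store.streams["match-42"] };
  }
  return { status: 404 };
}

// --- Hardened backend: a policy on every route, checked before the handler ------------
// Registration fails without an allowed-roles list, so an unprotected route cannot exist.
function createRouter() {
  const routes = [];
  return {
    add(method, path, allowedRoles, handler) {
      if (!Array.isArray(allowedRoles) || allowedRoles.length === 0) {
        throw new Error(`route ${method} ${path} registered without an authorization policy`);
      }
      routes.push({ method, path, allowedRoles, handler });
    },
    dispatch(store, req) {
      const user = SESSIONS[req.session];
      if (!user) return { status: 401 };
      const route = routes.find((r) => r.method === req.method && r.path === req.path);
      if (!route) return { status: 404 };
      // Server-side enforcement, deny by default: the caller must hold an allowed role.
      if (!route.allowedRoles.some((role) => user.roles.includes(role))) {
        return { status: 403 };
      }
      return route.handler(store, req, user);
    },
  };
}

function buildHardenedApi() {
  const router = createRouter();
  router.add("GET", "/api/streams/match-42", ["broadcast-ops"], (store) => ({
    status: 200, body: store.streams["match-42"],
  }));
  router.add("PUT", "/api/streams/match-42/source", ["broadcast-ops"], (store, req) => {
    store.streams["match-42"].feed = req.body.feed;
    return { status: 200, body: store.streams["match-42"] };
  });
  return router;
}

// The agent session calling the API directly, skipping the page the SPA would hide.
const AGENT_REQUEST = {
  session: "sess-agent",
  method: "PUT",
  path: "/api/streams/match-42/source",
  body: { feed: "unrelated-video" },
};

function demo() {
  const agent = SESSIONS["sess-agent"];
  const uiAllows = frontendCanSee(agent, "/streams/match-42");                     // false
  const vulnStore = newStore();
  const vulnStatus = vulnerableApi(vulnStore, AGENT_REQUEST).status;               // 200
  const hardStore = newStore();
  const hardStatus = buildHardenedApi().dispatch(hardStore, AGENT_REQUEST).status; // 403
  return {
    uiAllows,
    vulnStatus,
    vulnFeed: vulnStore.streams["match-42"].feed, // "unrelated-video": the feed was replaced
    hardStatus,
    hardFeed: hardStore.streams["match-42"].feed, // "camera-1": unchanged
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The design point is the router: making the policy a required argument of `add()` turns "did anyone remember the check on this route?" from a review question into a startup failure, which is the cheapest place to catch it.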
FIFA's Own Goal
As is often the case at organizations with immature cybersecurity, BobDaHacker failed at all attempts to report the Entra vulnerability to FIFA. "The fact that FIFA has no security.txt, no vulnerability disclosure policy (VDP), no bug bounty program, and no way for a researcher to reach them at all kind of speaks for itself," they say. "I had to call CISA and the FBI because FIFA made it impossible to report to them directly."
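The security.txt mentioned above is the published contact point defined by RFC 9116 at /.well-known/security.txt. As an added example, not part of the article, here is a small checker for the rules most often missed when an organization does publish one: at least one Contact field, exactly one Expires field, an Expires timestamp that is valid and still in the future, and, as the RFC recommends, an expiry less than a year out. The sample file text is constructed; the requirement that Contact be a mailto:, tel: or https: URI is a simplification adopted here, not the RFC's full URI grammar.

```javascript
// Added example, not from the article. Checks a security.txt body against a subset of
// RFC 9116. Sample file contents below are constructed.

const SAMPLE_GOOD = [
  "# Constructed sample security.txt",
  "Contact: mailto:security@example.org",
  "Contact: https://example.org/report",
  "Expires: 2027-01-01T00:00:00.000Z",
  "Preferred-Languages: en",
  "Canonical: https://example.org/.well-known/security.txt",
].join("\n");

// Constructed: a file with a contact but no Expires field, which RFC 9116 requires.
const SAMPLE_MISSING_EXPIRES = "Contact: mailto:security@example.org\n";

// Parse "Field: value" lines into { fieldname: [values...] }; comments and blanks skipped.
function parseSecurityTxt(text) {
  const fields = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const idx = line.indexOf(":");
    if (idx < 1) continue; // not a field line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (fields[name] ||= []).push(value);
  }
  return fields;
}

const ONE_YEAR_MS = 366 * 24 * 3600 * 1000;

// Returns { ok, problems, fields }. `now` is injectable so the check is reproducible.
function checkSecurityTxt(text, now = new Date()) {
  const fields = parseSecurityTxt(text);
  const problems = [];

  const contacts = fields.contact || [];
  if (contacts.length === 0) problems.push("missing Contact field");
  for (const c of contacts) {
    // Simplified scheme check (assumption for this example, stricter than the RFC).
    if (!/^(mailto:|tel:|https:\/\/)/.test(c)) {
      problems.push(`Contact is not a mailto:, tel: or https: URI: ${c}`);
    }
  }

  const expires = fields.expires || [];
  if (expires.length !== 1) {
    problems.push(`expected exactly one Expires field, found ${expires.length}`);
  } else {
    const when = new Date(expires[0]);
    if (Number.isNaN(when.getTime())) {
      problems.push(`Expires is not a valid timestamp: ${expires[0]}`);
    } else if (when <= now) {
      problems.push("Expires is in the past; the file should be treated as stale");
    } else if (when - now > ONE_YEAR_MS) {
      problems.push("Expires is more than a year out (RFC 9116 recommends less)");
    }
  }

  return { ok: problems.length === 0, problems, fields };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkSecurityTxt(SAMPLE_GOOD));
  console.log(checkSecurityTxt(SAMPLE_MISSING_EXPIRES));
}
```

Running the check in CI against the deployed file, with `now` left at the real clock, catches the common failure mode of a security.txt that was published once and then silently expired.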
Undeterred and furiously Googling in the wee hours of the morning, the hacker figured out that the Cybersecurity and Infrastructure Security Agency (CISA) is actually the federal lead for cybersecurity at the 2026 World Cup. They called CISA's hotline and the FBI, and thanks to those authorities, the issue appeared to be fixed the following day.
Still, there's some irony in the extent of the World Cup's cybersecurity issues, given CISA's support for the event. "If CISA's partnership with FIFA included anything about vulnerability handling or incident response, it clearly didn't trickle down to FIFA's actual security posture," BobDaHacker notes.
In a long statement shared with Dark Reading, CISA outlined its contributions to the 2026 World Cup, which include cybersecurity and physical security exercises it has held for host cities and stadiums, FIFA base camps, hotels, and regional critical infrastructure. It made no reference to the security of FIFA's digital infrastructure or the integrity of national TV broadcasts.
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media.
He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify.
He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.