
FIFA Bug Exposes World Cup Streams to Remote Takeover

Dark Reading, June 18, 2026

A hacker could have "Rickrolled" the World Cup — or worse — thanks to FIFA's unenforced Entra access controls.

Nate Nelson, Contributing Writer
June 18, 2026

An egregious access control vulnerability in FIFA's Microsoft Entra environment allowed an ethical hacker to gain direct control over global World Cup television streams, match management systems, and more.

Not since 1962, when USSR vice admiral Vasily Arkhipov saved the human race by refusing to consent to a nuclear missile launch, has humanity been spared such a potentially horrific fate as it was just a few days ago.

On June 14, a hacker named "BobDaHacker" discovered that the international soccer governing body's entire online infrastructure was thinly guarded from any random hacker on the Internet. With an easily crafted fake account, they managed to reach all of the systems used to run the World Cup. If BobDaHacker had worse intentions, they could have easily blacked out the tournament for global audiences or even replaced everyone's television streams with pornography. Instead, they invested unusual effort in responsibly reporting the issue.

Dark Reading attempted but ultimately failed to reach FIFA for comment and clarification on this story.

How to Hack the World Cup

Anyone can file to become a football agent, whether you're a louse exploiting some South American wunderkind or Adrien Rabiot's mother. All you have to do is submit your ID and verify your email address on the FIFA Agent Platform. If you freely choose to do that, FIFA will create an account for you in its Microsoft Entra tenant. Evidently, it's the same tenant that supports all of FIFA's internal systems.
BobDaHacker registered as an agent, then attempted to exploit their new account to reach FIFA's core data platform. The response from the server was reassuring: They were denied, thanks to a lack of privileges. Except that response was superficial. Behind the outward access-denied message, the system's backend API had no compunction about serving up whatever access BobDaHacker wanted.

"I see this constantly," the hacker tells Dark Reading. "Client-side authorization with no server-side enforcement is one of the most common patterns I find in my work. Big companies especially love to build a pretty Angular or React frontend that checks your roles and shows an 'access denied' page, and then the backend just serves everything to any authenticated user."

The ethical hacker walked past FIFA's client-side guardrails and reached its streaming management platform: the live production hub for all World Cup broadcasting.

Complete World Cup Broadcast Takeover

It would have been one thing if access to FIFA's production environment merely allowed a user to watch all of the tournament's camera feeds. Remarkably, it also came with a complete set of controls. BobDaHacker could have blacked out Cote d'Ivoire versus Ecuador midgame, or they could've replaced it with whatever other video they wanted.

"An attacker could have Rickrolled the entire FIFA World Cup. Or played Subway Surfers gameplay. Live. On every TV network worldwide. During an active match," BobDaHacker wrote on his blog.

That was the most extreme, but far from the only consequence a malicious hacker could have wrought. The same, unprivileged football agent account granted entry into FIFA's match management platform, from which a hacker could have adjusted scores and other match data in real time, or even changed the start time of any upcoming match.
Additionally, it granted access to FIFA's commentary information system, where a prankster could have had fun influencing what commentators of all languages said live on the air. It also granted access to FIFA's gametime analytics platform and its developer environment, home to files pertaining to revenues, player transfers, and more.

For anyone willing to listen, BobDaHacker emphasizes that "client-side authorization is not authorization. If your frontend is the only thing checking roles, you don't have access control, you have a suggestion. The server has to enforce it. Every API route, every endpoint, no exceptions."

They add that "FIFA isn't uniquely bad here; I've found similar stuff at Fortune 500 companies across food and beverage, airlines, robotics, entertainment, you name it. The pattern is always the same: The frontend does the access control; the API doesn't. What makes FIFA stand out is the severity of what was exposed, not the vulnerability itself."

FIFA's Own Goal

As is often the case at organizations with immature cybersecurity, BobDaHacker failed at all attempts to report the Entra vulnerability to FIFA. "The fact that FIFA has no security.txt, no vulnerability disclosure policy (VDP), no bug bounty program, and no way for a researcher to reach them at all kind of speaks for itself," they say. "I had to call CISA and the FBI because FIFA made it impossible to report to them directly."

Undeterred and furiously Googling in the wee hours of the morning, the hacker figured out that the Cybersecurity and Infrastructure Security Agency (CISA) is actually the federal lead for cybersecurity at the 2026 World Cup. They called CISA's hotline and the FBI, and thanks to those authorities, the issue appeared to be fixed the following day. Still, there's some irony in the extent of the World Cup's cybersecurity issues, given CISA's support for the event.
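The pattern BobDaHacker describes, as an added example that is not FIFA's code or anything from the article: a stream-control endpoint that trusts the frontend's role check, beside one that consults a per-route policy on the server and denies any route with no policy entry. All sessions, routes, role names and actions below are constructed.

```javascript
// Constructed sessions (hypothetical): an "agent" who self-registered on the
// public portal, and an operator who is actually allowed to touch stream controls.
const AGENT_SESSION = { sub: 'agent-0001', roles: ['agent'] };
const OPERATOR_SESSION = { sub: 'ops-0042', roles: ['broadcast_operator'] };

// Vulnerable pattern: the API only checks that *some* session exists and relies
// on the frontend to hide the controls from users without the right role.
function vulnerableStreamControl(session, body) {
  if (!session) return { status: 401, body: 'login required' };
  return { status: 200, body: `stream action '${body.action}' applied` };
}

// Hardened pattern: business handlers never run until authorize() has said yes.
const HANDLERS = {
  'POST /streams/control': (s, body) =>
    ({ status: 200, body: `stream action '${body.action}' applied` }),
  'GET /agents/me': (s) => ({ status: 200, body: s.sub }),
  // Deliberately left out of ROUTE_POLICY to show deny-by-default.
  'GET /analytics/export': () => ({ status: 200, body: 'report data' }),
};

// Server-side policy: which roles may call which route.
const ROUTE_POLICY = {
  'POST /streams/control': ['broadcast_operator'],
  'GET /agents/me': ['agent', 'broadcast_operator'],
};

const denials = []; // audit trail of refused calls; a feed for detection rules

function authorize(session, route) {
  const allowed = ROUTE_POLICY[route] || []; // missing row => nobody is allowed
  const ok = session.roles.some((role) => allowed.includes(role));
  if (!ok) denials.push({ sub: session.sub, route });
  return ok;
}

function hardenedHandle(route, session, body) {
  const handler = HANDLERS[route];
  if (!handler) return { status: 404, body: 'not found' };
  if (!session) return { status: 401, body: 'login required' };
  if (!authorize(session, route)) return { status: 403, body: 'forbidden' };
  return handler(session, body);
}
```

The recorded denials are the signal to watch for: a self-registered account hitting operator routes is exactly the probe the article describes.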
"If CISA's partnership with FIFA included anything about vulnerability handling or incident response, it clearly didn't trickle down to FIFA's actual security posture," BobDaHacker notes.

In a long statement shared with Dark Reading, CISA outlined its contributions to the 2026 World Cup, which include cybersecurity and physical security exercises it has held for host cities and stadiums, FIFA base camps, hotels, and regional critical infrastructure. It made no reference to the security of FIFA's digital infrastructure or the integrity of national TV broadcasts.

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media. He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify. He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.