Access Control Weakness Revealed FIFA World Cup Match Streams to Unrestricted Access



Brief Overview

  • Significant access control vulnerability permitted unrestricted access to FIFA World Cup streams.
  • Researcher BobDaHacker identified the flaw via FIFA’s agent registration site.
  • The vulnerability granted access to stream keys, camera feeds, and match data.
  • Inadequate backend verification enabled unauthorized access for any authenticated user.
  • The researcher notified U.S. authorities after efforts to reach FIFA went unanswered.
  • FIFA has yet to reply to the researcher but swiftly addressed the issue.

Uncovering the Flaw

An inquisitive researcher, referred to as BobDaHacker, discovered a critical access control vulnerability on one of FIFA’s public platforms. This flaw made live broadcast stream keys, camera feed access, and match statistics available to anyone who passed a straightforward identity verification process at an agent registration portal.

Source: BobDaHacker

Technical Insights and Consequences

After finalizing registration for prospective football agents, the researcher discovered that her account was incorporated into FIFA’s Microsoft Entra tenant, the identity and access management (IAM) system for FIFA’s internal operations. The backend did not enforce role verification, allowing any authenticated member of the Entra tenant to access data. This flaw enabled BobDaHacker to reach the streaming management dashboard and Real-Time Messaging Protocol (RTMP) ingest links for all FIFA World Cup 2026 matches.

Each game used a single stream key across five different camera views, including the main broadcast feed. An attacker holding that one key could therefore have hijacked every camera feed at once and disrupted live broadcasts worldwide. Additionally, the researcher’s account had access to the Commentator Information System, which held editorial comments, team information, and other essential match details.
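The authorization gap described above, as an added example that is not FIFA’s code: a backend handler that trusts Entra tenant membership alone, beside one that also requires an explicit application role. The claim names (`tid`, `oid`, `roles`) follow Entra ID access tokens; the tenant id, role name and stream records are constructed placeholders.

```python
# Added example, not the original page's code. Models the missing
# backend role check: "authenticated in the tenant" is not "authorized
# for the streaming dashboard". Entra ID only includes a `roles` claim
# when an app role has been assigned, so the hardened check must treat
# an absent claim as "no roles" and deny by default.

FIFA_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder tenant id
STREAM_ADMIN_ROLE = "Stream.Admin"                        # hypothetical app role

# Constructed stand-in for the streaming dashboard's data store.
STREAMS = {
    "match-001": {"ingest": "rtmp://ingest.example.invalid/live", "key": "<redacted>"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the stream records."""


def vulnerable_get_streams(claims):
    """Before: any authenticated member of the tenant gets the data."""
    if claims.get("tid") != FIFA_TENANT_ID:
        raise Forbidden("wrong tenant")
    return STREAMS  # no role check: an agent-registration account passes


def hardened_get_streams(claims):
    """After: tenant membership AND an explicit app role are both required."""
    if claims.get("tid") != FIFA_TENANT_ID:
        raise Forbidden("wrong tenant")
    roles = claims.get("roles") or []      # missing claim -> no roles
    if STREAM_ADMIN_ROLE not in roles:
        raise Forbidden("missing role %s" % STREAM_ADMIN_ROLE)
    return STREAMS


# Constructed decoded tokens: a registered agent vs. a broadcast operator.
AGENT_CLAIMS = {"tid": FIFA_TENANT_ID, "oid": "agent-0001"}  # no roles claim
OPERATOR_CLAIMS = {"tid": FIFA_TENANT_ID, "oid": "ops-0001", "roles": [STREAM_ADMIN_ROLE]}


def can_access(handler, claims):
    """True if `handler` returns data for `claims`, False if it refuses."""
    try:
        handler(claims)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("agent, vulnerable:", can_access(vulnerable_get_streams, AGENT_CLAIMS))
    print("agent, hardened:  ", can_access(hardened_get_streams, AGENT_CLAIMS))
    print("operator, hardened:", can_access(hardened_get_streams, OPERATOR_CLAIMS))
```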

Obstacles in Reporting

BobDaHacker encountered considerable difficulties in reporting the vulnerability, characterizing it as an “absolute nightmare” due to FIFA’s absence of a bug bounty program or designated security contacts. After unsuccessful attempts to reach out to FIFA, she informed U.S. authorities, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), and received feedback from them. Despite a quick resolution to the problem, FIFA has not acknowledged the researcher’s contributions.

Conclusion

The access control flaw in FIFA’s systems illustrates why backend authorization must check a caller’s role, not merely that the caller is authenticated, to prevent unauthorized access. Although the issue was promptly resolved, FIFA’s silence toward the researcher underscores the need for clear, published channels for reporting vulnerabilities.

Frequently asked questions

What type of vulnerability did BobDaHacker find?

The vulnerability was a misconfiguration in access control that left FIFA World Cup match streams, camera feed access, and match data exposed to unauthorized individuals.

How did the researcher gain entry to FIFA's systems?

By completing the registration for prospective football agents, the researcher was incorporated into FIFA’s Microsoft Entra tenant, which did not have sufficient backend role validation.

What possible consequences could this vulnerability have led to?

Potential attackers could take control of camera feeds, modify live broadcasts, and alter match statistics and other essential information.

How was the vulnerability reported by the researcher?

Following unsuccessful attempts to connect with FIFA, the researcher reported the problem to U.S. agencies like CISA and the FBI, receiving feedback from them.

Has FIFA replied regarding the vulnerability report?

Even though the problem was resolved quickly, FIFA has not yet responded to the researcher.

Is there information on how long the vulnerability existed?

The duration of the vulnerability’s presence on FIFA’s platform remains unclear.

Posted by Matthew Miller

Matthew Miller is a Brisbane-based Consumer Technology Editor at Techbest covering breaking Australia tech news.
