Sports

Security flaw exposed FIFA systems that could hijack World Cup streams

A researcher found a path from FIFA’s agent portal to controls over World Cup camera feeds, exposing how one flaw could have disrupted live broadcasts.

Lisa Park··2 min read
Published
Listen to this article0:00 min
Security flaw exposed FIFA systems that could hijack World Cup streams
Source: TechCrunch

A single authentication failure inside FIFA’s online systems opened a path from a licensed-agent portal to a streaming panel with the power to start, stop and schedule World Cup feeds. The researcher, who uses the handle Bobdahacker, said the breach could have let an attacker hijack the broadcast chain for every match and every camera angle, turning a hidden backend flaw into a global live-TV crisis.

Bobdahacker said the issue began on fdp.fifa.org, where FIFA’s front end rejected her new Microsoft Entra identity but the backend APIs still served whatever she requested. From there, she reached internal FIFA systems, including a streaming management panel tied to live World Cup camera feeds. She said each camera had an RTMP ingest URL with a stream key appended, and the same key was used for all five video feeds, creating a path for an attacker to push outside video into the broadcast. In her account, the route ran from stadium cameras into FIFA’s broadcast chain, then to MediaKind and onward to broadcast partners and viewers’ televisions.

AI-generated illustration
AI-generated illustration

The scale of the exposure matters because FIFA’s media operation sits on infrastructure built for massive traffic and low tolerance for error. MediaKind says its MK.IO platform is designed for ultra-low-latency 4K HDR streaming, scales in real time, and supports thousands of live events and billions of streams each year. MediaKind also said it supported DAZN’s global streaming of the FIFA Club World Cup 2025, which included 32 clubs, 63 matches across 12 U.S. stadiums and distribution to hundreds of millions of viewers in more than 200 markets. A compromise of FIFA’s internal controls during a live World Cup match could have meant far more than a technical hiccup: it could have interrupted coverage, broken advertiser inventory and damaged trust in one of sport’s most watched events.

Related photo
Source: bobdahacker.com

Bobdahacker said she was unable to reach FIFA directly, but notified MediaKind, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI. She said the vulnerability was patched by the next morning. FIFA did not respond to a request for comment. She also urged FIFA to publish a security.txt file so researchers have a clear reporting path for bugs before attackers can find them first.

Related stock photo
Photo by AN Nhol

The episode landed as officials and security researchers were already warning that the 2026 World Cup faces a wider threat environment. In February 2026, lawmakers heard that funding cuts, fragmented intelligence sharing and cybersecurity gaps were straining preparations. On June 5, 2026, researchers and the FBI warned that World Cup scams were already spreading online, with more than 4,300 fraudulent FIFA domains registered since August 2025 and more than 150 million ticket requests in the first 15 days. With 48 teams, 104 matches and 16 host cities across the United States, Canada and Mexico, the tournament’s scale leaves no room for fragile systems.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.

Did this article answer your question?

Discussion

More in Sports