A security researcher known as “Bob the Hacker” has claimed he uncovered a serious flaw in FIFA’s systems that allegedly could have exposed some of the most sensitive broadcast infrastructure for the 2026 World Cup, including production dashboards, cameras and real-time match data.
According to the researcher, the vulnerability stemmed from FIFA’s official player agents portal. He said any user could register for the service with a standard ID document and automatically receive permissions inside FIFA’s corporate cloud environment, based on Microsoft Entra.
Real-time dashboard used by broadcast teams and commentators during live matches
(Photo: Screenshot)
The claim, if accurate, points to a basic access-control failure at the heart of one of the world’s most complex sports broadcasting operations.
Full access to World Cup control systems
According to the researcher’s blog post, user-facing FIFA websites displayed “access denied” screens when he attempted to reach restricted areas. But the back-end API servers allegedly did not enforce the same permission checks on the server side. The result, he said, was unchecked access to a World Cup production dashboard.
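The failure pattern described above, where the web front end refuses access but the API behind it does not, is sketched below as an added example; it is not code from FIFA or from the researcher's post. All route names, roles and tokens are constructed for illustration. It shows deny-by-default authorization enforced in the API handler, plus an audit helper that lists routes a low-privilege session can reach.

```python
# Added illustration: routes, roles and tokens are constructed, not FIFA's.
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset

# Constructed session store: token -> authenticated principal.
SESSIONS = {
    "tok-agent": Principal("agent-1", frozenset({"agent"})),  # self-registered user
    "tok-prod": Principal("producer-1", frozenset({"broadcast_ops"})),
}

# Server-side policy: the role each route requires. A route with no
# entry here is refused, so a forgotten entry fails closed.
ROUTE_POLICY = {
    "/api/agents/profile": "agent",
    "/api/broadcast/dashboard": "broadcast_ops",
    "/api/broadcast/feeds": "broadcast_ops",
}

HANDLERS = {
    "/api/agents/profile": lambda p: {"user": p.user_id},
    "/api/broadcast/dashboard": lambda p: {"dashboard": "constructed sample"},
    "/api/broadcast/feeds": lambda p: {"feeds": []},
    "/api/broadcast/stats": lambda p: {"stats": []},  # policy entry forgotten
}

def handle(path, token, enforce=True):
    # enforce=False models the reported flaw: the API authenticates the
    # caller but leaves authorization to the web front end.
    principal = SESSIONS.get(token)
    if principal is None:
        return 401, {"error": "unauthenticated"}
    handler = HANDLERS.get(path)
    if handler is None:
        return 404, {"error": "not found"}
    if enforce:
        required = ROUTE_POLICY.get(path)
        if required is None or required not in principal.roles:
            return 403, {"error": "forbidden"}
    return 200, handler(principal)

def audit(token, enforce=True):
    # Routes this session reaches although policy does not grant them.
    roles = SESSIONS[token].roles
    return sorted(path for path in HANDLERS
                  if handle(path, token, enforce)[0] == 200
                  and ROUTE_POLICY.get(path) not in roles)
```

Running `audit` for every low-privilege role against each API release turns this class of bug into a failing test rather than a production finding.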
The researcher claimed the system included direct access to tools used to manage cameras, broadcast angles and live feeds from stadiums. In theory, he said, such access could have allowed an attacker to replace an official match feed with unrelated or offensive content sent toward global broadcast networks.
The alleged exposure went beyond live video. The researcher said he was also able to access real-time statistics systems, commentator notes and internal corporate databases. Such information could have carried commercial value, including for betting markets, if exploited before being secured.
Where was FIFA’s security process?
The researcher said FIFA did not appear to have a basic vulnerability disclosure process, forcing him to make urgent late-night calls to international law enforcement and intelligence agencies in an effort to get the report taken seriously.
The episode highlights a growing risk in modern sports broadcasting. Major live events are no longer protected mainly by isolated analog satellite systems. They now rely heavily on IP networks, cloud environments and streaming protocols, including RTMP and HLS.
That shift has made the broadcast supply chain more flexible and efficient, but also more exposed. A single authentication mistake, misconfigured API or weak permissions model can create a broad attack surface across systems that control what billions of viewers may see.
Similar streaming and broadcast disruptions in recent years have shown how vulnerable digital infrastructure can become when core distribution systems move from physical equipment to software-based networks.
FIFA reportedly closed the flaw after the researcher’s warnings. But the organization’s silence afterward, according to the account, suggests global sports institutions still have a long way to go in building transparent and mature cybersecurity procedures.
The gap is increasingly difficult to ignore. Sports bodies can now deliver 8K broadcasts and real-time data to audiences worldwide, yet their digital operations may still depend on basic access controls that, if poorly designed, can expose the front door of the organization.
For an event the size of the World Cup, that kind of failure is not just a technical problem. It is a reputational, operational and commercial risk that could affect broadcasters, sponsors, betting markets and fans around the world.


