Security Flaw Let Researcher Seize Control Of World Cup Broadcast Feeds
- Andrej Botka
- Jun 17

Subheadline: By registering on FIFA’s agent portal and exploiting a backend API that failed to verify permissions, a white-hat hacker says she could alter live TV and commentator displays before the governing body patched the bug
A security researcher using the handle BobDaHacker says she was able to gain access to multiple internal FIFA systems and manipulate the live broadcast of World Cup matches after signing up on the organization’s agent registration site. The researcher told reporters she used that account to reach a backend application programming interface that did not enforce proper permission checks, opening doors to administrative tools normally reserved for broadcasters.
According to the account, that access included the interface broadcasters use to select camera angles, insert graphics and deliver the video stream seen by viewers worldwide, as well as the screens fed to match commentators. With the elevated privileges the researcher says she obtained, an attacker could have interrupted the feed or substituted alternate footage across all channels simultaneously.
She published a write-up about the issue on her blog and alerted FIFA late Tuesday local time in Japan. FIFA corrected the vulnerability within hours but did not publicly acknowledge the report, and did not respond to a request for comment from TechCrunch. The researcher described the window for exploitation as short but potentially destructive.
Maya Patel, a former broadcast-systems engineer now working in security consulting, said misconfigured APIs are a common weak point in modern event infrastructures. “When an endpoint accepts requests without confirming a user’s role, it hands attackers an easy route to sensitive controls,” she said. Patel recommended immediate changes including role-based access controls, stricter authentication, and comprehensive auditing to detect unusual commands.
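The failure mode and the fixes described above, as an added example that is not code from FIFA, the researcher, or this article: an authentication-only handler sits beside one that applies a deny-by-default role check and records every decision for audit. The role names, action names, session fields and review threshold are all hypothetical.

```python
from collections import Counter

# Hypothetical roles and actions (assumptions); anything not listed is denied.
ROLE_PERMISSIONS = {
    "agent": {"view_profile"},
    "broadcaster": {"view_profile", "switch_camera", "insert_graphic"},
}
AUDIT_LOG = []  # stand-in for append-only audit storage

class Forbidden(Exception):
    """Raised when the caller's role does not permit the action."""

def handle_unchecked(session, action):
    """Weak pattern: authentication only, no role check."""
    if not session.get("authenticated"):
        raise Forbidden("login required")
    return f"executed {action}"

def handle_checked(session, action):
    """Role comes from server-side session state; deny by default and audit."""
    if not session.get("authenticated"):
        raise Forbidden("login required")
    user, role = session.get("user"), session.get("role")
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    AUDIT_LOG.append({"user": user, "role": role, "action": action, "allowed": allowed})
    if not allowed:
        raise Forbidden(f"role {role!r} may not perform {action!r}")
    return f"executed {action}"

def users_to_review(log, threshold=2):
    """Accounts with at least `threshold` denied requests, for analyst follow-up."""
    denied = Counter(e["user"] for e in log if not e["allowed"])
    return sorted(u for u, n in denied.items() if n >= threshold)

def demo():
    """Constructed sessions: a self-registered agent and a broadcaster."""
    AUDIT_LOG.clear()
    agent = {"authenticated": True, "user": "agent-17", "role": "agent"}
    crew = {"authenticated": True, "user": "crew-02", "role": "broadcaster"}
    results = {"unchecked": handle_unchecked(agent, "switch_camera")}
    for action in ("switch_camera", "insert_graphic"):
        try:
            handle_checked(agent, action)
        except Forbidden:
            pass  # the denial is already in AUDIT_LOG
    results["crew"] = handle_checked(crew, "switch_camera")
    results["review"] = users_to_review(AUDIT_LOG)
    return results
```

The role is taken from session state the server controls, never from a field in the request, and denied requests are logged before the exception is raised so they remain visible to whoever reviews the audit trail.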
There’s no public sign the flaw was used by malicious actors before it was fixed. Still, the episode highlights how vulnerable live sports operations can be when exposed to the internet, and underscores the need for broadcasters and rights holders to treat live-event management systems as high-risk assets.


