World Cup 2026 Bug Exposed World Cup Camera Feeds, Stream Keys
A white-hat hacker discovered a now-fixed authorization flaw in a FIFA World Cup 2026 platform that allowed users to access a World Cup camera feed and other resources.
The hacker, who goes by “Bobdahacker,” said the discovery began while exploring a platform maintained by the international soccer governing body for registering as a licensed agent. A successful registration meant being added to the association’s Microsoft Entra instance – which led Bobdahacker to access the streaming management panel.
“An attacker could have rickrolled the entire FIFA World Cup. Or played Subway Surfers gameplay. Live. On every TV network worldwide. During an active match.”
According to the researcher’s account, attempts to reach FIFA to report the web flaw were unsuccessful but she was able to notify MediaKind, FIFA’s streaming technology partner, as well as the U.S. Cybersecurity and Infrastructure Security Agency and the FBI.
“Sometime between my reports and the next morning, the vulnerability was patched,” Bobdahacker wrote. “Get a security.txt file. Seriously. It’s 2026,” she added, referring to a standardized file giving researchers directions for reporting security problems. FIFA did not respond to a request for comment.
The issue stemmed from an authorization failure on fdp.fifa.org, the association’s data platform. The system correctly rejected Bobdahacker’s new Entra ID as lacking authorization for the site, but the access control was all client-side – meaning that the backend APIs “just served whatever you asked for.”
That led her to the streaming management panel, a production site controlling stadium video cameras in live matches. “It wasn’t just read access. The Streaming Management panel had full controls. Start, stop, schedule. For every match. Every camera angle,” she wrote.
Each camera had a URL for sending video streams over Real-Time Messaging Protocol (RTMP), with a stream key appended at the end – the same key for each of the five video feeds. That meant that an attacker could have pushed any video with the stream key, overriding the soccer match. “Those RTMP ingest URLs are the literal pipe from the stadium cameras to FIFA’s broadcast distribution chain. Camera -> RTMP ingest -> MediaKind -> broadcast partners -> your TV,” she wrote.
Bobdahacker also found she could access other internal FIFA websites including a tracker capturing play metrics such as ball recovery timing and distance covered. Also accessible was a dashboard with live scores, upcoming matches and results, and a match management site through which an attacker could have changed the match time and scores.
“Client-side authorization is not authorization. Every intern learns this,” Bobdahacker concluded (see: McFlaw: Hacker Breaches McDonald’s Portal With URL Trick).
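The difference between a client-side gate and a server-side check, as an added example that is not code from the researcher's write-up or from FIFA's platform. The route names, role names and stream record are hypothetical, and the handlers assume the token's signature, issuer and audience were already validated upstream, with Entra app roles arriving in the `roles` claim.

```javascript
// Added illustration. Route names, role names and the stream record are
// hypothetical, constructed values; none come from the affected platform.
// Assumes req.claims holds claims from an access token whose signature,
// issuer and audience were already validated upstream.
const STREAMS = {
  "cam-1": { ingestUrl: "rtmp://ingest.example.invalid/live", streamKey: "constructed-key" },
};

// Server-held policy: the app role each route requires.
const POLICY = {
  "GET /streams/:id": "Streams.Read",
  "POST /streams/:id/stop": "Streams.Control",
};

// Client-side-only pattern: the front end hides the page from users who
// lack access, but the API answers any caller that asks.
function handleClientSideOnly(req) {
  const stream = STREAMS[req.params.id];
  return stream ? { status: 200, body: stream } : { status: 404 };
}

// Server-side pattern: every request is checked against the policy.
function handleServerSide(req) {
  if (!req.claims) return { status: 401 };               // not authenticated
  const required = POLICY[req.route];
  if (!required) return { status: 403 };                 // unknown route: deny by default
  const roles = Array.isArray(req.claims.roles) ? req.claims.roles : [];
  if (!roles.includes(required)) return { status: 403 }; // signed in, not authorized
  const stream = STREAMS[req.params.id];
  if (!stream) return { status: 404 };
  if (req.route === "POST /streams/:id/stop") {
    return { status: 200, body: { stopped: req.params.id } };
  }
  // Read-only roles get metadata; the stream key needs the control role.
  const { streamKey, ...metadata } = stream;
  return { status: 200, body: roles.includes("Streams.Control") ? stream : metadata };
}

// Constructed callers: a freshly registered directory member with no app
// roles, a read-only viewer, and an operator.
const newMember = { oid: "constructed-oid-1" };
const viewer = { oid: "constructed-oid-2", roles: ["Streams.Read"] };
const operator = { oid: "constructed-oid-3", roles: ["Streams.Read", "Streams.Control"] };

function request(route, claims) {
  return { route, params: { id: "cam-1" }, claims };
}
```

With the first handler, the newly registered member receives the stream record, key included; with the second, the same caller gets a 403 on every route, and a read-only viewer never sees the key.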
