A security researcher publishing under the handle BobDaHacker disclosed on June 16 that they had discovered a critical broken access control vulnerability in FIFA’s Football Data Platform (fdp.fifa.org) while the World Cup 2026 was underway. The attack required only registering on FIFA’s public football agent portal (agents.fifa.org) and submitting a government ID — completing registration adds the account to FIFA’s Microsoft Entra tenant, which is shared across all internal FIFA platforms. The Angular frontends checked the resulting JWT token for role claims and correctly displayed an “access denied” page; however, the backend APIs performed no role verification and served all data to any authenticated tenant member. Using this path, the researcher reached the Streaming Management panel, which listed every World Cup match with RTMP ingest URLs and stream keys for five camera angles per match — PGM (main programme), Tactical, Camera 1, High Behind Left, and High Behind Right — hosted on FIFA’s production streaming infrastructure via MediaKind. The researcher confirmed the preview manifests were live by loading one in VLC, then closed it immediately. The panel also exposed start, stop, and schedule controls for every active feed; the researcher states they did not interact with any stream controls or push video to any RTMP endpoint. Additional access included the Commentator Information System (cis.fifa.org), the complete live match analytics dashboard with write access to scores, statistics, kick-off times, and tactical lineups, and an Azure dev environment exposing 23 internal FIFA spreadsheets via unauthenticated blob storage URLs.
The disclosure process was, by the researcher’s account, a multi-hour ordeal: FIFA has no published security.txt, no vulnerability disclosure policy, and no bug bounty program, and after emails to more than ten FIFA addresses bounced or went unanswered, the researcher placed calls to FIFA’s Zurich headquarters, its Dallas broadcast centre, host broadcast partner HBS, and eventually reached MediaKind’s support line, which understood the issue and accepted a full report. CISA — which holds the federal cybersecurity lead role for the World Cup 2026, including broadcast systems — was also called on its 24/7 line and received the report, and existing FBI contacts were messaged via Signal. The vulnerability was patched before the following morning; server-side 403 responses now enforce role checks. FIFA has not responded to the researcher in any form, though it did leave their account on the official match document distribution list, from which they continue to receive Start Lists, Tactical Lineups, and Full Time Match Reports.