BobDaHacker Finds FIFA World Cup API Flaw Allowing Unauthorized Control Of Broadcast Streams

A security researcher identified a critical vulnerability in FIFA’s systems that, according to TechCrunch, allowed unauthorized access to internal platforms including the control system for World Cup broadcasts.

“FIFA security flaw allowed unauthorized access to TV stream control for World Cup matches A security researcher discovered she could have hijacked the broadcast feed of every World Cup game through a vulnerability in FIFA's internal systems”

Crypto Briefing

The researcher, who goes by BobDaHacker, said she registered as a player agent on FIFA’s official agent registration platform and then used a flaw in FIFA’s back-end API that didn’t check whether a user had proper authorization.

Crypto Briefing

TechCrunch reported that the compromised system could let an attacker control what gets displayed on people’s TVs across the world and on commentators’ screens as they narrate the match.

In the account published by SC Media, BobDaHacker said the flaw could allow a single attacker to hijack all cameras simultaneously or manipulate on-screen content globally, and FIFA addressed the issue within hours.

Crypto Briefing added that the vulnerability could have allowed her to take control of the television broadcast stream of every World Cup match, with the tournament running through July 19.

TechCrunch quoted BobDaHacker writing in a blog post that “A single attacker could hijack every camera simultaneously,” describing the scale of what the flaw could enable.

In the same TechCrunch report, BobDaHacker also wrote, “An attacker could have rickrolled the entire FIFA World Cup,” framing the risk as both disruptive and content-changing.

Korben

SC Media said BobDaHacker reported the vulnerability on Tuesday and that FIFA addressed the issue within hours, while noting FIFA has not publicly acknowledged the report.

Crypto Briefing said FIFA has not publicly confirmed any impact from the vulnerability and has not detailed what remediation steps it has taken.

Zamin.uz further stated that FIFA officials responded quickly and fixed the error within a few hours, but that FIFA had not officially acknowledged the report and had not expressed gratitude to the cybersecurity specialist.

While the FIFA internal-system flaw was disclosed as the 2026 World Cup got underway on June 11 across 16 host cities in the US, Canada, and Mexico, Newsweek described a separate security hurdle for Uruguay’s men’s team when arriving in Miami for their opening match.

“The Uruguay men’s team appeared to face another security hurdle when arriving in Miami for their opening match of the FIFA World Cup, having already had their flight from Mexico to the U”

Newsweek

Newsweek reported that a video on social media purported to show the team held outside their bus as security officers and sniffer dogs inspected luggage, with the players preparing to take on Saudi Arabia at Miami Stadium.

Newsweek said the Uruguay squad went on to draw 1-1 against Saudi Arabia on Monday, after a flight from Mexico to the U.S. was severely delayed by apparent paperwork issues involving a FIFA-provided flight lacking the required paperwork.

In the same Newsweek account, the Miami-Dade Sheriff’s Office said a “strictly enforced” drone ban is in effect around the stadium on match days, with the Federal Bureau of Investigation (FBI) assisting in investigations into violations both there and at other venues.

Crypto Briefing warned that the more immediate risk for fans interacting with World Cup-connected digital products over the next month included fake streaming applications and malicious domains that could siphon financial credentials, even as it distinguished those external threats from internal vulnerabilities that threaten the integrity of the event itself.