A major security vulnerability in internal systems used by football’s global governing body FIFA reportedly exposed tools that could have allowed unauthorized access to live World Cup broadcast controls, according to a security researcher.
The researcher, known online as “BobDaHacker,” claimed she discovered the flaw after registering as a player agent on FIFA’s official agent registration platform. That account allegedly provided access to internal systems because an API failed to properly verify user permissions.
Broadcaster controls potentially exposed
According to the researcher, the vulnerability could have granted access to systems used by broadcasters to manage live World Cup feeds — including what appears on television screens worldwide and the visual data displayed to commentators during matches.
In a public blog post, she warned that a malicious actor could potentially manipulate multiple broadcast camera feeds simultaneously.
“A single attacker could hijack every camera simultaneously,” she wrote, adding that the system was so exposed it could theoretically allow someone to “rickroll the entire FIFA World Cup.”
Rapid fix after disclosure
The researcher said the vulnerability was reported late Tuesday (Japan time), after which FIFA reportedly patched the issue within hours.
However, she noted that the organization did not publicly acknowledge her disclosure at the time of reporting.
FIFA has not yet responded to media requests for comment regarding the incident.
Security concerns raised
The case has raised fresh concerns about cybersecurity practices in major sports organizations, particularly those managing globally televised events with critical infrastructure and high-profile audiences.
Experts say such API-level authentication failures can pose significant risks if exploited, especially in systems connected to live broadcasting and media distribution.







