Researcher says FIFA World Cup systems exposed live broadcast controls
#Cybersecurity

Tech Essays Reporter

A public FIFA agent account gave a researcher access to production broadcast tools, live match feeds, stream keys and write controls, according to his report.

A security researcher who registered through FIFA's public agent portal says FIFA added his account to the same Microsoft Entra tenant that powered internal football data and broadcast systems for the FIFA World Cup 2026.

The account had no assigned FIFA Football Data Platform role. The web app showed an access denial page, but the backend accepted requests from the account and returned production data, according to the researcher.

[Image: FIFA registration failed]

The path began at agents.fifa.org, where the researcher submitted identification for the FIFA Agent Platform. After one successful registration, FIFA sent a confirmation email and placed the account inside its Entra environment.

[Image: FIFA FAP confirmation email]

From there, the researcher reached fdp.fifa.org, FIFA's Football Data Platform. The front end checked the token, saw no roles and displayed a denial message. The APIs did not enforce the same role check.

That gap gave the account access to the Streaming Management panel, according to the researcher. The panel listed FIFA World Cup 2026 matches, camera feeds, RTMP ingest URLs, preview manifests, output URLs and stream keys.

[Image: Streaming Management panel showing all World Cup matches]

Each match showed five camera angles, including PGM, Tactical, Camera1, High Behind Left and High Behind Right. The researcher said one shared stream key covered the angles for a match.

[Image: Expanded match showing all five camera RTMP URLs]

The risk went beyond viewing data. The panel also showed start, stop and schedule controls for match streams. The researcher said he did not use those controls and did not push video to any RTMP endpoint.

A working preview manifest opened in VLC, according to the researcher. That test showed a live tactical camera feed from an active match. He closed the feed after confirming access.

The impact could have reached broadcast partners. RTMP ingest URLs feed video into streaming infrastructure before distribution to broadcasters. A person with a valid endpoint and stream key can send video into the ingest path if the service accepts the stream.

FIFA used MediaKind infrastructure for the streaming endpoints, according to the researcher. The exposed URLs pointed to MediaKind hosts in Europe.

The same account also reached other areas of FIFA's data platform, including competitions, matches, teams, tools, an exchange platform, an analysis dashboard, FIFA AI Pro, admin pages and the Commentator Information System at cis.fifa.org.

The Commentator Information System included live match dashboards, tactical views, player positions, formations, substitutions, notes and prepared facts for broadcast teams. The researcher said the account could read editorial notes and pre-match stats kits.

The platform also exposed write surfaces in match management. The account could access fields for live stats, match time, score, attendance, possession, post-match statistics, team registration statistics, tactical lineup data and event ingress details, according to the report.

That access matters because commentators and broadcast graphics teams depend on this data during matches. A bad actor who changed lineup data, kickoff timing, scores or editorial notes could affect information that reaches production teams.

The researcher also found an Azure Function app that returned metadata and direct Azure Blob Storage links for 23 internal spreadsheet files. The file names suggested transfer reports, revenue comparisons, representation data and referee or coach statistics.

FIFA had no public bug bounty program, no listed security contact and no security.txt file, according to the researcher. He sent emails to several FIFA addresses, contacted a FIFA technology executive through WhatsApp, called FIFA lines in Switzerland and called the Dallas convention center tied to the International Broadcast Centre.

MediaKind answered its support line and asked for details. The researcher also contacted CISA, which has worked on World Cup cybersecurity planning, and sent the agency the report. He said FBI contacts also responded through Signal.

By the next day, the account received server-side 403 responses. FIFA fixed the authorization failure, according to the researcher, but did not respond to his report.

The root cause fits a common security failure: the front end enforced authorization, but the backend trusted any authenticated account in the tenant. Modern identity systems can authenticate a user, but each backend still has to check roles, scopes and object access on every request.

FIFA's public agent registration created the entry point. Shared tenancy widened the blast radius. Missing API authorization turned a no-role account into a production operator.

FIFA can reduce the next incident with a public vulnerability disclosure policy, a security.txt file, a staffed security contact and server-side authorization tests across internal APIs. The larger lesson applies to any organization that connects public registration to internal identity: authentication grants identity, not permission.
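The failure described above, and the server-side authorization test the last paragraph calls for, as an added illustration. This is example code written for this article, not FIFA's, MediaKind's or the researcher's code. The token format (an HMAC-signed "payload.signature" string with a shared secret), the tenant id, the role names, the match data and the function names are all constructed assumptions; a real Entra backend validates tokens against the tenant's published signing keys and reads roles from the claims the identity provider issues. The point is the contrast between a handler that stops at authentication and one that also checks a role on every request, plus a regression check that a no-role tenant account always receives 403.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional, Tuple

# Constructed values for this example only. A real backend verifies tokens
# against the identity provider's published keys, not a shared secret.
SECRET = b"demo-signing-secret-not-real"
TENANT_ID = "tenant-id-placeholder"

# Constructed stand-in for a streaming panel's data: match ids and camera
# angle names only, no ingest URLs or stream keys.
MATCHES = {
    "match-001": ["PGM", "Tactical", "Camera1", "High Behind Left", "High Behind Right"],
    "match-002": ["PGM", "Tactical", "Camera1", "High Behind Left", "High Behind Right"],
}

# Hypothetical role model: viewers may read, only operators may control streams.
REQUIRED_ROLES = {
    "read": {"streaming.viewer", "streaming.operator"},
    "control": {"streaming.operator"},
}

Response = Tuple[int, dict]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Mint a compact 'payload.signature' token (constructed format, not Entra's)."""
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def authenticate(token: str) -> Optional[dict]:
    """Authentication only: checks signature and tenant. Says who the caller is,
    not what the caller may do. Returns the claims, or None if invalid."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all derive from ValueError
        return None
    if not isinstance(claims, dict) or claims.get("tid") != TENANT_ID:
        return None
    return claims


def vulnerable_streaming_api(token: str, action: str = "read") -> Response:
    """Mirrors the failure in the article: any authenticated tenant account,
    roles or not, receives production data and may invoke control actions."""
    claims = authenticate(token)
    if claims is None:
        return 401, {"error": "unauthenticated"}
    if action == "control":
        return 200, {"result": "stream control accepted"}
    return 200, {"matches": MATCHES}


def hardened_streaming_api(token: str, action: str = "read") -> Response:
    """Same endpoint with server-side authorization on every request."""
    claims = authenticate(token)
    if claims is None:
        return 401, {"error": "unauthenticated"}
    allowed = REQUIRED_ROLES.get(action)
    if allowed is None:
        return 400, {"error": "unknown action"}
    roles = set(claims.get("roles", []))
    if not roles & allowed:
        # Authenticated, but not permitted: the response the researcher
        # eventually saw once the fix landed.
        return 403, {"error": "forbidden"}
    if action == "control":
        return 200, {"result": "stream control accepted"}
    return 200, {"matches": MATCHES}


def authorization_regression(api: Callable[[str, str], Response]) -> bool:
    """Server-side authorization test: a valid tenant account with no roles
    must receive 403 for every action, never data or a control result."""
    no_role = issue_token({"tid": TENANT_ID, "sub": "agent-portal-user", "roles": []})
    return all(api(no_role, action)[0] == 403 for action in REQUIRED_ROLES)


if __name__ == "__main__":
    for name, api in (("vulnerable", vulnerable_streaming_api), ("hardened", hardened_streaming_api)):
        print(f"{name}: no-role account blocked on every action -> {authorization_regression(api)}")
```

`authorization_regression` is the kind of check that belongs in an API test suite: it does not need to know the product, only that a token with a valid signature and the right tenant but an empty roles claim is rejected at the backend, independently of whatever the web front end displays.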
