FIFA World Cup TV stream vulnerable to tampering due to simple security flaw
Security researcher BobDaHacker exploited a flaw in FIFA's internal system to access and control the TV stream of every World Cup game.

A security researcher claims to have accessed several internal FIFA platforms due to a simple security flaw, which allowed her to watch and have full control of the TV stream of every World Cup game. The researcher, who goes by BobDaHacker, said she simply registered as a player agent on FIFA's official agent registration platform. Then, thanks to having that account and a flaw in FIFA's back-end API, which didn't check if a user actually had the proper authorization, she was able to access several internal FIFA platforms.
This included the system that allows broadcasters to control what gets displayed on people's TVs across the world, and what gets displayed on commentators' screens as they narrate the match, per the researcher. "A single attacker could hijack every camera simultaneously. An attacker could have rickrolled the entire FIFA World Cup," BobDaHacker wrote in a blog post published on Tuesday.
BobDaHacker reported the flaw on Tuesday night Japan time, and FIFA fixed the issue a few hours later, without ever acknowledging the researcher's report. FIFA did not immediately respond to TechCrunch's request for comment. The vulnerability in FIFA's internal system raises concerns about the integrity of live broadcasts and the potential for malicious actors to disrupt global events.
This incident highlights the importance of robust security measures in the sports broadcasting industry, where a single flaw can have far-reaching consequences. For developers and businesses, it is a reminder to prioritize API security, and in particular authorization checks in the back end, to prevent similar breaches. For consumers, it underscores the need for vigilance and awareness of potential security risks associated with live streaming.
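The gap between "logged in" and "allowed" described above can be caught with an access-matrix regression test. The following is an added example, not code from FIFA, the researcher, or TechCrunch; the route names, role names and session shape are hypothetical.

```python
# Hypothetical route policy: every route must name the roles allowed to call it.
POLICY = {
    "GET /agent/profile": {"player_agent"},
    "GET /broadcast/feeds": {"broadcast_operator"},
    "POST /broadcast/feeds/switch": {"broadcast_operator"},
}

# Constructed test inputs; the last route has no policy entry on purpose.
ROLES = ["player_agent", "broadcast_operator"]
ROUTES = list(POLICY) + ["GET /internal/debug"]


def flawed_check(session, route):
    """Pattern described in the article: a valid login is treated as enough."""
    return session is not None


def authorize(session, route):
    """Deny by default: no session, unknown route, or unlisted role is refused."""
    if session is None:
        return False
    return session.get("role") in POLICY.get(route, set())


def access_matrix(check, roles, routes):
    """Evaluate a check for every (role, route) pair."""
    return {(role, rt): check({"role": role}, rt) for role in roles for rt in routes}


def excess_access(roles, routes):
    """Pairs the login-only check admits that the policy does not grant."""
    flawed = access_matrix(flawed_check, roles, routes)
    strict = access_matrix(authorize, roles, routes)
    return sorted(pair for pair in flawed if flawed[pair] and not strict[pair])


if __name__ == "__main__":
    for role, route in excess_access(ROLES, ROUTES):
        print(f"login-only check over-grants: {role} -> {route}")
```

Running the matrix in CI against the real route table flags any endpoint that a low-privilege role can reach, including routes that were added without a policy entry.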
The fact that FIFA fixed the issue without acknowledging BobDaHacker's report also raises questions about transparency and communication in the event of a security vulnerability.
Source: TechCrunch