IT security researcher ‘Bobdahacker’ registered on FIFA’s Agent Platform using an ID and an email address. This created an account in FIFA’s Microsoft Entra tenant, which organizes all internal platforms. Although her account had no permissions, the system only checked them client-side, not via the backend API — a rookie mistake, as the hacker notes.
This gave her access to manage the World Cup livestreams. She could have stopped live broadcasts or sent her own video content to viewers’ TV sets worldwide. According to heise.de, it is unclear whether the streams from stadium cameras were actually the data feeds that TV broadcasters use for their transmissions. Nevertheless, she had access to Teams, tools, Exchange, and admin functions, meaning she could also have manipulated editorial notes, kickoff times, and statistics.
‘Bobdahacker’ could not establish direct contact with FIFA headquarters or the companies responsible for the broadcasts. Only after contacting the US cybersecurity agency CISA and the FBI was a solution set in motion. FIFA has since closed the vulnerability and moved the Agent Platform from agent.fifa.org to a .com domain. The hacker criticizes that FIFA has not provided any feedback or thanks.
Source: t3n.de
