Registered on FIFA's public Agent Platform with my ID, got added to their Microsoft Entra tenant, and found the Angular app only checked roles client-side. The backend APIs served everything: RTMP ingest URLs and stream keys for every live World Cup 2026 camera feed across all five angles. Confirmed live in VLC. An attacker could have pushed arbitrary video to the ingest endpoints and replaced broadcast feeds on TV worldwide. Write access to match stats, commentator notes, and the live score system was also exposed.

How could that possibly, ever have made it through. Every single API for every single service didn't check the JWT?

Really amusing to read this one. I did something similar for Qatar 2022 and got access to roster submission (https://zachholman.com/posts/hacking-fifa). To their credit they patched it pretty quickly, but their promised "token of appreciation" never came. (Although on the other hand, they didn't sue me, so I guess that's a win.)

Awesome read! Congratulations on discovering this and reporting. Hope you get something back from FIFA. This could've lead to some huge disaster if it failed under the wrong hands.

Love your writing skills as well!

> I closed it immediately. But the damage was done (to my brain).

Laughed so hard when I read this one :D

Holy crap. Had to pick my jaw up off the floor. I hope you get some kind of acknowledgement or bounty for this. Kudos for having the willpower to resist sending a message to millions of people and sparking a global phenomenon!

> Replace that, and every TV network receiving the FIFA feed shows whatever you pushed.

Holy shit, Rickrolling is among the more harmless things you could have done with that.

Great article! You must be pretty confident to click the "stop streaming" button without knowing whether a confirmation modal will pop up or not

Clearly a big f-up by FIFA on what looks like quite a tidy platform otherwise.

One question though, how do you know your feed would kick off the 'real' feed if you pushed to RTMP, does it just take the most recent connection as live? Does the protocol have a mechanism for dealing with multiple people pushing to the same endpoint? There maybe more checking on that endpoint and if course I'm sure most live broadcasters would have a live director to cut any feeds at their end if a dodgy feed popped up too.

A huge vulnerability nonetheless and a great write up!

Please stop using AI to write for you, it ruins what is otherwise a fascinating story, and on reflection I struggle to trust it.

If you used AI to generate the blog post, did you use AI to generate the screenshots and story?