FIFA World Cup 2026 Streaming Panel Exposed via Entra Tenant Misconfig
A security researcher registered on FIFA's public agent platform and ended up with access to the live streaming management panel for the 2026 World Cup. The panel included RTMP ingest URLs, stream keys, and full start/stop controls for every match. The root cause: client-side authorization with no server-side enforcement.
The Attack Chain
The researcher registered on agents.fifa.org – a public portal for football agent licensing. Registration requires an ID photo and email verification. After three attempts (the first two failed due to poor lighting), the account was created.
FIFA's Microsoft Entra ID tenant (formerly Azure AD) automatically added the new user. That same tenant powers all of FIFA's internal platforms, including the Football Data Platform (fdp.fifa.org) and the Commentator Information System (cis.fifa.org).
When the researcher accessed fdp.fifa.org, the Angular frontend read the roles in the JWT, found only NO_ROLES, and rendered an "Access Denied" page. But the backend APIs performed no role check of their own: any valid token from the tenant was accepted. The researcher bypassed the client-side guard and reached the Streaming Management panel.
The Streaming Management Panel
The panel listed every FIFA World Cup 2026 match with five camera angles each: PGM (Program), Tactical, Camera1, High Behind Left, High Behind Right. Each camera had:
- An RTMP ingest URL (where the camera sends video)
- A preview manifest (for watching the feed)
- An output URL (HLS manifest for broadcast partners)
The RTMP ingest URLs followed the pattern:
rtmp://in-.westeurope.streaming.mediakind.com:1935/
The stream key was shared across all five cameras for a match. The researcher opened a preview manifest in VLC and confirmed it was live – an active World Cup match feed.
Full Control
The panel included start, stop, and schedule controls for every match and camera angle. An attacker could:
- Kill a live camera feed with one click
- Push arbitrary video to an RTMP ingest URL, replacing the PGM feed (the main broadcast output)
- Rickroll the entire World Cup or display any content on every TV network receiving the FIFA feed
The researcher did not test these controls.
Beyond Streaming
The NO_ROLES account also had write access to match management features:
- Update live stats (score, possession, etc.)
- Send tactical lineup data
- Adjust the official kick-off moment
- Modify editorial commentary notes published to broadcast systems
The Commentator Information System (cis.fifa.org) was also accessible, showing live scores, player positions, formations, and editorial notes prepared for broadcasters.
Exposed Dev Environment
The researcher found an Azure Function App at xxxxxxxxx-spreadsheets-api.azurewebsites.net that returned metadata and direct Azure Blob Storage download URLs for 23 internal FIFA files, including transfer reports, revenue comparisons, and referee statistics.
Reporting Nightmare
FIFA has no bug bounty program, no security.txt, and no published security contact. The researcher spent hours calling:
- FIFA HQ (closed, it was Sunday evening in Zurich)
- MediaKind (answered, understood, asked for details)
- HBS (hung up, then no answer)
- CISA (answered, asked for details)
- FBI contacts on Signal (responded)
The vulnerability was fixed by the next morning – the server now returns 403 for NO_ROLES accounts. FIFA never responded to the researcher.
The Root Cause
The entire breach came down to client-side authorization with no server-side enforcement. The frontend checked JWT roles and hid UI elements, but the backend trusted any authenticated tenant member. This pattern affected at least fdp.fifa.org, cis.fifa.org, and the dev API.
What Developers Should Do
- Always enforce authorization on the server side. Never trust client-side checks.
- Use separate Entra tenants for internal and external applications, or implement proper role validation middleware. At minimum, require app role assignment on the enterprise application so that a tenant member with no assigned role cannot obtain a token for it in the first place.
- Add a security.txt file to your domain. It's 2026.
- Test your authorization logic with a low-privilege account that has no roles assigned.
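As an added example (not FIFA's code and not from the original write-up), the Python below shows the two patterns side by side: a handler that only authenticates the token, which is the failure described under The Root Cause, and one that also authorises against a per-route role table, plus a small audit helper that implements the last item of the checklist by enumerating what a no-roles token can reach. Real Entra ID tokens are RS256-signed and must be validated against the tenant's published JWKS with issuer and audience checks; to run offline this example mints and verifies HS256 tokens with a local secret. The audience, route names and role names are assumptions made for the example.

```python
"""Server-side role enforcement for a JWT-authenticated API.

Added example, not FIFA's code. Real Entra ID tokens are RS256-signed and
must be validated against the tenant's JWKS (issuer, audience, signature,
expiry); HS256 with a local secret is substituted here so the file runs
offline. Audience, routes and role names are invented.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

SECRET = b"demo-signing-secret"      # stand-in for the identity provider's key
AUDIENCE = "api://fdp.example"       # invented audience claim

# Endpoint -> app roles allowed to call it (invented role names)
ROUTE_ROLES = {
    "GET /api/streams":        {"Streaming.Read", "Streaming.Admin"},
    "POST /api/streams/stop":  {"Streaming.Admin"},
    "POST /api/matches/stats": {"Match.Editor"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT (test helper standing in for the identity provider)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def make_token(roles: list, secret: bytes = SECRET, ttl: int = 60) -> str:
    """Convenience wrapper: a token for this audience carrying the given roles."""
    return issue_token({"aud": AUDIENCE, "exp": time.time() + ttl, "roles": roles}, secret)


def verify_token(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Authenticate only: signature, algorithm, audience, expiry. Claims or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":    # pin the algorithm; never trust the token's choice
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("aud") != AUDIENCE or claims.get("exp", 0) < time.time():
            return None
        return claims
    except ValueError:                       # covers base64, JSON and unpacking errors
        return None


def handle_vulnerable(route: str, token: str) -> int:
    """The pattern in the write-up: any valid tenant token is enough."""
    if verify_token(token) is None:
        return 401
    return 200                               # no role check at all; the UI was the only guard


def handle_hardened(route: str, token: str) -> int:
    """Authenticate, then authorise against the route's required roles (default deny)."""
    claims = verify_token(token)
    if claims is None:
        return 401
    granted = set(claims.get("roles", []))   # Entra places app roles in the 'roles' claim
    if not granted & ROUTE_ROLES.get(route, set()):
        return 403                           # NO_ROLES, missing claim or unknown route all land here
    return 200


def audit_authz(handler: Callable[[str, str], int], token: str) -> list:
    """Low-privilege test: every route the given token can reach through this handler."""
    return [route for route in ROUTE_ROLES if handler(route, token) == 200]


if __name__ == "__main__":
    no_roles = make_token(["NO_ROLES"])
    print("vulnerable, NO_ROLES token reaches:", audit_authz(handle_vulnerable, no_roles))
    print("hardened,   NO_ROLES token reaches:", audit_authz(handle_hardened, no_roles))
```

The audit helper is the part to keep around: run it in CI with a token minted for an account that has no app roles, and fail the build if the list it returns is anything but empty.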