FIFA's World Cup streams just suffered a major security lapse
What's the story
A major security vulnerability in FIFA's internal system has been uncovered by a researcher. The flaw, which stemmed from a lack of proper authorization checks in FIFA's back-end API, allowed the researcher to gain access to multiple internal platforms of the organization. The researcher, who goes by the pseudonym BobDaHacker, discovered that they could even watch and control live TV streams for all World Cup matches.
Exploit details
Researcher accessed FIFA's internal systems
The researcher exploited the vulnerability by simply signing up as a player agent on FIFA's official agent registration platform. This account, combined with the back-end API flaw, gave them access to several internal FIFA platforms. Among these was a system that lets broadcasters control what appears on TVs around the world and what commentators see while narrating matches.
Security risk
Vulnerability could have been exploited to hijack broadcasts
The vulnerability posed a major security risk, as a single attacker could have exploited it to hijack every camera at once. "An attacker could have rickrolled the entire FIFA World Cup," BobDaHacker wrote in a blog post. The researcher reported the flaw on Tuesday night Japan time, and FIFA fixed it within hours without acknowledging the researcher's report.
Unanswered questions
FIFA yet to comment on the matter
Despite requests from TechCrunch, FIFA has not yet commented on the matter. The silence from the football governing body raises questions about its internal security measures and protocols for handling such vulnerabilities.