
API Vulnerability Could Have Let Attackers Hijack FIFA World Cup Broadcast Streams

A real-world hack documented by independent security blogger “bobdahacker” created a path to replacing the FIFA World Cup matches playing out on televisions and devices all over the world with any video of the attacker’s choosing. The flaw was an API vulnerability that was remarkably easy to access – one only had to be accepted as a licensed FIFA agent, something that appears to have been not at all rigorously screened.

API vulnerability granted extremely broad permissions to registered agents

The hack began with the FIFA Agent Platform, a portal intended for the registration of licensed football agents. There does not appear to be any screening beyond submitting a valid email address along with a selfie; the researcher reported only mild difficulty getting the screening system to approve the lighting of his photos.

Once accepted as an agent, users were added to a FIFA Microsoft Entra tenant that appears to also run all of the organization’s internal platforms. This is where the API vulnerability comes in. Among other things, this included the “streaming management” panel used to control the feeds provided for each and every FIFA World Cup match. These included output URLs sent to broadcast partners, complete with the authorization key sitting in plaintext in the URL. Additionally, only one authorization key was shared for every available camera angle for each match.

The long and short of this is that a less ethical party who hit upon this API vulnerability could have replaced that URL with a stream of any video they cared to. An attacker could also have trivially stopped any FIFA World Cup feed at any time, or rescheduled it, using the straightforward buttons provided in the panel’s interface.

Digging deeper into the platforms, the researcher found the API vulnerability provided access to numerous other sensitive things. An attacker would have been able to make changes to and update the live statistics and official team line-up submission systems, potentially causing major chaos with sports betting results. They could also have adjusted the official match kick-off times reported by the FIFA World Cup website and app, retroactively changed the displayed scores of completed matches, and messed with the “factoid” system used to submit relevant trivia for match commentators to use while a game is live (such as background information about where a player previously played and prior accomplishments, something that could also be exploited to manipulate sports “prop” betting).

And of course, the API vulnerability provided access to at least some amount of sensitive internal organization data that could be readily exfiltrated. The researcher noted that revenue information, transfer reports and board-level representation data were recognizable without actually opening any files. Since this was not authorized security testing, the researcher did not plumb the depths of these files to see exactly how bad this exposure was.

FIFA World Cup vulnerability closed up, but no official disclosure

The researcher additionally reports that FIFA World Cup officials they contacted never made any kind of response, and that a good deal of the organization’s listed email addresses in fact bounce incoming messages. The organization does not have a bug bounty program or any sort of public security contact or reporting portal.

They finally got a response, after multiple attempts, from FIFA World Cup streaming partner MediaKind. They report getting a professional response from the company by phone in which the respondent seemed to understand the gravity of the issue and asked for an email follow-up with the authorization keys. They also had a successful follow-up call with the US CISA (Cybersecurity and Infrastructure Security Agency), which is the federal lead on broadcast and cybersecurity for the current FIFA World Cup.

The researcher reports that the API vulnerability had been fixed the next day, but with no communication from FIFA or indication that anything had been done (other than being put on their generic promotional email list). However, they also note that this is a flaw that is not uncommonly found in organizations. The researcher notes that this is particularly endemic among larger organizations that have lots of accounts to manage; they will build a “pretty” Angular or React frontend that seems to superficially screen for roles on the client end, but will actually provide unfiltered access to everything on the back end to someone with rudimentary technical knowledge.
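As an added illustration of the pattern the researcher describes (example code, not from the article or the researcher’s write-up; the roles, operations and stream records are hypothetical and constructed), here is a stream-panel operation that is gated only in the UI, next to the same operation with the role check enforced on the server:

```python
# Constructed sample of a tenant directory: every registered user gets an
# account, but only operators should be able to touch the stream panel.
USERS = {
    "agent-1": {"role": "agent"},          # self-registered agent
    "ops-1": {"role": "streaming_ops"},    # actual stream-panel operator
}

# Server-side policy, deny by default: operations not listed here are
# never permitted, whatever the frontend happens to render.
PERMISSIONS = {
    "stream.update_output_url": {"streaming_ops"},
    "stream.stop": {"streaming_ops"},
    "match.set_score": {"match_ops"},
}


class Forbidden(Exception):
    """Raised when the caller's tenant role does not allow the operation."""


def update_output_url_vulnerable(user_id, match_id, url, streams):
    """The pattern the article describes: the Angular/React UI hides the
    button from non-operators, but the API never checks who is calling."""
    streams[match_id] = url
    return streams[match_id]


def is_allowed(user_id, operation):
    """Decide from the user's server-side role, not from any client claim."""
    role = USERS.get(user_id, {}).get("role")
    return role in PERMISSIONS.get(operation, set())


def authorize(user_id, operation):
    if not is_allowed(user_id, operation):
        raise Forbidden(f"{user_id} may not perform {operation}")


def update_output_url_hardened(user_id, match_id, url, streams):
    """Same operation, with the authorization decision made on the server
    before any state changes; the UI's role filtering is irrelevant here."""
    authorize(user_id, "stream.update_output_url")
    streams[match_id] = url
    return streams[match_id]
```

The same `authorize` call belongs in front of every backend operation the panel exposes (stop, reschedule, score and line-up updates), since each is a separate endpoint an authenticated account can reach directly.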

But the researcher also notes that the exposure in the FIFA World Cup case was “more severe” than most of the prior cases they’ve seen. Their closing advice to the organization was fairly basic: implement a “security.txt” file, publish a vulnerability disclosure policy, and strongly consider a bug bounty program to make future reporting faster and easier.

Michael Centrella, Head of Public Policy at SecurityScorecard, provides some additional advice: “The broader lesson is that major events need to defend their operational systems with the same urgency as critical business infrastructure. Threat actors look for the easiest entry point, not the most obvious one, so defenders need to test every pathway that could connect public facing systems to sensitive operations. One weak control in a low friction onboarding system can become the front door to a global incident.”