Security researcher reportedly accesses FIFA World Cup broadcast controls via API flaw

June 16, 2026

Upcoming FIFA World Cup event in 2026 with soccer ball and flags of USA, Canada, and Mexico

(Adobe Stock)

A security researcher identified a critical vulnerability within FIFA's systems that allowed unauthorized access to internal platforms, including the control system for World Cup broadcasts, according to a recent report by TechCrunch.

The researcher, known as BobDaHacker, said they exploited a flaw in FIFA's back-end API by registering as a player agent. This registration, combined with the API's failure to properly verify user authorization, granted access to sensitive internal systems, according to the researcher. Among the reportedly compromised platforms was the system responsible for controlling the TV streams of every World Cup game, as well as the screens used by commentators. The researcher demonstrated that a single attacker could potentially hijack all cameras simultaneously or manipulate on-screen content globally.

BobDaHacker reported the vulnerability on Tuesday, and FIFA addressed the issue within hours, though the organization has not publicly acknowledged the report.

Source: TechCrunch

SC Staff

A stock illustration that represents the concept of e-commerce phishing in pastel orange and cobalt blue, incorporating fake shopping carts and conceptual metaphors of stolen data and false security for an engaging and intuitive understanding of the concept. Utilize soft gradients and layered shadows to create a hint of spatial complexity and priority. --ar 16:9 --v 6.1 Job ID: b12556c8-93ea-4d94-91b3-9ca3f4a58a7b

API security

Magecart campaign exploits Stripe API for credit card theft

SC StaffJune 5, 2026

The sophisticated attack utilizes Google Tag Manager (GTM) and Stripe domains, which are implicitly trusted by e-commerce sites, allowing the malicious code to bypass security measures.

Glowing digital key on a dark circuit board symbolizing cybersecurity and data encryption. Cybersecurity awareness, data protection, digital security, IT, information safety, encryption concept.

API security

Deleted Google API keys remain active for up to 23 minutes, study finds

SC StaffMay 21, 2026

While the Google Cloud Platform console indicates immediate deletion, researchers found that keys take an average of 16 minutes to become fully inactive, with the longest observed delay reaching 23 minutes.

Security Operations

Command Zero releases APIs to enable programmatic security investigations

SC StaffMay 1, 2026

The new API endpoints enable security operations teams to integrate Command Zero's investigation engine into their existing security orchestration, automation, and response (SOAR) playbooks, pipelines, and internal tools.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

Related Terms

API Security Cloud Computing Greynet