FIFA Security Flaw: Registering as an Agent Unlocks Access to 2026 World Cup Broadcast System
English summary
A regular user registered for a football agent qualification on FIFA’s official website and was automatically enrolled in FIFA’s unified identity system. The resulting account had access to multiple internal platforms, including the broadcast management system for the 2026 World Cup. There the user found live match streams, stream push addresses, streaming keys, and partial live management controls. The incident exposes a critical security gap in FIFA’s identity and access management.
Key points
Anyone can register as a football agent on the FIFA website without additional vetting, triggering automatic access to internal systems.
The unified identity system mistakenly linked the newly created agent account to privileged internal platforms, bypassing access controls.
The exposed broadcast management system revealed live streams, streaming keys, and operational functions for the 2026 World Cup, posing risks of unauthorized broadcast manipulation.
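The failure described in the key points is an identity that is valid for single sign-on being treated as authorized for every application behind it. The following Python example is added here for illustration and is not code from the report or from FIFA; the role names, application names and data model are all hypothetical. It pairs a deny-by-default access check with an audit that flags internal applications reachable by an unvetted, self-registered account.

```python
from dataclasses import dataclass

# Assumption: roles a user receives at self-service sign-up, with no vetting.
# All role and application names below are constructed for this example.
SELF_SERVICE_ROLES = frozenset({"agent_applicant"})

@dataclass(frozen=True)
class App:
    name: str
    internal: bool
    allowed_roles: frozenset = frozenset()  # explicit allow-list of roles
    any_authenticated: bool = False         # "a valid SSO session is enough"

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

def is_authorized(user: User, app: App) -> bool:
    """Deny by default: authentication alone never opens an internal app."""
    if app.internal:
        # Only roles that required vetting count towards internal access.
        vetted = user.roles - SELF_SERVICE_ROLES
        return bool(vetted & app.allowed_roles)
    return app.any_authenticated or bool(user.roles & app.allowed_roles)

def audit(apps):
    """Names of internal apps whose policy admits a self-registered account."""
    return [
        app.name
        for app in apps
        if app.internal
        and (app.any_authenticated or app.allowed_roles & SELF_SERVICE_ROLES)
    ]

# Constructed application inventory.
APPS = [
    App("agent-portal", internal=False, allowed_roles=frozenset({"agent_applicant"})),
    App("broadcast-mgmt", internal=True, any_authenticated=True),  # misconfigured
    App("media-archive", internal=True,
        allowed_roles=frozenset({"agent_applicant", "staff"})),    # misconfigured
    App("hr-console", internal=True, allowed_roles=frozenset({"staff"})),
]

if __name__ == "__main__":
    signup = User("new-signup", frozenset({"agent_applicant"}))
    print("policy findings:", audit(APPS))
    for app in APPS:
        print(f"{app.name}: access for new sign-up = {is_authorized(signup, app)}")
```

The audit catches the policy error at configuration time, while the access check keeps a self-registered account out of internal applications even when such a policy slips through.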