FIFA World Cup Broadcasts Narrowly Avoid Disaster as Ethical Hacker Finds API Vulnerability
June 25, 2026
Some disappointed fans might well have tuned in to a black screen, or even worse some sort of disturbing substitute video, if an ethical hacker hadn’t been the first to find a critical API vulnerability in the FIFA World Cup digital control panels.
What’s worse, the API vulnerability is one that is fairly common with large organizations and fairly easy for anyone with some cybersecurity experience to sniff out. The lone bottleneck was applying to be a registered FIFA agent, a process that apparently automated approvals so long as one could provide a valid government ID and email address. FIFA seems to have overlooked a number of fundamental cybersecurity elements, and the incident serves as a reminder that even some of the world’s most prominent organizations could stand to tune up their controls and disclosure policies.
FIFA World Cup vulnerability offered up access token to change match video feeds
Independent cybersecurity blogger “bobdahacker” appears to have been the first to come upon the API vulnerability. Rather than take advantage of the situation to reschedule FIFA World Cup matches or redirect the video feeds to some manner of questionable tube sites, the researcher instead opted to ethically disclose to officials ASAP.
Unfortunately, they started running into some fundamental issues right away. The FIFA World Cup site does not even have a vulnerability disclosure policy, let alone a bug bounty program. The relevant contact email addresses that were listed were split about 50/50 between not responding and automatically bouncing incoming emails.
The researcher ended up having to make phone calls to FIFA World Cup streaming tech partner MediaKind and the Cybersecurity and Infrastructure Security Agency (CISA), both of which finally provided a receptive listener on the other end. By the next day, the API vulnerability had been quietly fixed without any sort of public notice or follow-up with the researcher.
The researcher notes that this API vulnerability is not uncommon with large organizations handling multiple platforms and lots of users with different access rights and permissions. Organizations will sometimes build an Angular or React frontend that appears to corral users in the limited areas where they belong, but that restriction exists only on the client end. When someone with technical knowledge accesses the back end directly, they find that any common user account has access to everything across the platforms.
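An added illustration of the pattern just described (example code, not from the article and not FIFA's or MediaKind's code): a minimal back-end handler that, like the flaw described, accepts any authenticated session for any operation, beside one that enforces roles on the server regardless of what the frontend shows. The routes, roles and permission matrix are hypothetical.

```python
# Added example, not code from the article or from any FIFA system.
# Contrasts "UI-only" gating with server-side, deny-by-default authorization.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: frozenset  # e.g. frozenset({"agent"}) or frozenset({"broadcast_ops"})


# Hypothetical permission matrix: which roles may call which API operation.
# Route names and roles are constructed for this example.
PERMISSIONS = {
    "GET /api/agent/players": {"agent", "broadcast_ops", "admin"},
    "PATCH /api/broadcast/feeds": {"broadcast_ops", "admin"},
    "PATCH /api/match/stats": {"stats_editor", "admin"},
    "GET /api/internal/documents": {"admin"},
}


def handle_request_vulnerable(session, operation):
    """'Before' pattern: the back end only checks that *some* valid session exists.
    Role separation lives in the Angular/React frontend, so any authenticated
    account (for instance an auto-approved agent) can call every operation."""
    if session is None:
        return 401  # unauthenticated
    if operation not in PERMISSIONS:
        return 404  # unknown route
    return 200  # no role check at all: this is the flaw


def handle_request_hardened(session, operation):
    """'After' pattern: the back end enforces the role requirement itself,
    independently of the UI. Unknown routes and missing roles are denied."""
    if session is None:
        return 401
    allowed = PERMISSIONS.get(operation)
    if allowed is None:
        return 404
    if not (session.roles & allowed):
        return 403  # authenticated but not authorized for this operation
    return 200


def audit_agent_reach(handler):
    """Return the operations a plain agent account can invoke successfully
    through the given handler; usable as a regression check in CI."""
    agent = Session(user_id="agent-0001", roles=frozenset({"agent"}))
    return sorted(op for op in PERMISSIONS if handler(agent, op) == 200)
```

Running `audit_agent_reach` against both handlers shows the difference directly: the vulnerable handler lets an agent reach every route, the hardened one only the agent route.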
“Severe” implementation of common API vulnerability
Though this is a common API vulnerability, the researcher says the FIFA World Cup incident was more “severe” than most others they have seen. The headline item is that any registered agent could trivially access the control panel for the feeds that go out to broadcast partners across the world, stopping them mid-match or using a plainly visible authorization string to redirect them to any other video source on the internet.
The first cybersecurity hole is that there appears to have been no checking whatsoever to see if people registering for agent accounts were actually player agents. That would not have been so bad if these users were properly fenced off with limited permissions, however. The real issue is the API vulnerability they could then abuse, which wasn’t limited to just fiddling with the FIFA World Cup streams. They also had a number of write permissions for things such as the official statistics for matches and the comments about player backgrounds that are sent to live commentators during the match. And they had access to a number of internal FIFA documents that appeared to involve finances, board members, officials and commentators, though they (understandably) did not delve into these since they were not doing authorized security work.
To put it in a way that reflects as gently on FIFA as possible, the incident demonstrates that organizations must review onboarding systems for similar weak links. To put it more harshly, FIFA got away with what could have been a massive PR disaster thanks solely to the grace of a random “white hat” (who was not acknowledged at all) and has very serious fundamental cybersecurity issues to address that other organizations should be sure they have covered.