What You Need to Know
- A security researcher registered as a football agent on FIFA’s free public portal using only a government-issued ID.
- That registration added their account to FIFA’s entire Microsoft Entra (Azure AD) tenant, the same system powering all internal FIFA platforms.
- The researcher accessed live World Cup broadcast stream keys, match management controls, and the real-time Commentator Information System.
- The front-end app showed “access denied.” The back-end APIs ignored that check entirely and served full data anyway.
- This flaw is called broken access control. It ranks as the #1 vulnerability in web applications according to OWASP.
- Businesses in financial services, legal, and manufacturing face the same risk every day.
- The fix came quickly. FIFA never responded to the researcher.
During the 2026 FIFA World Cup, a security researcher registered as a football agent on a free public FIFA portal. All it took was a government-issued ID and a working email address. Within hours, that registration unlocked live broadcast stream keys, match management controls, and real-time commentary data for every World Cup match. The vulnerability behind this was broken access control, and it is the most common cybersecurity flaw affecting businesses today. This incident is not just a FIFA story. It is a warning for every organization that relies on cloud software, vendor platforms, or SaaS applications.
How One Registration Unlocked FIFA’s Entire System
As documented by the researcher who discovered it, FIFA’s public Agent Platform (agents.fifa.org) allows anyone to register as a licensed football agent. When a registration succeeds, FIFA automatically adds the new account to their Microsoft Entra tenant. That tenant powers every FIFA internal platform.
When the researcher navigated to FIFA’s Football Data Platform (fdp.fifa.org), the front-end app inspected their JWT, found no assigned roles, and displayed an “access denied” screen. However, the back-end APIs behind that screen never performed the same check. They served full data to any authenticated tenant member, regardless of role.
In other words, the front end said no. The back end said yes. That gap is the definition of broken access control.
What the Researcher Could Actually See and Do
The access was far from read-only. According to the full disclosure report, the researcher found:
- Live RTMP stream keys for every World Cup match and every camera angle. An attacker could have used these to replace live broadcast feeds on television worldwide.
- Full streaming controls, including start, stop, and schedule buttons for every camera feed.
- The Commentator Information System (cis.fifa.org), with pre-match editorial notes, player statistics, and talking points used by live broadcasters.
- Match Management write access, including fields to modify live scores, kick-off times, and tactical lineups. That data feeds directly into broadcast systems.
- An internal Azure Function App exposing 23 internal FIFA files, including transfer reports and board-level financial data.
The researcher confirmed a live stream was active by opening a preview URL in VLC media player. They immediately closed it and began the urgent process of reporting the vulnerability to FIFA, MediaKind, CISA, and the FBI. FIFA patched the flaw by the next morning. They never acknowledged the researcher’s report.
What Is Broken Access Control?
Broken access control occurs when an application fails to enforce what authenticated users are actually permitted to do. Authentication confirms who you are. Access control determines what you can reach. When those two systems are not properly connected at every layer, the result is broken access control.
According to OWASP, broken access control is the #1 vulnerability in web applications. It appears in 94% of tested applications. The flaw is common because developers often implement role checks on the front end and forget to enforce the same rules on the back end. Any user who bypasses the front end, for example by calling the API directly, gets full access. In FIFA’s case, that bypass required nothing more than a free agent registration.
Why This Is Not Just FIFA’s Problem
Small and mid-sized businesses face broken access control risks every day. Consider these common scenarios:
- A vendor portal grants contractors access for a project. After the project ends, their permissions are never removed.
- A SaaS application checks user roles in the browser but not on the server. Any user who inspects network traffic can call the API directly.
- An employee moves to a new role. Their old system access is never revoked. As a result, they retain permissions they no longer need.
- A Microsoft 365 or Azure tenant is configured to grant access to anyone authenticated in the organization, not just users with a specific role.
In regulated industries like financial services, legal, and manufacturing, these gaps carry serious consequences. A single misconfigured permission in a cloud platform can expose client data, financial records, or operational systems to anyone who finds the right entry point. Therefore, broken access control is a risk no business can afford to ignore.
How to Fix Broken Access Control in Your Business: 5 Steps
Addressing broken access control requires enforcement at every layer of your systems, not just the user interface. Here are five steps to start with.
1. Enforce access control on the server, always.
Front-end checks are a convenience, not a security control. Back-end APIs must validate user permissions on every single request, regardless of what the front end displays.
2. Apply the principle of least privilege.
Users and systems should have access only to what their role requires. In addition, review and reduce permissions on a regular schedule. Over-provisioned accounts are one of the most common sources of risk.
3. Audit your Microsoft Entra or Active Directory tenant.
If your organization uses Microsoft 365, Azure, or any integrated SaaS platform, your Entra tenant may grant broader access than you realize. For example, a new vendor integration or third-party registration could quietly add an external account with wide internal access.
4. Review and remove third-party and vendor access.
Every vendor, contractor, or integration connected to your systems is a potential access control gap. Maintain an up-to-date inventory of who has access, and revoke it the moment it is no longer needed.
5. Test for broken access control regularly.
Penetration testing and vulnerability assessments should specifically target authorization logic, not just authentication. Many automated scanners miss access control flaws. Therefore, manual testing by a qualified security professional is essential.
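An added audit sketch for steps 2 to 4, not CIO Landing’s tooling or a Microsoft API: it takes user and app-role-assignment records shaped loosely like Microsoft Graph responses (the records here are constructed sample data) and flags tenant members with no app role, external guests, and accounts with stale or missing sign-ins.

```javascript
// Added audit sketch (not CIO Landing's tooling). Record shapes loosely follow
// Microsoft Graph /users and appRoleAssignments; all data below is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Returns one finding per issue per enabled account.
function auditTenant(users, appRoleAssignments, now, staleDays = 90) {
  const roleHolders = new Set(appRoleAssignments.map((a) => a.principalId));
  const findings = [];
  for (const u of users) {
    if (!u.accountEnabled) continue; // disabled accounts cannot authenticate
    const flag = (issue) => findings.push({ user: u.userPrincipalName, issue });
    if (u.userType === "Guest") flag("external-guest");
    // Authenticated but unassigned: safe only if every API enforces roles itself.
    if (!roleHolders.has(u.id)) flag("member-without-app-role");
    const last = u.signInActivity && u.signInActivity.lastSignInDateTime;
    const ageDays = last ? (now - Date.parse(last)) / DAY_MS : Infinity;
    if (ageDays > staleDays) flag("stale-or-never-signed-in");
  }
  return findings;
}

// Constructed sample tenant: an internal operator with a role, a self-registered
// agent with none, a contractor guest from a finished project, and a disabled leaver.
const SAMPLE_USERS = [
  { id: "u1", userPrincipalName: "operator@example.test", userType: "Member",
    accountEnabled: true, signInActivity: { lastSignInDateTime: "2026-06-30T08:00:00Z" } },
  { id: "u2", userPrincipalName: "agent@example.test", userType: "Member",
    accountEnabled: true, signInActivity: { lastSignInDateTime: "2026-06-29T12:00:00Z" } },
  { id: "u3", userPrincipalName: "contractor@partner.example", userType: "Guest",
    accountEnabled: true, signInActivity: { lastSignInDateTime: "2026-01-15T09:00:00Z" } },
  { id: "u4", userPrincipalName: "leaver@example.test", userType: "Member",
    accountEnabled: false, signInActivity: null },
];
const SAMPLE_ASSIGNMENTS = [
  { principalId: "u1", appRoleId: "role-id-placeholder", resourceDisplayName: "Match Management" },
];

// Audit as of a fixed date so the results are reproducible.
function runSampleAudit() {
  return auditTenant(SAMPLE_USERS, SAMPLE_ASSIGNMENTS, Date.parse("2026-07-01T00:00:00Z"));
}
```

Each finding maps to a review action: remove or scope the guest, assign or remove the unassigned member, and disable the stale account.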
The Reporting Problem: A Lesson in Preparedness
Beyond the technical flaw, the FIFA incident exposes a critical gap in organizational readiness. The researcher had to call CISA, the FBI, MediaKind, and FIFA headquarters across multiple time zones before anyone responded. FIFA had no bug bounty program, no security.txt file, and no published vulnerability disclosure policy.
CISA recommends that every organization publish a clear vulnerability disclosure policy. This gives researchers, employees, and partners a direct path to report security issues before they become breaches. The faster a vulnerability is reported and patched, the less damage it causes. Your business may not run a global broadcast operation. However, the principle is the same: when a threat surfaces, you need a clear, practiced plan to respond.
How CIO Landing Helps You Close the Gap
At CIO Landing, we help businesses in legal, financial, and manufacturing sectors identify and fix access control vulnerabilities before they become incidents. Our proactive approach includes:
- Microsoft 365 and Azure Entra tenant reviews
- User access audits and least-privilege enforcement
- Third-party and vendor access management
- Cybersecurity risk assessments and penetration test coordination
- Ongoing monitoring and rapid incident response
You should not need to call the FBI to fix a security problem. If you are not sure who has access to your systems or what they can do with it, now is the time to find out.
Schedule a Discovery Call with CIO Landing to get a clear picture of your access control risks and a concrete plan to address them.