HeadlinesBriefing.com

FIFA’s streaming keys exposed through agent registration

Hacker News

A researcher registered on the FIFA Agent Platform, submitting an ID to the public portal agents.fifa.org. The signup automatically added the account to FIFA’s Microsoft Entra tenant, the same Azure AD instance that backs every internal FIFA service. After two failed attempts due to photo lighting, the third registration succeeded and triggered a confirmation email from the so‑called FAP (FIFA Agent Platform).

Using the same JWT, the researcher accessed fdp.fifa.org, the Football Data Platform. The Angular front‑end displayed an “Access Denied” page because the token lacked role claims, but that check existed only in the client: the backend APIs did not enforce it and served data to any valid token. Bypassing the client guard landed the user on the live Streaming Management panel, which listed every 2026 World Cup match with RTMP ingest URLs, preview manifests and output streams.

The panel gave start/stop control for each camera angle, so a NO_ROLES account could terminate live feeds. The RTMP URLs held a UUID stream key shared across angles, letting an attacker hijack the primary broadcast and push arbitrary video to every partner network. The same unchecked account also exposed internal spreadsheets via an Azure Function, highlighting a systemic lack of role enforcement across FIFA’s production stack.
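The defect described above is a client-only role check. The following is an added example, not code from FIFA or the researcher, of the server-side gate the backend APIs were missing: it verifies the token and then refuses any request whose token carries no role claim, so a NO_ROLES account gets 403 no matter what the front-end does. The HS256 secret, role name and token contents are constructed for the demo.

```python
import base64, hmac, hashlib, json, time

# Constructed shared secret for this example; a real tenant validates against
# the identity provider's published signing keys, not a static HS256 secret.
SECRET = b"example-secret-not-real"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Build a constructed HS256 JWT (stands in for the tenant's issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str) -> dict:
    """Check signature and expiry on the server; raise on any failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise PermissionError("expired")
    return claims

def authorize(token: str, required_role: str) -> bool:
    """A valid token is not enough: the required role claim must be present.
    A token with no 'roles' claim at all (the NO_ROLES case) is denied."""
    try:
        claims = verify_token(token)
    except (PermissionError, ValueError):
        return False
    return required_role in claims.get("roles", [])

def handle_streams_request(token: str) -> int:
    """HTTP status the streaming API should return for this token."""
    return 200 if authorize(token, "Streaming.Admin") else 403

# Constructed sample tokens: a freshly registered agent with no roles, and an operator.
NO_ROLES_TOKEN = mint_token({"sub": "agent-123", "exp": time.time() + 3600})
ADMIN_TOKEN = mint_token({"sub": "ops-1", "roles": ["Streaming.Admin"], "exp": time.time() + 3600})
```

The point is that the decision lives next to the data, not in the Angular route guard; the same function would also front the Azure Function serving spreadsheets.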