June 15, 2026
Goal! Straight into the chaos net
I Could've Rickrolled the FIFA World Cup. All I Needed Was My ID
Fans are screaming: one ID check away from a World Cup prank of the century
TLDR: A researcher says FIFA’s public sign-up system accidentally opened the way to World Cup stream controls, creating the possibility of broadcast sabotage before it was quietly fixed. Commenters are torn between laughing at the absurdity, praising the restraint, and asking how a mistake this huge got past everyone.
The internet has found its latest "how was this even real?" scandal, and commenters are absolutely feasting. A security researcher says he signed up for FIFA’s public football-agent website with nothing more than his ID, got swept into the same login system used for FIFA’s internal tools, and then discovered he could view the live control panel for World Cup 2026 streams. In plain English: the front door said “no entry,” but the back door was apparently wide open. The most repeated reaction was pure disbelief. One stunned commenter basically screamed, how could every service forget to do the actual lock check? Another called it an “awesome read” and joked that the writer suffered “damage… to my brain.”
But the real comment-section energy was a mix of horror, admiration, and meme-fueled temptation. People were obsessed with the idea that this person could have swapped a football broadcast for a global Rickroll and triggered the most chaotic sports moment on Earth. One user openly praised the researcher’s willpower for not sending a message to millions of viewers. Another twist in the drama: a commenter popped up to say he’d found a similar FIFA issue during the 2022 World Cup and, despite a promised thank-you gift, got basically nothing. That turned the mood from shocked laughter to “of course the big organization ignored the person trying to help”. The verdict from the crowd? Equal parts impressed, furious, and darkly entertained.
Key Points
- •The article says a successful registration on FIFA’s public Agent Platform added the author’s account to FIFA’s shared Microsoft Entra tenant.
- •The author reports that FIFA’s Football Data Platform displayed an access-denied page based on frontend role checks, while backend APIs allegedly did not enforce authorization.
- •By bypassing the client-side guard, the author says they accessed a live Streaming Management panel for FIFA World Cup 2026 matches.
- •The panel allegedly exposed five camera feeds per match, including RTMP ingest URLs, preview manifests, output URLs, and a shared stream key for the feeds.
- •The author says they reported the issue by contacting FIFA, MediaKind, HBS, CISA, and the FBI, and that the issue was fixed without a direct response.