I Could've Rickrolled the FIFA World Cup. All I Needed Was My ID.
Summary
The FIFA World Cup 2026 revealed a critical client-side authorization flaw in FIFA’s internal platforms, one that exposed live streams, match data, and admin capabilities to NO_ROLES accounts. The author documents the discovery, the exposure chain, the response timeline, and a follow-up fix, and emphasizes server-side enforcement, responsible disclosure, and IAM best practices.