Facebook Freebooting Hack

Freebooting is a form of piracy: downloading someone else's copyrighted material and re-uploading it to another platform, most often videos taken from YouTube and posted to Facebook. A security vulnerability in Facebook's newly introduced Rights Manager platform (built to prevent freebooting) allowed anyone to take control of another brand page's copyright data with little effort.

Facebook is trying hard to prevent freebooting in its native video player. In April it introduced a tool called Rights Manager, which gives well-known brands the ability to detect and claim their copyrighted videos when they are uploaded to Facebook. Users who repeatedly upload copyrighted videos can be identified through this feature, and pages or profiles that keep uploading copyrighted material would eventually get banned.
The Rights Manager tool lets brands upload their own video items (source videos used as references to detect pirated copies), and the owners are notified whenever someone uploads one of their copyrighted videos to Facebook. Copyright owners can then request deletion of the detected pirated videos or, in some cases, add exceptions for a few brands that are allowed to use the content.

So what’s the hack? 

Rights Manager's application interface allows end users to manipulate the request data and gain control over other brand pages' copyright source data.
In layman's terms, Rights Manager's authorization checks were not functioning securely: any Facebook user, without the page owner's consent or permission, could read, edit and delete the page's source videos or manipulate its detected pirated videos.

Technical Details

The Rights Manager tool is pre-approved for a few official pages, and anyone else can request approval.

Facebook CopyRights Manager Tool Preview
Once you are approved, you can upload your videos so that pirated copies can be detected across Facebook's native video player.
Rights Manager is built on the Graph API, and its official documentation lists some endpoints for third-party app access. By default, the Rights Manager GUI uses a pre-approved app called “273465416184080 : Content Tab of a Page on www”. We can see the access token in the source code of

Since this is an app owned by Facebook, an access token issued to it was treated as trusted: because the endpoints did not also check that the calling user actually administers the page named in the request, the token allowed us to read or manipulate the copyright data of any brand page.


Proof of Concept

All of the fields shown above, passed as request parameters, can be updated for a page the caller does not own.

Reading Victim’s Copyrights

Deleting Victim’s Copyrights

Create copyright rule on behalf of victim’s page

Read Victim’s Copyright Rules

Delete Copyright Rule
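To make the flaw in the Technical Details concrete, and to show what the proof-of-concept steps above are actually testing, here is a small added example (not Facebook's code; the class, field and operation names are hypothetical) that models a Rights Manager-style API in memory. The vulnerable handler only checks that the token belongs to a first-party app, so any logged-in user's token passes. The fixed handler additionally requires the calling user to be an admin of the target page (object-level authorization). `idor_report` replays the read, create-rule, delete-rule and delete-video operations from the proof of concept with a given token and returns the ones that succeeded; a non-empty result for a user who does not administer the page is the IDOR.

```python
from dataclasses import dataclass, field

# App ID quoted on this page for the first-party "Content Tab of a Page on www" app.
FIRST_PARTY_APPS = {"273465416184080"}


class Forbidden(Exception):
    """Raised when a request fails authorization."""


@dataclass(frozen=True)
class Token:
    app_id: str   # app the token was issued to
    user_id: str  # logged-in user behind the token (hypothetical field)


@dataclass
class Page:
    page_id: str
    admins: frozenset                                      # users who manage the page (assumption)
    reference_videos: dict = field(default_factory=dict)   # video_id -> title
    rules: dict = field(default_factory=dict)              # rule_id -> action


def build_pages():
    """Constructed sample data: one victim brand page with a reference video and a rule."""
    return {
        "victim_page": Page(
            "victim_page",
            frozenset({"victim_admin"}),
            {"vid1": "Trailer master copy"},
            {"rule1": "block"},
        ),
    }


class RightsManagerVulnerable:
    """Models the behaviour described above: only the app identity is verified,
    never whether the caller administers the page named in the request."""

    def __init__(self, pages):
        self.pages = pages

    def _authorize(self, token, page_id):
        if token.app_id not in FIRST_PARTY_APPS:
            raise Forbidden("token not issued to a first-party app")
        return self.pages[page_id]

    def list_reference_videos(self, token, page_id):
        return dict(self._authorize(token, page_id).reference_videos)

    def delete_reference_video(self, token, page_id, video_id):
        del self._authorize(token, page_id).reference_videos[video_id]
        return True

    def create_rule(self, token, page_id, rule_id, action):
        self._authorize(token, page_id).rules[rule_id] = action
        return rule_id

    def delete_rule(self, token, page_id, rule_id):
        del self._authorize(token, page_id).rules[rule_id]
        return True


class RightsManagerFixed(RightsManagerVulnerable):
    """Hardened variant: keeps the app check and also requires the calling user
    to be an admin of the target page before any read or write."""

    def _authorize(self, token, page_id):
        page = super()._authorize(token, page_id)
        if token.user_id not in page.admins:
            raise Forbidden(f"user {token.user_id} does not administer {page_id}")
        return page


def idor_report(api, token, page_id):
    """Replay the proof-of-concept operations with `token` against `page_id`
    and return the names of the ones that were allowed, in order."""
    attempts = [
        ("read_videos", lambda: api.list_reference_videos(token, page_id)),
        ("create_rule", lambda: api.create_rule(token, page_id, "rule_x", "block")),
        ("delete_rule", lambda: api.delete_rule(token, page_id, "rule_x")),
        ("delete_video", lambda: api.delete_reference_video(token, page_id, "vid1")),
    ]
    succeeded = []
    for name, call in attempts:
        try:
            call()
            succeeded.append(name)
        except Forbidden:
            pass
    return succeeded


if __name__ == "__main__":
    # A random user holding a first-party app token, exactly the situation in the write-up.
    attacker = Token("273465416184080", "random_user")
    for cls in (RightsManagerVulnerable, RightsManagerFixed):
        print(cls.__name__, idor_report(cls(build_pages()), attacker, "victim_page"))
```

The point of the differential check is that the same request, replayed under a second identity that has no relationship to the target page, must fail; a check that only asks "is this one of our apps?" answers a question every user of the GUI can satisfy.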

Facebook Acknowledgement of Fix and Bounty of $4000 USD

I thank Facebook Security team for quickly fixing this issue 🙂