How I Was Able to See a Private Video Uploader via Facebook Rights Manager [Responsible Disclosure]

Hello Everyone! I hope you’re doing great. So, due to the pandemic in India, we all had to stay home and I couldn’t find a better way to kill my boredom. So I decided to write a blog about one of my recent findings.

“This bug is responsibly disclosed to Facebook WhiteHat Team and patched.”

Facebook runs a whitehat program, in which security researchers across the globe report security vulnerabilities and get paid according to the severity. Sounds interesting, ain’t it? To know more about this, click here.

Since I run a media company called The360Groups, I had access to this wonderful tool called Rights Manager by Facebook.

So you might be wondering what this Rights Manager tool is all about, which I’ll be demystifying below.

Also, keep in mind this is a privacy issue.

Source: Rights Manager.

What is Rights Manager?

Rights Manager helps you to:

Easily upload and maintain a reference library of video content to monitor and protect, including live video streams.

Specify permitted uses of each video by setting match rules.

Identify and surface new matches against your protected content so you can review them and file a report if needed.

Whitelist specific Pages and profiles that have permission to use your copyrighted content.

Use the Rights Manager API to integrate existing content management workflows and to easily upload and manage large libraries.

Rights Manager is for publishers that publish content on Facebook and also those that don’t publish on Facebook but want to protect their content. If you want to get access to this, click here.

Source: Facebook

Description

Rights Manager has an option that automatically finds videos matching yours. This is basically to stop copyright infringement, content being pirated, etc.
It works as follows: if your video gets uploaded somewhere, you’ll get an alert in your Rights Manager dashboard. Further, if you want to, you can either add it to the whitelist or report it to have it taken down.

Interestingly, while I was randomly exploring this option, I got to know that it was exposing the uploader’s private account (profile ID).

Impact

The “Give Permission” option in Rights Manager could expose the identity of a private video uploader.

Reproduction Steps

  1. Upload the video that needs to be protected to Rights Manager.
  2. Upload the same video from a user’s profile.
  3. Rights Manager will detect your video and notify you via the matching tab that someone (whoever uploaded it) posted your video. The give permission tab will now appear.
  4. When you give permission, the account gets whitelisted. Now go to the Rights Manager settings and find the whitelisted person (the profile of the user who uploaded your video will be disclosed).
  5. Right-click on the whitelisted profile name and copy the link. The link will be something like business.facebook.com/username. Remove only the “business” part from the link and paste the link in a new tab (facebook.com/username).
  6. Now we have the uploader’s profile.
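The exposure in the steps above, modelled as an added example (not Facebook's code and not part of the original write-up): a whitelist row that always carries the uploader's profile link, next to one possible hardened form that returns an opaque handle when the matched video is not public. The `Match` fields, audience labels, key and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

SERVER_KEY = b"constructed-demo-key"  # constructed value, for the example only


@dataclass(frozen=True)
class Match:
    """Hypothetical record of a video that matched a protected reference."""
    uploader_username: str   # profile that posted the matching video
    uploader_name: str       # display name shown in the whitelist
    video_audience: str      # hypothetical labels: "public", "friends", "only_me"


def entry_leaky(match: Match) -> dict:
    """Behaviour described in the write-up: the whitelist row links to the
    uploader's profile regardless of the matched video's audience."""
    return {
        "label": match.uploader_name,
        "link": f"business.facebook.com/{match.uploader_username}",
    }


def entry_redacted(match: Match) -> dict:
    """Hardened variant: a profile link is returned only for public videos.
    Otherwise the rights owner gets a stable opaque handle that can still be
    whitelisted or reported without naming the uploader."""
    if match.video_audience == "public":
        return entry_leaky(match)
    handle = hmac.new(SERVER_KEY, match.uploader_username.encode(),
                      hashlib.sha256).hexdigest()[:16]
    return {"label": "Private uploader", "link": None, "handle": handle}


def leaks_identity(entry: dict, match: Match) -> bool:
    """True if any field of the rendered row reveals the uploader."""
    blob = " ".join(str(v) for v in entry.values())
    return match.uploader_username in blob or match.uploader_name in blob


# Constructed samples: the same uploader with a restricted and a public video.
private_match = Match("username", "Example User", "only_me")
public_match = Match("username", "Example User", "public")
```
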

That’s all for today folks! :D

Responsibly Disclosed to Facebook

Reported on 30 April 2020 at 13:10

Not Valid on 2 May 2020 at 03:52

(Found my report open on 16th May 2020)

Impact and more details were given on 16 May 2020 at 12:23

Triaged on 20 May 2020 at 22:11

Fixed on 21 May 2020 at 17:45

Bounty on 28 May 2020 at 16:17

Thanks to:

Rahul Raj, Sriram, Guhan Raja, Hemanth Joseph, Adithyan AK, Vijith Vellora

Special Thanks to:

Madurai360 and Team
