Laxman Muthiyah is a serial Facebook bounty hunter who has featured on Naked Security before.
His latest bug bounty was a handy $4000 for what can only be described as an ironic security hole: a freebooting flaw in Facebook’s anti-freebooting service.
To explain: freebooter is an Anglicism from the Dutch word for privateer or pirate, and freebooting is a modern-day term used to refer to ripping off copyrighted video from one place and uploading it to another.
For example, imagine that you upload your cool new video to YouTube, where Google will know it’s yours and can at least try to keep a lookout for other people “cloning” it to steal your views.
Along comes a freebooter, leeches the video from YouTube by one means or another, and uploads it to Facebook as his own.
That effectively makes him king of your content on Facebook, where he’s the first to upload it, and thus the first to get any of the click-love it might generate.
It also makes it trickier for you to establish that it’s your content later on, because your claim on the video would be in second place.
Unsurprisingly, there’s an anti-freebooting app for that: Facebook’s Rights Manager interface allows you to upload your content so that Facebook itself has a “source video” to compare against possible imposters – think of it as a high-resolution reference copy.
Rights Manager also has a button you can use to send takedown requests if you find infringing copies online.
So far, so good, but as Muthiyah quickly found, the Rights Manager access control checks imposed by Facebook were inadequate.
Simply put, an imposter could easily wander into your anti-imposter pages without logging in first.
According to Muthiyah, pirates could actually have used Rights Manager to rip off their own copies of your reference copies, thus freebooting directly via the anti-freebooting interface:
Rights manager’s authentication mechanism is not [secure,] so it allows any Facebook user, without consent, permission to read, edit and delete source [videos].
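The flaw described above is an authorization check that stops at “is this person logged in?” and never asks “does this person own the video they are touching?”. The following is an added illustration, not Facebook’s code or Muthiyah’s proof of concept: a hypothetical source-video handler written the weak way beside the corrected per-object check, over a constructed two-user store.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class SourceVideo:
    video_id: int
    owner_id: int          # hypothetical: the account that uploaded the reference copy
    title: str

@dataclass
class Request:
    user_id: Optional[int]  # None means no session at all (not logged in)
    video_id: int

# Constructed sample store: two rights holders, one reference video each.
VIDEOS: Dict[int, SourceVideo] = {
    101: SourceVideo(101, owner_id=1, title="my cool new video"),
    102: SourceVideo(102, owner_id=2, title="someone else's film"),
}

class Forbidden(Exception):
    pass

def weak_handler(req: Request) -> SourceVideo:
    """Authentication-only gate: any logged-in user reaches any video.
    This is the shape of the bug reported above: the identity of the caller
    is verified, but it is never compared with the owner of the object."""
    if req.user_id is None:
        raise Forbidden("login required")
    return VIDEOS[req.video_id]          # no ownership check at all

def hardened_handler(req: Request) -> SourceVideo:
    """Authorize per object: the caller must own the specific video requested.
    The same gate must sit in front of read, edit and delete alike."""
    if req.user_id is None:
        raise Forbidden("login required")
    video = VIDEOS.get(req.video_id)
    if video is None or video.owner_id != req.user_id:
        # One response for "missing" and "not yours", so error text does not
        # reveal which video IDs exist.
        raise Forbidden("not found")
    return video

def allowed(handler: Callable[[Request], SourceVideo], req: Request) -> bool:
    """True if the handler would serve the request, False if it refuses."""
    try:
        handler(req)
        return True
    except Forbidden:
        return False
```

Run `allowed(weak_handler, Request(user_id=2, video_id=101))` against `allowed(hardened_handler, ...)` to see user 2 reach user 1’s reference copy in the first case and be refused in the second.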
Facebook fixed the problem quickly, and awarded Muthiyah his $4000 bounty.
Hats off to both sides: Muthiyah for responsible disclosure, and Facebook for prompt action.
And remember: if you’re building a set of programming interfaces that you plan to open up over the internet…
…test, and test, and test again.
Even Zuck’s team doesn’t always get it right.