A researcher has earned a significant bug bounty after finding a severe vulnerability in Facebook’s Rights Manager copyright management tool.
Rights Manager is designed to allow publishers to protect their content by helping them identify videos posted on Facebook without permission. Publishers who complete an approval process can rely on the tool to specify permitted use rules, report content, and whitelist pages and profiles.
The tool was released earlier this year in response to an increase in freebooting, the act of downloading copyrighted videos from one platform (e.g. YouTube) and uploading them to a different platform (e.g. Facebook) without the copyright holder’s permission.
India-based bug bounty hunter Laxman Muthiyah discovered a serious flaw in Rights Manager that could have been exploited to access and change settings in any copyright holder’s account.
The expert noticed that Rights Manager uses the Graph API, which provides the primary method for apps to read and write data on Facebook. The tool’s user interface relies on a Facebook-developed app whose source code contained an access token.
Muthiyah determined that this access token could have been leveraged via the Graph API to perform various actions, including access and delete videos, and modify and delete copyright rules.
Facebook quickly patched the vulnerability and awarded Muthiyah $4,000 for responsibly disclosing the issue.
This is not the first time the researcher has found serious flaws in Facebook. Last year, he earned $12,500 for a Graph API bug that could have been exploited to delete users’ photos, and $10,000 for a syncing issue that allowed access to private photographs.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
- Apple Patches Exploited iOS Vulnerability in Old iPhones
- FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist
Latest News
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
