Facebook for Developers = Settings = Basic = Contact Email.
This field is meant to be secret, for communication between the admin/dev and Facebook.
Only the Administrator of the App and the Developer role can access this field.
It was fine on a regular Graph API call to "contact_email": no data was returned. But when I changed the query to "graphql", I was able to disclose any Facebook application's contact email address.
Timeline:
===
Nov 21, 2018 - Reported.
Nov 28, 2018 - Triaged.
Dec 8, 2018 - Fixed.
Feb 12, 2019 - Bounty Awarded.