This object can vary from node to node when called on to the servers.
For example, description for "locale" on a App node - Specifies which locale of language to request. This is a required parameter when reading this edge.
Doc - https://developers.facebook.com/docs/graph-api/reference/v10.0/app/translations
When I looked up on the Facebook Graph API schema, the object "locale" was not assigned for a User node.
When I made call with a FB4A access token to a User node -
GET /v10.0/TARGET_USER_ID?access_token=MY_FB4A_ACCESS_TOKEN&fields=locale HTTP/1.1
Host: graph.facebook.com
Connection: close
I got a response saying -
{"locale":"en_US","id":"TARGET_USER_ID"}
After digging up, I got to know that this Localization code is a User set "Language" on Facebook.
Facebook Users can go to - https://www.facebook.com/settings?tab=language&edited=account
and set their preferred language for buttons, titles and other text from Facebook for their account on www.facebook.com .
If the target User changes his "Language", we can repeat the same call to get us the changed "Language" for that User.
Initially I thought this would not make up to a reward. Since this info is not critical or up to the bar to qualify. But I also wanted to get it fixed.
Report Timeline -
Reported on - Wednesday, May 19, 2021 at 8:52 AM
Facebook closed it as NA - Friday, May 21, 2021 at 4:16 PM
By giving the following info -
The information you're referring to is considered Public. You can learn more about what's considered Public information here:
https://www.facebook.com/help/203805466323736
Closed as NA.
My reply to Facebook - (Requested a review)
Hey!
Can I get a bit more info on this ?
The Doc says - "Some of the information you give us WHEN YOU FILL OUT YOUR PROFILE is public, such as your age range, LANGAUGE and country."
When it says, "WHEN YOU FILL OUT YOUR PROFILE" means when we edit our profile right ?
When we edit our profile with a Language, we can see it in the "about' section of our profile.
https://www.facebook.com/YOUR_USER_ID/about_contact_and_basic_info - has a Language tab which shows the added Languages.
The Language info that I am reporting here is different.
Facebook replied - Monday, May 24, 2021 at 4:29 PM
Thank you for sharing this information with us. The language that a user uses in Facebook is considered public, non-sensitive information. Therefore, this is not considered an eligible security vulnerability for our bounty program.
Closed as NA again.
My take on this -
This info is not a big risk of privacy, but the explanation given to the report saying "This is public info" just gets me curious to how can we see a Facebook User's Language preference and settings.