[Facebook] Deleted User Website information disclosed
A deprecated Graph API call was still returning website information that the user had since deleted or changed, and it kept doing so even after the user had applied the "Profile Lock" feature.
POC -
Calling the Graph servers with "user_ID?fields=website" and an FB4A access token returned the given user's website field populated with the value the user had already deleted or modified.
Example response - {"website": "http://hackingmonks.net/","id": "100006290410252"}
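The class of bug above, a deprecated endpoint resolving a field from stale data while the current one honours deletion and Profile Lock, can be caught with a regression check that runs every resolver for a field through the same visibility policy. This is an added, constructed model (not Facebook's code); the Profile fields, resolver names and sample values are assumptions, and the user id is a placeholder.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Profile:
    user_id: str
    website: Optional[str]                                # live value; None once the user deleted it
    website_history: List[str] = field(default_factory=list)  # earlier values kept in an edit log
    profile_locked: bool = False                          # "Profile Lock": non-friends get a limited view

def visible_website(profile: Profile, viewer_is_friend: bool) -> Optional[str]:
    """Privacy policy: what this viewer may see in the 'website' field right now."""
    if profile.profile_locked and not viewer_is_friend:
        return None
    return profile.website

def deprecated_resolver(profile: Profile, viewer_is_friend: bool) -> dict:
    """Models the reported bug: serves the last value ever set, ignoring deletion and Profile Lock."""
    last = profile.website if profile.website is not None else (
        profile.website_history[-1] if profile.website_history else None)
    return {"website": last, "id": profile.user_id} if last else {"id": profile.user_id}

def current_resolver(profile: Profile, viewer_is_friend: bool) -> dict:
    """Expected behaviour: the field goes through the same policy as the current API."""
    site = visible_website(profile, viewer_is_friend)
    return {"website": site, "id": profile.user_id} if site else {"id": profile.user_id}

Resolver = Callable[[Profile, bool], dict]

def find_leaks(resolvers: Dict[str, Resolver], profile: Profile, viewer_is_friend: bool) -> List[str]:
    """Regression check: names every resolver that returns a website this viewer may not see."""
    allowed = visible_website(profile, viewer_is_friend)
    return [name for name, resolve in resolvers.items()
            if resolve(profile, viewer_is_friend).get("website") not in (None, allowed)]

# Constructed sample: the user deleted the website and locked the profile.
SAMPLE = Profile("PLACEHOLDER_USER_ID", None, ["http://old.example/"], profile_locked=True)
RESOLVERS: Dict[str, Resolver] = {"deprecated": deprecated_resolver, "current": current_resolver}

if __name__ == "__main__":
    print("leaking resolvers for a non-friend viewer:", find_leaks(RESOLVERS, SAMPLE, False))
```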
Timeline -
Reported - Friday, April 9, 2021
Triaged - Tuesday, April 13, 2021
Fixed - Monday, May 24, 2021
Rewarded - Friday, June 4, 2021