Is a Facebook Access Token disclosure a bug?

I found a weird error message on a domain by adding an arbitrary parameter that discloses their facebook access token and app ID. I made a curl request to the graph.facebook.com/oauth/accesstoken endpoint and found that the app ID is legit as I was getting the following message:

{"error":{"message":"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings.","type":"OAuthException","code":191,"fbtrace_id":"AxEXsKbkFbd2X0JbOUyN_7S"}}

Would the facebook access token be suffice to report a bug? Technically it’s information disclosure, correct? I cannot find other relevant reports and Google isn’t really giving me anything to go off of. Thank you in advance!

Go here: https://developers.facebook.com/tools/debug/accesstoken/
Put the access token in the field and click “Debug”.
The response will give you a better insight about what is possible to do with that access token.

Hello @stefanofinding, very much appreciated as always! Seriously, you’re the man!!

1 Like

You are welcome :blush: