Is a Facebook Access Token disclosure a bug?

I found a weird error message on a domain by adding an arbitrary parameter that discloses their Facebook access token and app ID. I made a curl request to the graph.facebook.com/oauth/accesstoken endpoint and found that the app ID is legit, as I was getting the following message:

{"error":{"message":"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings.","type":"OAuthException","code":191,"fbtrace_id":"AxEXsKbkFbd2X0JbOUyN_7S"}}

Would the Facebook access token be sufficient to report a bug? Technically it's information disclosure, correct? I cannot find other relevant reports and Google isn't really giving me anything to go off of. Thank you in advance!

Go here: https://developers.facebook.com/tools/debug/accesstoken/
Put the access token in the field and click "Debug".
The response will give you better insight into what is possible to do with that access token.

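To turn the debugger's reply into a triage decision for the report, here is an added example (not code from the thread or from Facebook) that parses a response shaped like the Graph API debug_token output and rates the exposure from a defender's point of view; the sample response, its app_id, user_id and scopes are constructed values.

```python
import json
import time
from typing import Any, Dict, List, Optional

# Constructed sample modelled on the shape of a Graph API /debug_token reply.
# The ids and scopes are made up; they are not values from the thread.
SAMPLE_DEBUG_RESPONSE = json.dumps({
    "data": {
        "app_id": "000000000000000",
        "type": "USER",
        "application": "Example App",
        "expires_at": 0,  # 0 means the token never expires (long-lived)
        "is_valid": True,
        "scopes": ["email", "public_profile", "manage_pages"],
        "user_id": "111111111111111",
    }
})


def triage_token(debug_json: str, now: Optional[int] = None) -> Dict[str, Any]:
    """Summarise what a leaked token can still do, from the debugger's JSON."""
    data = json.loads(debug_json).get("data", {})
    now = int(time.time()) if now is None else now
    expires_at = int(data.get("expires_at", 0))
    scopes: List[str] = list(data.get("scopes", []))
    # A token only matters if Facebook still accepts it and it has not expired.
    valid = bool(data.get("is_valid", False)) and (expires_at == 0 or expires_at > now)
    # Scopes that let the holder act on behalf of the user or page weigh
    # more than read-only profile scopes (heuristic keyword match).
    write_like = [s for s in scopes if any(k in s for k in ("manage", "publish", "ads"))]
    if not valid:
        severity = "informational"  # revoked or expired: disclosure only
    elif write_like:
        severity = "high"
    elif scopes:
        severity = "medium"
    else:
        severity = "low"
    return {
        "valid": valid,
        "token_type": data.get("type", "UNKNOWN"),
        "never_expires": expires_at == 0,
        "scopes": scopes,
        "write_scopes": write_like,
        "severity": severity,
    }


if __name__ == "__main__":
    print(json.dumps(triage_token(SAMPLE_DEBUG_RESPONSE), indent=2))
```

Whatever the rating, the fix on the site owner's side is the same: rotate the token and stop the parameter from echoing it.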

Hello @stefanofinding, very much appreciated as always! Seriously, you’re the man!!


You are welcome :blush: