This bug allows malicious attacker to view victim's Facebook contacts on locked device after accepting call and clicking "Add contacts".
This attack should be done physically where the attacker should be able to have physical access to victim's phone.
Set a lock screen for your phone then lock it.
From another account -> give your first account a call through messenger.
Click on 'ANSWER' button to answer the call -> at bottom left there is a button inside it there is a girl logo with '+' sign to add friends to the chat -> click it.
You will notice the friends list appear and you can scroll up and down to see the friends (it appeared without taking you or telling you to unlock your phone password or PIN).