An option in Facebook pages called “canvas“ , this option allows us to create a simple form and then we can preview it on our mobile phone or send it to any admins in our Facebook page , so we will use this option to disclose admins for any Facebook Page.
This could have let a malicious user view the list of admins of any page.
- Create any facebook page
-Victim page ID
This is the request ( Click on show image )
so change the page_id parameter to the Victim page ID and leave the parameter value empty (to tell the server to fetch all the admins on the page )
This bug is critical and serious , as you know admins names are very sensitive and classified information . Page owners are with hidden identities and sometimes it's very dangerous to reveal this identity especially when governments are seeking to find it . Facebook do not accept governments request to give them this classified information (if governments succeed in getting these names , they will sue and maybe they imprison them ) Governments or maybe mafias are seeking to buy this kind of serious bugs in the DEEP WEB .