Friend list disclosure using persisted GraphQL queries and first-party application client tokens
Facebook has a GraphQL endpoint which can only be used by some of their own first-party applications. Generally, you need a user (or page) access_token to query the GraphQL endpoint. I have decided to try using Facebook for Android application's client token, but the endpoint returned an error message:
================
read from source :
================
https://www.josipfranjkovic.com/blog/facebook-friendlist-paymentcard-leak
hahaha luckily i left Facebook years ago - only using diaspora* and Mastodon these days - dude i love Mastodon.
i will check that ;) thank you