Access developer tasks list of any Facebook Application (Bug Bounty)

Amine Aboud
1 min readFeb 1, 2021


This vulnerability could have let a malicious user access developer tasks list of any Facebook Application. Developer tasks are private informations that should be accessed only by the authorized developer of the concerned Facebook application.

While browsing I noticed a GraphQL request that was returning the tasks list of my Facebook application.

By intercepting the request and changing the appId value with the ID of a third party Facebook Application, I was able to access to the tasks list of the targeted app.

Reproduction Steps

1) Send a POST request to with required CSRF parameters and the following parameters in the request body:


Where X is the appId

The GraphQL response will return the developer tasks list of the targeted Facebook application:



January 6, 2021: Report Sent
January 8, 2021: Acknowledged by Facebook
January 13, 2021: Fixed by Facebook
February 1, 2021: Bounty awarded by Facebook




Amine Aboud

Entrepreneur & cyber security enthusiast doing bug bounty for fun.