Friend list disclosure using persisted GraphQL queries and first-party application client tokens
Facebook has a GraphQL endpoint which can only be used by some of their own first-party applications. Generally, you need a user (or page) access_token to query the GraphQL endpoint. I have decided to try using Facebook for Android application's client token, but the endpoint returned an error message:
================
read from source :
================
https://www.josipfranjkovic.com/blog/facebook-friendlist-paymentcard-leak