Improper Access Control in LINE Timeline API that returns a list of hidden friends

Due to an insufficient access control check in an API endpoint for LINE Timeline function, it was possible for an attacker to retrieve a hidden list of any LINE users. Users can configure the hidden list not to show someone's post on their Timeline. Using this vulnerability, an attacker can get a part of the social graph and access to user's preferences. We would like to thank @66ed3gs for his clear proof of concept using his own test accounts.