Minor Account Privacy Can Be Set to Everyone
Team Summary
Official summary from Rockstar Games
In this report, the researcher demonstrated an Insecure Direct Object Reference vulnerability that would allow Minor accounts (accounts where the owner's age is self-reported to be under 18 years old) to modify their privacy permissions to restricted settings. Ordinarily, accounts with owners between 13-17 years old are limited to "Only Me" and "Friends Only" privacy settings for sharing their Feeds and other social interactions. However, exploiting this vulnerability would allow Minor accounts to set their privacy permissions to "Everyone". In order to ensure our younger users remain protected on our services, we fixed this vulnerability so that Minor accounts can no longer set their permissions to "Everyone".
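The kind of server-side check the fix implies, shown next to an unchecked handler. This is an added example, not code from Rockstar Games or the report; the `Account` model, the function names, the level identifiers and the shape of the unchecked handler are assumptions, since the summary does not describe the actual request.

```python
from dataclasses import dataclass

# Privacy levels named in the summary; these identifiers are assumptions.
ALL_LEVELS = {"only_me", "friends_only", "everyone"}
MINOR_LEVELS = {"only_me", "friends_only"}  # self-reported age under 18


@dataclass
class Account:  # hypothetical account record held server-side
    account_id: int
    age: int  # self-reported age
    feed_privacy: str = "friends_only"


class PrivacyError(Exception):
    """Raised when a privacy change is rejected."""


def allowed_levels(account):
    # Derive the permitted set from the server's record, never from the request.
    return MINOR_LEVELS if account.age < 18 else ALL_LEVELS


def set_privacy_unchecked(store, session_account_id, target_account_id, level):
    # "Before" form (assumed): trusts the client-supplied reference and value.
    store[target_account_id].feed_privacy = level
    return store[target_account_id]


def set_privacy_checked(store, session_account_id, target_account_id, level):
    # 1. Object-level authorization: a session may only edit its own account.
    if target_account_id != session_account_id:
        raise PrivacyError("not the session's account")
    account = store.get(target_account_id)
    if account is None:
        raise PrivacyError("unknown account")
    # 2. Value authorization: the level must be valid for this age group.
    #    This also rejects values outside the known set.
    if level not in allowed_levels(account):
        raise PrivacyError("level not permitted for this account")
    account.feed_privacy = level
    return account
```

Both checks run on every write path that can change the setting, so a restriction enforced only in the client's settings page is never the sole control.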
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Submitted
Weakness: Insecure Direct Object Reference (IDOR)