It's been a while since I posted any of my findings, so I just decided to share a recently patched issue in Facebook.
In the news: http://magazine.vulnerability-db.com/?q=articles/2014/12/23/facebook-social-network-privacy-issue-disclosed-bug-bounty-program-whitehat
This issue is more or less expected behavior. When an account is converted to a page, Facebook never removes data such as the friends list and messages (in case the user wants to turn the page back into a normal account). In practice, that means we always remain friends with the people who were our friends at the time of the conversion.
Thus, we are able to see their posts with the "Friends" privacy setting by navigating to their page, even though our account is a page and can't be friends with anyone.
Facebook fixed this immediately by removing the friend list (or moving it into a separate backup table), but the fix then created a new issue: when they removed the friend list, they didn't remove the serialized list of Friends of Friends. I admit, "Friends of Friends" is exactly like "Public", considering the recursion to one another. But still, this called this,
2014-11-01: Response (Facebook Security Team - Bug Bounty Program)
2014-11-13: Vendor Fix/Patch (Facebook Developer Team)
2014-11-15: Second Report
2014-12-13: Vendor Fix/Patch (Facebook Developer Team - Bug Bounty: ****$)
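
A minimal model of the two flaws described above, as an added example that is not Facebook's code or part of the original post: the `Account` fields, the function names and the sample accounts are all hypothetical. It compares a privacy check that trusts stored relationship data with one that also requires the viewer to be a regular account, across the original conversion, the incomplete first fix, and a conversion that clears the derived list too.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    kind: str = "user"                              # "user" or "page"
    friends: set = field(default_factory=set)       # live friend edges
    fof_cache: set = field(default_factory=set)     # serialized friends-of-friends
    backup: set = field(default_factory=set)        # kept so conversion can be undone

def convert_original(a):
    a.kind = "page"                                 # relationship data left in place

def convert_first_fix(a):
    a.kind = "page"
    a.backup, a.friends = a.friends, set()          # friend list moved, cache forgotten

def convert_complete(a):
    convert_first_fix(a)
    a.fof_cache = set()                             # derived data cleared as well

def can_view_naive(viewer, owner, audience):
    """Trusts whatever relationship data is stored on the viewer."""
    if audience == "public":
        return True
    if audience == "friends":
        return owner in viewer.friends
    if audience == "friends_of_friends":
        return owner in viewer.friends or owner in viewer.fof_cache
    return False

def can_view_hardened(viewer, owner, audience):
    """Also requires the viewer to be a regular account for non-public posts."""
    if audience != "public" and viewer.kind != "user":
        return False
    return can_view_naive(viewer, owner, audience)

def scenario(convert, check):
    # Constructed sample: "alice" is a friend, "bob" a friend of a friend.
    viewer = Account("converted", friends={"alice"}, fof_cache={"bob"})
    convert(viewer)
    return check(viewer, "alice", "friends"), check(viewer, "bob", "friends_of_friends")

if __name__ == "__main__":
    for conv in (convert_original, convert_first_fix, convert_complete):
        print(conv.__name__, scenario(conv, can_view_naive), scenario(conv, can_view_hardened))
```

The hardened check denies access even when stale data survives a conversion, so it does not depend on every derived list being cleaned up.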