Access Private Facebook Group’s Documents - Facebook Graph API Bug

Rahul M
2 min read · Feb 19, 2015


Recently I was working with the Facebook Graph API and found this bug. The Group reference (https://developers.facebook.com/docs/graph-api/reference/v2.2/group) and the Group Docs reference (https://developers.facebook.com/docs/graph-api/reference/v2.2/group/docs) state that reading requires:
1) The user_groups permission to retrieve any groups that the session user is a member of.
2) Any valid access token if the group is public (i.e. the group’s privacy setting is OPEN).
3) A user access token for a member of the group with the user_groups permission. (Group Docs)

But these rules aren’t enforced as documented. With an access token that was never granted the user_groups permission, we can still retrieve the details of a closed group the user is a member of, as well as the content of that group’s docs.

Impact:
An app with no group permission can read the docs of a closed group, content that is not intended to be shared outside the group. This also affects the privacy of the group itself and breaks all three rules stated in the Facebook developer docs:
1) The user_groups permission to retrieve any groups that the session user is a member of.
2) Any valid access token if the group is public (i.e. the group’s privacy setting is OPEN).
3) A user access token for a member of the group with the user_groups permission. (Group Docs)

In the PoC video, I used the JavaScript Test Console app’s access token, whose scopes are public_profile, basic_info and user_friends, and then used that token to fetch the closed group’s details and docs.

Reproduction Instructions / Proof of Concept
1) Create an app with only the basic profile permission and obtain a user access token.
2) Request graph.facebook.com/v2.2/<group-id> to get the closed group’s details, and graph.facebook.com/v2.2/<group-id>/docs to get that group’s docs.
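To make the authorization gap concrete, here is an added example (my own model, not Facebook’s code) of the three documented rules as a server-side check, with a switch that reproduces the behaviour reported above. The Token and Group classes, the user and group ids, scope sets and doc contents are all constructed assumptions.

```python
# Added example (not Facebook's own code): a small model of the three
# authorization rules quoted above from the Graph API docs, with a switch that
# reproduces the behaviour the post reports. All ids, scopes and docs are
# constructed sample data.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Token:
    user_id: str
    scopes: frozenset   # OAuth scopes granted to the app, e.g. {"user_groups"}

@dataclass
class Group:
    group_id: str
    privacy: str        # "OPEN", "CLOSED" or "SECRET"
    members: frozenset
    docs: list = field(default_factory=list)

def read_group(token, group, edge, enforce_scope=True):
    """Serve /<group-id> (edge="details") or /<group-id>/docs (edge="docs").

    enforce_scope=False models the bug: only membership is checked and the
    user_groups scope is ignored, so a token holding just public_profile and
    user_friends still reads a closed group's docs. enforce_scope=True is
    the documented rule: OPEN groups need any valid token; closed-group
    details and all docs need membership AND user_groups."""
    is_member = token.user_id in group.members
    has_scope = "user_groups" in token.scopes or not enforce_scope
    details = {"id": group.group_id, "privacy": group.privacy}
    if edge == "details" and (group.privacy == "OPEN" or (is_member and has_scope)):
        return details
    if edge == "docs" and is_member and has_scope:
        return list(group.docs)
    raise PermissionError(f"{edge}: membership and user_groups scope required")

# Constructed data mirroring the PoC: a member's token issued to an app that
# only requested basic profile scopes, used against a closed group.
CLOSED_GROUP = Group("1001", "CLOSED", frozenset({"u1", "u2"}),
                     ["Members-only meeting notes"])
BASIC_TOKEN = Token("u1", frozenset({"public_profile", "user_friends"}))

def docs_leak(token=BASIC_TOKEN, group=CLOSED_GROUP):
    """True if the buggy path returns docs that the documented rule denies."""
    leaked = read_group(token, group, "docs", enforce_scope=False)
    try:
        read_group(token, group, "docs")
        return False
    except PermissionError:
        return bool(leaked)
```

The point the model makes is that membership (who the user is) and scope (what the app was delegated) are separate checks, and the bug is the server trusting the first alone.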

Timeline

I reported this bug on Feb 8th; it was fixed within 4–5 days, and the Facebook panel decided to award $1500 as the bounty.

Developer/Whitehat ~ 🍎 WWDC 2017 Scholarship Winner ~ Found security bugs in Apple, Amazon, Facebook, Google, Yahoo, UnitedAirlines & much more. www.rahulm.me