This was the vulnerable URL:
https://mbasic.facebook.com/composer/mbasic/?c_src=share&referrer=permalink&target=[secret group id].
Replace the value of the ID in "target" parameter to the value of your target secret group. You must have two test accounts to be able to reproduce the bug. Though this bug is limited since you cannot post in that group, Facebook still resolved it.
This bug has been already fixed by Facebook Security Team and rewarded me with a $1500 bounty.
I was then again listed in the Whitehat List of Facebook (It's my 2nd time being listed)