jhartmann | 9 years ago

I'm not saying it's easy, I'm saying a developer using the tools and processes available at a large internet corporation building something small need not be insecure. Basically until we look at the code and the security processes in place, or do pentesting, we have no clue one way or the other. I'm mostly just saying we shouldn't discount something like this automatically as insecure. It might be terrible, it might be very well thought out and have security be one of the most important considerations that was top of mind when he coded it.

dimino | 9 years ago

I didn't mean to sound like I'm "discounting" this, though I guess I "discount" everything that hasn't had a cycle of security focused QA, let alone zero QA at all.

I bet, with no information other than what's supplied, that this system is insecure. It's not really a knock on Zuckerberg, just a statement based on my experience. I am totally open to being wrong, I just think we know more than nothing about hobby projects and their propensity to consider security secondary, tertiary, or not at all.

Admittedly, this is Mark Zuckerberg, so who knows, it might have been meticulously coded to be perfect. The guy's a bit of an obsessive, based on what I've read, so I would also not be surprised to find it's tightly locked down and very high quality code. I don't know the guy, just the general situation.