That's a pretty amateur mistake for such an enormous company. Mad respect for FB, but c'mon, how'd this slip through? This was a very trivial exploit.
I don't really agree. They made all the effort to put CSRF tokens everywhere, and the vast majority are properly validated, but here there was probably some bug where they assumed the CSRF token validation check was always running, but I guess it wasn't.
It's certainly a mistake, but it was probably easy for developers and QA to miss.
They didn't validate the token, nor did they make sure the user id was valid for the request; that's two important checks that either weren't there or failed. Seems like they just weren't there, as there would have been more failures like this throughout the site. Because those checks weren't there, I'd say it was an amateur mistake. Again, if this is the case then the engineer just made an assumption that this request can only be made in a particular user state.
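Added example, not from any commenter or from the site being discussed: a minimal Python sketch of the two checks named above (CSRF token validation and binding the target user id to the session), with a fail-open handler that trusts a "check already ran" flag beside a fail-closed one. Session store, user data and the request forms are constructed inline; the flag name and handler names are hypothetical.

```python
import hmac
import secrets

# Constructed in-memory session store (stand-in for a real session backend):
# session cookie value -> session state, including the per-session CSRF token.
SESSIONS = {
    "sess-alice": {"user_id": 42, "csrf": secrets.token_hex(16)},
}
EMAILS = {42: "alice@example.invalid"}  # constructed user data

def csrf_token_valid(session, form):
    """Compare the submitted token with the session token in constant time."""
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted, session["csrf"])

def change_email_fail_open(session_id, form, checks_already_done):
    """Models the bug discussed in the thread: the handler trusts a flag
    (hypothetical) saying the CSRF check already ran elsewhere, and takes the
    user id from the form. On the path where that assumption is wrong, a
    request without any token goes through."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "unauthenticated"
    if not checks_already_done and not csrf_token_valid(session, form):
        return "rejected: bad csrf token"
    EMAILS[int(form["user_id"])] = form["email"]  # user id trusted from request
    return "ok"

def change_email_fail_closed(session_id, form):
    """Hardened handler: the token check runs on every state-changing request,
    and the account being modified must match the authenticated session."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "unauthenticated"
    if not csrf_token_valid(session, form):
        return "rejected: bad csrf token"
    if int(form.get("user_id", -1)) != session["user_id"]:
        return "rejected: user_id does not match session"
    EMAILS[session["user_id"]] = form["email"]
    return "ok"

def legitimate_form(session_id, email):
    """Constructed request as the site's own page would submit it."""
    s = SESSIONS[session_id]
    return {"user_id": str(s["user_id"]), "email": email, "csrf_token": s["csrf"]}

# Constructed cross-site request: the browser attaches the victim's cookie,
# but the form carries no token because the other origin cannot read it.
FORGED = {"user_id": "42", "email": "attacker@example.invalid"}
```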
Here's one. A use-after-free triggered due to some faulty logic.
Mistake? Yes. Amateur mistake? No. Even very experienced C/C++ programmers, such as Microsoft's top devs, may accidentally double-free, or use already-freed memory.
It is obvious they don't take basic security seriously.
I would disagree.
For a very actively developed web site, it takes very good focus to not trip up. Having a bounty program is an indication to me that they take security seriously. Fixing a security bug in a matter of hours indicates to me that they take security seriously.