A security hole is where some attack vector within the code is overlooked (ex: injection attacks, overflows). A negligent feature is one where the steps to exploit the service were put in explicitly.
Which one does this fall into?
At some point a developer coded in a resource that bypasses any privacy data, had it approved by management/coworkers (not sure what model they use) and published it live. I'm certain many people have been exploiting this longer than that forum post existed.
Honestly? I'm willing to chalk this up to a mistake. A reasonable series of circumstances for this would also be that they missed a single permissions check on an otherwise private-only method. It's probably a single line of code, and one that exists in thousands of other places, surrounded by at least hundreds of other lines of code. An easy thing to overlook.
That's not how security should work. The default should be no-access, so that missing a line of code or making a small mistake leads to too much restriction rather than not enough. That would also help the developer notice the mistake, since the feature wouldn't work.
Agreed, but you'd be hard-pressed to find any site that has that as the standard (much less a social site, with so many inter-weaving connections), that isn't crammed down their throat by laws. Even then it's still hard to get (and keep) it correct 100% of the time, and stands in the way of making changes and new features, which are what keep social sites alive and competitive.
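Added example, not part of the thread and not the site's code: a Python sketch of the difference discussed above between per-handler checks, where one forgotten line leaks data, and a default-deny dispatcher, where the same omission breaks the feature instead. The profile data, route names and helper functions are all constructed for illustration.

```python
# Constructed data: one private profile and the viewers its owner approved.
PROFILES = {"alice": {"email": "alice@example.test", "friends": {"bob"}}}

class Denied(Exception):
    pass

def is_friend(viewer, owner):
    return viewer == owner or viewer in PROFILES[owner]["friends"]

# Per-handler checks: every handler has to remember its own permission line.
def get_email_open(viewer, owner):
    if not is_friend(viewer, owner):
        raise Denied(owner)
    return PROFILES[owner]["email"]

def export_profile_open(viewer, owner):
    # The check was forgotten here. Nothing fails, so nobody notices.
    return dict(PROFILES[owner])

# Default deny: the dispatcher refuses any handler that declares no policy.
ROUTES = {}

def route(name, policy=None):
    def register(fn):
        ROUTES[name] = (fn, policy)
        return fn
    return register

def dispatch(name, viewer, owner):
    fn, policy = ROUTES[name]
    if policy is None or not policy(viewer, owner):
        raise Denied(f"{name}: no policy granted access")
    return fn(owner)

@route("email", policy=is_friend)
def get_email(owner):
    return PROFILES[owner]["email"]

@route("export")  # policy forgotten: the route is denied to everyone
def export_profile(owner):
    return dict(PROFILES[owner])

def try_dispatch(name, viewer, owner):
    """Return the handler result, or None when access is denied."""
    try:
        return dispatch(name, viewer, owner)
    except Denied:
        return None
```

With the dispatcher, the forgotten policy on `export` shows up the first time the owner tries the feature, which is the "developer notices the mistake" effect described above.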