I don't think that matters. "I hate travelling by air because the plane can crash" is a true statement for many people... but statistically, that's not the method of transportation that kills people.
The fact of the matter is... ACLs are hard to get right. It's even harder when you have various roles that can be checked against the ACL (logged in user, batch job, logged in user impersonating someone, etc.) . But in the end, complexity is what's scary, not some feature that depends on complexity.
> The fact of the matter is... ACLs are hard to get right
This sounds similar to different distros of linux. Some are security focused where nothing is allowed until it is explicitly allowed. Other distros try to be more "user-friendly" and pretty much everything is open.
Starting from a wide open starting point and then trying to batten down the hatches afterwards does seem to the harder way to do it, but that's exactly where FB is. They wanted everything open, and then had to decide to start limiting that data. FB was designed as a place to share info. If you posted it, you wanted to share it. I totally get that mentality. However, as devs, I can imagine that we have all built something that the end users use in a way not envisioned, and we've probably all had "you're holding it wrong" lines of thinking. Once you get to that point, you can alienate users by telling them to stop doing it that way or embrace what's happening, and then make it work for them. Seems like the perfect situation to where bugs can get introduced.
Which is why the point doesn't make sense. The article says tokens were leaked. There are plenty other places where such bug could happen, so it shouldn't serve as a strong validation of "User impersonation code always terrifies the bajeebus out of me".
(Not to mention it's not really user impersonation, it's just filtering your profile page based on computed access level of one of your friends.)
