The hacker is not convinced of the efficiency of Facebook's defenses either. "Analyzing applications based on velocity is awesome against worms and malware that spread rapidly. However, if a single user is the desired target, it does not help so much. An attacker could easily trick the target into running a single malicious app," he said.
Facebook's application platform has long been a source of privacy and security risks. Earlier this year, it was discovered that many apps, even top ones, were sharing and in some cases selling user ids to advertisers. This allowed them to build profiles used for behavioral advertising.
Earlier this week Trend Micro reported an incident where attackers managed to serve drive-by download exploits through malicious ads displayed in a legitimate app. These are clear indications that Facebook can't guarantee a good behavior from every app on its network and the overexposed APIs are just one more thing ill-intentioned individuals can exploit.