Of course real, rock-hard security is hard to get right.
But it seems to me that the issue here is that some common sense security measure wasn't employed. The author didn't even think about what APIs he/she exposed. That's very different (and more irresponsible) than not designing a competitive and solid security system up front.
But it seems to me that the issue here is that some common sense security measure wasn't employed. The author didn't even think about what APIs he/she exposed. That's very different (and more irresponsible) than not designing a competitive and solid security system up front.