[peteforde]

For clarification, it's not a Facebook developer account. This is just a dummy account I've been using to verify the social graph headers are working when I post pages from an unrelated project. It's technically against FB policy to have an account that isn't a real person. This dummy user has no friends; my human friend has not interacted with it in any way.

I did post a partial screencap elsewhere in the thread. I'm not comfortable creating a video but I would be happy to provide further details to FB security folks.

For what it's worth, part of the reason I posted to HN was that it's clear to me that this is intended functionality. Bugs don't usually say "welcome back".

I believe that the risk associated with this feature dramatically outweighs the upside.