If I copy the URL for a shared or private image from sites like fbcdn.net or googleusercontent.com and open it in a logged out session, the images appear.
Shouln't this return a 403 forbidden error (like Dropbox) instead of giving a malicious user access to private content?
This is called capabilities-based security and it's a good option when you have highly distributed shared content.
All users that require access are given a unique URL which is equivalent to a token.
The drawback is that if the "token" is leaked unauthorized users will be allowed to access the content, but the scope can be limited by expiring the tokens, and in any case it's used for semipublic content only.
Also, for social network content like images the mechanisms by which the tokens can be leaked is the same mechanisms by which the images themselves can. The token is not guessable (or at least shouldn't be)
I believe the answer here is official by Facebook.
