With a network of over 110 million users, Facebook represents a high-profile target, both for cybercriminals and for security companies.

For the former, finding a Facebook vulnerability promises greater exposure for malware; for the latter, finding a Facebook vulnerability promises greater exposure for security software.

Last week, the U.K.'s The Daily Mail posted photos of two bikini-clad 19-year-olds, American fashion student Andrea Feick and her British friend Hannah Emerson, posing with U2 singer Bono and musician Simon Carmody in St. Tropez, France.

Typical tabloid fodder, but for the fact that the photos didn't come from a paparazzo; they were posted on Facebook by Feick and Emerson. Because nothing else of note was happening in the world, the photos became news.

Graham Cluley, senior technology consultant for Sophos, a U.K.-based security company, believes Facebook's privacy mechanics deserve some of the blame. In an online post, he notes that "joining a geographic network automatically opens up the user's whole profile to every other member of the network, no matter how stringent your previous privacy settings."

"The only problem was that American fashion student Andrea Feick was a member of the New York geographic network on Facebook, meaning that her profile was open for over a million people to view," said Cluely in a separate post. "Of course, this could all be very innocent and the girls could be family friends -- but that didn't stop the newspapers making hay about what Bono might be up to away from his wife Ali."

Thus, Cluley suggests, Feick's membership in the New York group on Facebook could have changed her privacy settings from allowing "Only Friends" access to her Facebook pictures to allowing "Networks and Friends."

Based on The Daily Mail's report, it's not clear whether the two women intended to share their photos as widely as they did. They may well have posted them without thinking about the impact that tabloid insinuations might have on their pictured companions.

Indeed, Facebook spokesperson Barry Schnitt argues that Cluley is barking up the wrong tree. He said that when a Facebook user uploads pictures, the pictures are governed by a separate privacy control that has nothing to do with one's group membership. "Whatever setting these girls put on these photos is honored," he explained.

Michael Argast, a security analyst at Sophos, conceded, "Facebook does a reasonably good job of providing privacy controls."

Nonetheless, he insisted that Facebook needs to do a better job making its privacy controls clear to its users. He said that like privacy policies on Web sites, most people don't understand privacy settings. "People end up leaking more information than they intended," he said.

While privacy issues tend to be difficult to assess, due to the fact that the absence of privacy often presents only a theoretical risk rather than an actual loss, security issues present a clearer threat for Facebook and its users.

Fortinet, another security company, on Tuesday identified a Facebook worm that is Google Reader and Picasa to dupe Facebook users into watching a malicious video file. The worm travels as a Facebook message and prompts recipients to watch an online video. In an attempt to appear more credible, the worm points to video embedded in a Google Reader or Picasa page.

"It appears that cyber criminals behind the Facebook worms registered Google Reader accounts (either manually, or automatically via phishing operations or automated captcha solvers) for the sole purpose of loading them with links to malicious sites," said Fortinet researcher Guillaume Lovet in a blog post. "Indeed, upon clicking on the tempting video frame seen in the News Reader..., the victim is redirected to a classic fake-codec (W32/Zlob.NKX!tr.dldr), Trojan-enabled site."

Schnitt said that Facebook was aware of this particular worm and it working to remediate it. He said that only a small percentage of users have been affected. He characterized security issues as "an ongoing battle," and pointed to some of Facebook's security practices. There's automated monitoring and industry cooperation, of course. In cases where user posts appear to be suspicious, Facebook will add a CAPTCHA test that must be passed to publish the post, he explained.

"The bad guys go where the users are," said Schnitt.

And where bad guys go, security companies are sure to follow.

This article was edited on 10/30 to correct the spelling of Michael Argast's name.