On the one hand, Mangham definitely didn't have prior authorization. His actions were illegal, regardless of his intentions.
On the other hand, Facebook's long-term security has been dramatically weakened. Now, anybody who finds a vuln in Facebook isn't going to report it for fear of doing jail time.
Sounds like a fuck-up for everyone involved.
Or, you know, you follow Facebook's procedure for their bug-bounty program: https://www.facebook.com/whitehat/bounty/ Paying special attention to the following section:
Exclusions

The following bugs aren't eligible for a bounty (and we don't recommend testing for these):

- Security bugs in third-party applications (e.g., http://apps.facebook.com/%5Bapp_name%5D)
- Security bugs in third-party websites that integrate with Facebook
- Security bugs in Facebook's corporate infrastructure
- Denial of Service Vulnerabilities
- Spam or Social Engineering techniques
If you want to test any of those, you do what practically any book on "ethical hacking" ever states and you get prior authorization.