Conflict of interest
I looks like FB are, not unexpectedly, in the wrong w.r.t. privacy and handling the "feature" both before and after exposure. The young man in question, however, should have realized that he was facing a conflict of interest (do they teach that at Harvard?). A responsible thing would be approach the (prospective?) employer, disclose the issue and the exploit, ask what the employer's position on public disclosure would be (the expected "don't even think about it" and the more reasonable "thank you, give us 30 days, we'll fix it and publish it, crediting you" would be among possible responses), and then decide whether to go public against FB's will or accept the internship offer, sign the confidentiality clauses, and keep mum. It would be clear then that the first choice, while, arguably, admirably ethical, would be incompatible with the expectation of employment. As far as I understand, the guy went ahead with public disclosure without even approaching his prospective employer. He may feel ethically in the right, but he should have realized he was closing any doors a FB for himself. Not a huge loss, if you ask me, but then don't make it an issue.
The guy clearly shows technical ability and some aspects of commitment to ethics. However, I probably would not hire him, either. I would expect from an employee who finds an issue with my company's product to work internally to resolve it (and to disclose the conflict of interest regarding the ethical responsibility). And if the issue is not resolved to his/her satisfaction, then don't expect to remain employed if you break a confidentiality clause, even for a good reason. If you get fired for it then you may think the employer acted unethically, but that's still a breach of contract. (Do you want to be employed at an unethical company, by the way?) I would not hire someone who is likely to publish stuff on a personal blog without going through internal channels first.
So, while I share everybody's sentiment about FB's attitude to privacy in general and in this case in particular I cannot fault them for withdrawing the internship offer.
NB: Whether or not the internship is paid or not, and whether or not one is employed or just offered employment, and whether or not a contract (and confidentiality clauses therein) has been signed or not is, IMHO, immaterial w.r.t. the conflict of interest question.