When it comes down to it, this is an injection attack via web services.
Something we penetration testers see all the time. Fuzz the web application to grab information, and then craft or intercept/edit HTML packets from information we gather.
Don't overthink the problem and develop conspiracy theories about this. I doubt the NSA or anyone else purposely coded in weak routines which can be exploited in many of the applications I've tested in the past year with similar vulnerabilities.
This is just a common problem which needs to be addressed through better coding practices and better testing.
Don't be too rough on developers. You'd be amazed at the turnover rate at some companies. This means you have new developers getting placed into large development projects which have been alive for years. Pretty soon, nobody is an expert on the entire mess of coded inhumanity.