Question: Why show you a Facebook security exploit? Answer: So you get scared, and do something about it.

Scenario: Your albums are completely open to be viewed by everyone, not just people on your friends list. No programming or scripting is necessary. You can do it all in seconds by hand. Let me explain.

We all know about the 'View photos of Dave (140)' link which appears under your name in your profile. People can click on this link and they have permission to view pictures tagged of you, as long as they are your friend. Seems reasonable, right? If a picture of your friend appears in someone else's album, even if you are not a friend of the person who took the photo, you can see that one picture of your friend through this link.

For example, if you click on my profile, then "photos of Dave", and click the first photo of me tagged by others, you will arrive at:

http://mun.facebook.com/photo.php?pid=1121004&op=1&view=all&subj=106500304&id=641290203

When you click on "NEXT", you will be taken to the next chronologically tagged picture of me. You have no access to the rest of the pictures in the album from which that picture was taken, unless you are the taker's friend, right? Absolutely wrong.

First, we take a look at the way the URL string is formed for viewing photos:

http://mun.facebook.com/photo.php?

This tells Facebook to load the photo.php page, onto which it will display the picture that the arguments passed in the URL tell it to. The arguments that matter are as follows:

pid=1121004
The photo ID which Facebook uses to store the photo in its database. Not very important at this time.

&subj=106500304
This tells Facebook that this photo contains a tag of 106500304, which in this case happens to be me. Facebook stores you as a number, not a name. Everything about you only has meaning inside this number. This number gives you, as my friend, permission to see this photograph that has me tagged in it.

&id=641290203
This is the owner of the photograph. This photo is inside an album owned by this person. You'd think the security lay inside this number... lol

So what you did when you typed the URL into the bar was say: hey Facebook, show me photo 1121004, which I have permission to view because 106500304 is tagged in it, and which 641290203 happens to own.

So let's try an experiment. Remove the "&subj=106500304" part from your address bar, then hit ENTER. Congratulations, you hacker... you are now inside that person's album. Hitting the "NEXT" button will now allow you to browse the entire album of that person, even if their profile name and album name are grayed out. Why? Because apparently this is all it takes to switch from 'Looking at pictures of my friend Dave' to 'Looking at the album in which the picture is stored'.

So to repeat, the steps:
1) Find a picture your friend is tagged in
2) Remove the "&subj=XXXXXX" from the URL, hit enter
3) Click next, enjoy the album!
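An added illustration, not part of the original post: a small Python model of the navigation and authorization logic the bug implies, with a hardened version next to it. The friend and photo tables, the album order and the function names are constructed assumptions, not Facebook's code; the point is that a tag-based grant on one photo must never turn into access to the whole album.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data, not real Facebook records. Viewer "A" is a friend of
# Dave (106500304) but not of the album owner (641290203). Photo 1121004 sits in
# the owner's album and tags Dave; 1121005 is in the same album with no tags.
FRIENDS = {"A": {"106500304"}, "106500304": {"A", "641290203"}}
ALBUM = ["1121004", "1121005"]  # the owner's album, in chronological order
PHOTOS = {
    "1121004": {"owner": "641290203", "tags": {"106500304"}},
    "1121005": {"owner": "641290203", "tags": set()},
}

def parse_photo_url(url):
    """Pull out the query arguments the post discusses (pid, subj, id)."""
    q = parse_qs(urlparse(url).query)
    return {k: q[k][0] for k in ("pid", "subj", "id") if k in q}

def is_friend(viewer, user):
    return viewer == user or user in FRIENDS.get(viewer, set())

def can_view_photo(viewer, pid):
    """Per-photo check: friend of the owner, or friend of someone tagged in it."""
    photo = PHOTOS[pid]
    return is_friend(viewer, photo["owner"]) or any(
        is_friend(viewer, t) for t in photo["tags"])

def candidates_after(args):
    """Photos after args['pid']; with subj present, only those that tag subj."""
    later = ALBUM[ALBUM.index(args["pid"]) + 1:]
    if "subj" in args:
        return [p for p in later if args["subj"] in PHOTOS[p]["tags"]]
    return later

def next_photo_vulnerable(viewer, args):
    """The behaviour the post describes: the tag-based grant on the first photo
    is treated as access to the album, so the album branch is never re-checked."""
    if not can_view_photo(viewer, args["pid"]):
        return None
    nxt = candidates_after(args)
    return nxt[0] if nxt else None  # no per-photo authorization on this path

def next_photo_fixed(viewer, args):
    """Hardened: the client-supplied subj only narrows navigation; every photo
    that gets rendered passes the same per-photo check."""
    for p in candidates_after(args):
        if can_view_photo(viewer, p):
            return p
    return None
```

Run with the URL from the post: with subj stripped, the vulnerable "next" hands viewer A the untagged photo 1121005, while the fixed version returns nothing because A is neither the owner's friend nor a friend of anyone tagged in it.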