A server-side bug that Facebook just fixed meant that enabling the Photo Sync feature would let any app with access to your phone's photos see every single photo on your Facebook profile.
This security flaw was discovered by Laxman Muthiyah, the same good-guy hacker who spotted the last major Facebook flaw. For a quick refresher, that bug let anyone who knew the right URL delete any photo on Facebook whenever they wanted.
The newest flaw spotted by Laxman isn't quite as bad as that, I'm glad to say, but it's still risky. Photo Sync is a feature that you can enable in the Facebook app. It automatically uploads any picture that you take on your phone to Facebook's servers.
These pictures are uploaded as private, and you can jump into the app to change the ones that you want your friends to see.