A server-side bug that Facebook just fixed meant that enabling the Photo Sync feature would let any app with access to your phone's photos see every single photo on your Facebook profile.
This security flaw was discovered by Laxman Mutiyah, the same good-guy hacker who spotted the last major Facebook flaw. For a quick refresher, that bug let anyone who knew the right URL delete any photo on Facebook whenever they wanted.
The newest flaw spotted by Laxman isn't quite as bad as that, I'm glad to say, but it's still risky. Photo Sync is a feature that you can enable in the Facebook app. It automatically uploads any picture that you take on your phone to Facebook's servers.
These pictures are uploaded as private, and you can jump into the app to change the ones that you want your friends to see.
Paul Ducklin explains how Photo Sync made Facebook users vulnerable:
Laxman's bug was the fact that apps other than Facebook's own could read those synced photos back from the cloud. Obviously, if you've authorised an app to access the photos on your device, you have already accepted the risk of allowing that app to do unsavoury things with private snapshots you might take.
The Photo Sync bug simply extended that risk: any app with access to your phone's photos also gained access to your Facebook photos. Now, normally I'd tell you to go out and grab a patch right away, but you don't have to do that today.
The bug was entirely server-side, and Facebook quickly patched its hole. If you're a Photo Sync lover, then feel free to keep it enabled.
If you're concerned about your privacy on Facebook, then you'll definitely want to check out these five privacy features that can keep you off the radar.