Tuesday, September 16, 2008

Facebook fills photo security hole

Facebook has filled a hole that allowed strangers to view members' photos through the mobile version of the site, a spokesman said Tuesday after being alerted to the problem by CNET News Monday night.

"Today, we learned that certain photos could be viewed by unauthorized users who employed a complicated hack," a spokesman wrote in an e-mail. "Once we were notified of the issue, it was resolved within hours. These photos are no longer available to unauthorized users. We encourage security researchers examining Facebook to practice responsible disclosure."

Basically, someone who knew the serial number of a Facebook user, which is easy to get, and knew a trick for rejiggering the URL could see private photos of that user. Small photos could also be changed to display in a larger size. The vulnerability could only be exploited with Firefox browsers.
Source: CNET