It turns out that Facebook’s idea of security is bullshit. Besides all the recent problems with 3rd party apps, you can also bypass photo security be simply deleting one of the URL parameters. Basically, if you look at a picture in an album, and you want to see the other pics in that album, but don’t have permission, you just delete the “&Subj=#########” parameter from the URL. Then you can see the whole album.
I’m not posting this to help all the Facebook stalkers out there. The point is that if everyone finds out about something, Facebook is more likely to fix it. This is not exactly nuanced, expert hacking we’re talking about. It shouldn’t be this easy.