Don't panic: Facebook has already fixed the problem. The developer, Nir Goldshlager, notified the social network about the issue and waited until it was resolved to go public with his discovery. He explained how it worked in a blog post published Saturday morning.
In the post, he says he was able to tweak OAuth, the service developers use to obtain the various permissions their apps need to run (for example, location data from your profile page). Goldshlager was able to manipulate OAuth so that a visitor to a Facebook page could get full access, including to inboxes, private photos and videos, with no expiration.
He notified Facebook's security team and the security flaw has been fixed. He adds, though, that many parts of the exploit stopped working if the affected user changed the account's password.