A new browser plugin claims to be able to exploit a loophole in Facebook’s system to display photos that would otherwise be hidden. In short: All those photos you think you’re hiding can be seen by anyone thanks to this thing.

PictureBook launched as a Chrome extension on Monday. It’s the work of Steven Goh, the developer behind the Javelin Browser for Android. The extension promises to “unblock and search for hidden pictures of anyone in Facebook.” Users don’t have to be friends for PictureBook to work; you just install it and click when you’re looking at someone’s profile.

Goh claims that the extension works thanks to a blind spot in Facebook’s current privacy settings. “Basically when you set your privacy, you are setting privacy for your own assets,” he explained. “However, if other people tagged you in pictures that are public, those can be found.

“Currently, Facebook removes all UI approaches to prevent you from searching that. That means you can’t search public tagged photos of anyone via their website.” PictureBook works around that limitation to surface photos that are not actually protected by the tagged person’s settings, merely absent from the standard search interface.

“What this extension does is that it crafts the search URL for all publicly tagged photos of anyone (which the victim has no control over), and shows it. Even if they are not friends.”

The extension does its work through Facebook’s Graph Search, first finding a user’s unique numeric Facebook ID, then using that ID to find photos uploaded by others in which the person has been tagged. If someone else uploaded the picture and shared it publicly, it can be found, regardless of the tagged person’s own privacy settings.


While exploiting the weak spots of major tech companies might seem like a heavy undertaking, Goh said it was a fairly simple exercise. “It was really a one-day project I built over the weekend.”

Why make the extension in the first place? “I built it primarily to raise awareness about such defects/loopholes with giant tech companies,” he explained.

Goh did offer up two tips as to how to avoid having unwanted photos show up in PictureBook or in other apps like it that aim to work around Facebook’s limited privacy protections. His suggestions are to “Disable tagging by other people” and “untag yourself in all public photos.”
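The rule Goh describes above (visibility is set by the uploader on the photo, so a tagged person’s own settings never enter the check) and the two mitigations he suggests can be made concrete with a small model. The following is an added illustrative example, not PictureBook’s code and not Facebook’s actual authorization logic; the users, photos, audiences and helper names are constructed assumptions.

```javascript
// Toy model of uploader-controlled photo visibility (constructed example).
// The only inputs to the visibility check are properties of the photo that
// the uploader set; the tagged person's own privacy settings are never read.

const AUDIENCE = { PUBLIC: "public", FRIENDS: "friends", ONLY_ME: "only_me" };

function makeUser(id, opts = {}) {
  return {
    id,
    friends: new Set(opts.friends || []),
    allowTagging: opts.allowTagging !== false,          // "Disable tagging by other people"
    ownPhotosAudience: opts.ownPhotosAudience || AUDIENCE.FRIENDS, // applies to own uploads only
  };
}

function makePhoto(id, uploader, audience, tags = []) {
  return { id, uploader, audience, tags: new Set(tags) };
}

// Who can see a photo is decided solely by the photo's audience and the
// uploader's friend list. Nothing about the tagged users is consulted.
function canView(photo, viewerId, users) {
  if (viewerId === photo.uploader) return true;
  if (photo.audience === AUDIENCE.PUBLIC) return true;
  if (photo.audience === AUDIENCE.FRIENDS) {
    return users.get(photo.uploader).friends.has(viewerId);
  }
  return false;
}

// A "photos of <target>" query as seen by a given viewer: every photo the
// viewer may see that carries the target's tag. Friendship with the target
// is irrelevant, which is the "even if they are not friends" property.
function photosOf(targetId, viewerId, photos, users) {
  return photos
    .filter((p) => p.tags.has(targetId) && canView(p, viewerId, users))
    .map((p) => p.id);
}

// Mitigation 1: untagging removes the photo from the tag search only.
// The photo itself stays as visible as the uploader made it.
function untag(photo, userId) {
  photo.tags.delete(userId);
}

// Mitigation 2: disabling tagging refuses new tags; existing tags are untouched,
// so it must be paired with untagging to cover photos already out there.
function tag(photo, targetId, users) {
  if (!users.get(targetId).allowTagging) return false;
  photo.tags.add(targetId);
  return true;
}

// Walk through the situation in the article: alice locks down her own photos,
// bob uploads a public photo of her, and eve (a stranger) searches for her.
function scenario() {
  const users = new Map([
    ["alice", makeUser("alice", { ownPhotosAudience: AUDIENCE.ONLY_ME })],
    ["bob", makeUser("bob")],
    ["eve", makeUser("eve")], // friends with nobody
  ]);
  const alice = users.get("alice");
  const photos = [
    makePhoto("p1", "alice", alice.ownPhotosAudience, ["alice"]), // her own asset: hidden
    makePhoto("p2", "bob", AUDIENCE.PUBLIC, ["alice"]),           // bob's public photo of her
    makePhoto("p3", "bob", AUDIENCE.FRIENDS, ["alice"]),          // bob's friends-only photo
  ];

  const before = photosOf("alice", "eve", photos, users);      // ["p2"]: her setting did nothing
  untag(photos[1], "alice");
  const afterUntag = photosOf("alice", "eve", photos, users);  // []: gone from the tag search
  alice.allowTagging = false;
  const retagged = tag(photos[1], "alice", users);             // false: bob cannot re-tag her
  const stillVisible = canView(photos[1], "eve", users);       // true: the photo itself is still public

  return { before, afterUntag, retagged, stillVisible };
}
```

The last result is the caveat a practitioner should take from Facebook’s later response: untagging changes discoverability, not the photo’s audience. Someone who already has the link to bob’s public photo can still open it; only the uploader can restrict it.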

For Facebook users, PictureBook is the manifestation of fears that surfaced when Graph Search was first introduced. Graph Search has already been responsible for revealing information that was intended to stay under wraps, including outing users of Facebook apps and unveiling potentially sensitive information.

The capabilities of Graph Search present new implications, both for users who host a wide array of content on Facebook and for the company itself, which has to decide whether the powerful search feature trumps user privacy when providing results.

Facebook told the Daily Dot that it’s currently investigating the plugin.

Update 2:57pm CT, Dec. 29, 2014: According to Facebook Privacy Communications Manager Matt Steinfeld, PictureBook “isn’t revealing anything a person didn’t already have access to.”

We’re told that Goh is correct that the uploader of a photo controls who that photo is shared with. But there are other ways on Facebook to find photos you’ve been tagged in, achieving the same result as the extension. Facebook points to both Search and Activity Log as ways to find the results that PictureBook purports to uncover.

Facebook says it is also possible to remove tags on Facebook itself, while it’s unclear whether the extension offers the same sort of control.

Illustration by Max Fleishman