I believe that there is a security vulnerability that provides users access to content on private user profiles. User story below:
1) While looking through photos on Luka's timeline, I came across a picture from xxbigfootguyxx that Luka commented on in the past.
2) xxbigfootguyxx has a private profile that does not allow users to see his content, unless they have been approved as his friend. I am not on his friends list.
3) Upon clicking on the photo, I was able to access all of the photos in the corresponding album, even though I am not friends with xxbigfootguyxx.
I believe that there may be a permissions issue with the comment feature.