So, you're authenticating yourself, and searching other non-publicly-searchable people's ID? Or you're authenticating, searching your own, and seeing people who don't list themselves as public? Or, you're seeing people who aren't public, but in your friends list, and you're publicly searchable?
If it's the first, then that's definitely a problem, as anyone can be a FB user. In that case, care to post the command somewhere? This should be made known, as it's definitely a privacy concern, and FB tends to do nothing unless threatened.
Ouch, it is the first option; if logged into facebook it seems you can see any old friends list (including ones you can't normally see). The "command" is just to go to the URL in the shell command in your authenticated browser (or to faff about with cookies if you want to use lynx/wget/curl).
FB also removed the option to completely opt out of their application API at the same time they messed this up. Not impressed.
That does it, I'm off FB for good. Not for any real feelings of invasions of my privacy, it's just because they're careless and/or practically malicious.