According to CNET:
Hackers have turned their attention to Facebook's hundreds of independent applications. The results are not terribly surprising, but do not tell a good tale: app developers don't seem to know a thing about basic security, and are putting private user information at risk. As a result, malicious hackers are able to access and change what should be private user data managed by the application providers.
A very simple example is hacking Facebook username and password through static FBML. The hacker creates an application or a page that the user can find 'believable'. The user clicks on the page and checks the URL and the year the Facebook application/page was created. Facebook permits application developers to get access to large amounts of sensitive data, all without clear user consent and this way the hacker gets all the information he needs about the user.
According to the summary of 2600 article:
In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid (Facebook user ID) before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea.
The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.
Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uid's.
2. The user sifts through the URL and once found, they enter their username and password.
3. After hitting the button, the user checks the password and a page pops up stating a 'Thank you' message and a password rank page will popup.
4. When the user checks their email spam, there must be an email and it will ask the user to try their password again.
It takes a special mindset to think like a bad guy. Not everyone can switch into that mindset. For instance, I can't think of the number of times I had to tell developers on my team "It doesn't matter that you've checked the value on the client, you still need to check it on the server because the client that's talking to your server might not be your code.
To Make Sure That Your Account Doesn't Get Hacked:
1. Don't click on a link from a person you don’t know.
2. Facebook is not going to ask if your password is strong or not.
3. Never trust any Facebook Applications.