We suggest that you read a late July 2010 post by Robert Abela of Acunetix regarding an XSS vulnerability discovered on Facebook which could lead to account hijacking:
The Acunetix team has produced a high-quality video demonstrating the vulnerability:
Furthermore, you should read their detailed technical explanation of the issue, which describes the impact that cross-site scripting vulnerabilities can have on social networking sites.
According to Acunetix, the vulnerability has now been fixed:
"We notified Facebook about this instance of cross-site scripting vulnerability and would like to thank the Facebook Security Team for quickly fixing this security hole."
During the same period, another critical Facebook XSS also came to light... It was submitted to our archive by a web security researcher nicknamed "AKABEY" and still appears to be working. Malicious users can exploit it to hijack the accounts of hundreds of millions of unwitting Facebook users and to infect them with malware, spyware and adware.