Facebook applications are fairly complex creatures. They interact with your account information and user page and can do pretty much anything: modify the DOM, query information about the user's account, and more.
Most interestingly, however, Facebook allows you to do this by executing your code on *.facebook.com. This means your code has the privileges to do whatever any of Facebook's own code can do -- if you can make it happen. Interactivity occurs through FBJS, a JavaScript-like language created by Facebook, which is sanitized to prevent your app from doing anything "bad".
Is the sanitization sufficient to prevent exploits? If you're familiar with JavaScript, it's actually better than you might initially expect. However, it has had holes in the past, and it presumably still has holes. This class will examine the FBJS security model, holes it's had in the past and how they could have been exploited, and current and in-development JavaScript sandboxing mechanisms.
Jeff Walden — sipb-iap-facebook at mit dot edu