Chris Soghoian has an interesting article about how a number of application developers are failing to protect against extremely basic security risks. For instance, a user can monitor all post and get requests (a system for passing data from a form which prompts users for information) coming from an application form and modify it prior to submitting the data to the application server.
The result is that hackers could theoretically spoof their identity. This is an issue that most websites are also vulnerable to. Not only are these applications vulnerable to potential spoofing attacks but occasionally they are at risk of typical SQL injection attacks. The experienced developer will build these protections into their scripts.
Given that many of these applications aren’t built by experienced developers though, there is an increasing risk that sensitive data gets manipulated. Personally, I think there are enough protections in place on Facebook’s end but the Surveillance State team is trying to paint a different picture.
I’m sure we will occasionally see an application get exploited but for the most part, Facebook has done a pretty good job in protecting against security risks.