Applications in Facebook use the OAuth to communicate with the users and grand additional permissions. The user should click on the ‘Allow’ or ‘Accept’ button in order for the application to gain those permissions. A white-hat Hacker called ‘Nir Goldshlager‘ found a flaw that allow any application to gain access with full control to any Facebook account by exploiting the Facebook OAuth. This doesn’t require the user to click on any button, this is also skipped. He also created a video that demonstrates this for those who are interested to see how easy it is to gain full control to any Facebook account.
http://www.youtube.com/watch?v=UlF7TeRKzt0
Facebook: OAuth flaw allows full control to any account