Shlomo Narkolayev discovered that websites like Facebook and many other "protected" websites are vulnerable to clickjacking attacks.
Shlomo has informed some of the websites with the largest user bases, Facebook among them, of his findings.
Here is Facebook response:
Our team looked at this. It's standard clickjacking and not unique to Facebook. We're building some additional protections for these types of attacks and reminding people to be cautious of any message, post, or link they find on Facebook or elsewhere on the Internet that looks suspicious.
"This demo video presents how I can fool Facebook users into adding applications to their account."
"I could write a malicious application that steals users' personal info, or even a simple application that builds me a botnet of users for malicious purposes like hacking systems for SQL injection and DDoS attacks.
Using clickjacking I could also fool users into clicking whatever I want: adding me as their friend, deleting their account, and even opening their camera and microphone using Flash (versions older than 10.x), or installing Facebook applications that post their web camera and microphone every time they connect to Facebook - just use your imagination on what you want others to click on... Transfer poker chips to you???"
Here's the online demo.
Using this demo you can check whether your own website is vulnerable to clickjacking: if the site loads inside the hidden iframe and you can still click its links, buttons and other active elements through the overlay, the site is vulnerable.
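The demo works only if the browser is allowed to render the target site inside a third-party iframe. The following added example (not part of the original post) performs the defender-side counterpart of that check offline: given a site's response headers, it decides whether the standard framing controls (X-Frame-Options and the CSP frame-ancestors directive) would stop an arbitrary attacker page from framing it. The header sets at the bottom are constructed samples, not real responses.

```javascript
// Decide, from response headers, whether an arbitrary third-party page may
// frame this site. Header semantics follow the X-Frame-Options and CSP specs;
// everything else here (function and sample names) is an assumption for the example.
function framingAllowedByThirdParty(headers) {
  // Normalise header names to lower case and values to strings.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Browsers that support CSP give frame-ancestors precedence over X-Frame-Options.
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(s => s.trim())
      .find(s => s.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
      if (sources.includes("'none'")) return { framable: false, reason: "frame-ancestors 'none'" };
      // A wildcard or bare scheme lets any origin frame the page.
      if (sources.some(s => s === '*' || s === 'https:' || s === 'http:'))
        return { framable: true, reason: 'frame-ancestors permits any origin' };
      // 'self' and/or an explicit allow-list: an unrelated attacker origin is blocked.
      return { framable: false, reason: 'frame-ancestors restricted to: ' + sources.join(' ') };
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return { framable: false, reason: 'X-Frame-Options: DENY' };
    if (v === 'SAMEORIGIN') return { framable: false, reason: 'X-Frame-Options: SAMEORIGIN' };
    // Other values (e.g. the obsolete ALLOW-FROM) are ignored by modern browsers,
    // so the page is effectively unprotected.
    return { framable: true, reason: 'X-Frame-Options value not enforced by modern browsers: ' + xfo };
  }

  return { framable: true, reason: 'no framing restriction header present' };
}

// Constructed sample header sets used to exercise the check.
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  cspPartner: { 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example" },
  cspWildcard: { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': 'frame-ancestors *' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const r = framingAllowedByThirdParty(headers);
  console.log(`${name}: framable=${r.framable} (${r.reason})`);
}
```

A site that reports `framable=true` here is the case the demo above would expose; adding `X-Frame-Options: DENY` or a restrictive `frame-ancestors` directive is the fix.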