Facebook Attacks: In Context

By Pete Cashmore

It seems that Facebook scams have been in the news a great deal recently: from the password-stealing phishing attack in April to the FBAction scam the following day to the "justfuns" scam early this month and the "ponbon" scam today. Twitter hasn't been immune to attack either: numerous variants of the "mikeyy" worm took over user accounts last month, posting unwanted Tweets in user streams.

Are these attacks anything new? Not at all, and you could make the case that this new generation of social networks is somewhat more secure than what went before them.

The MySpace Days


Even without malicious scripts, stealing login details was easily done: just create a fake MySpace login form, place it on a MySpace page, and wait for a few hundred users to enter their details and add the form to their own pages too. MySpace had to severely limit this "custom code" feature to prevent these attacks, which broke many MySpace add-ons and with them the ecosystem around MySpace.

Facebook and Twitter Attacks

Facebook isn't nearly as vulnerable to XSS attacks since embedding code in your page is not a major part of the experience. The biggest Facebook attack so far - the Koobface worm (artist's impression above) - instead relied on users clicking a link in a Facebook message and visiting a site to download a file. Other attacks relied upon users entering their Facebook login details on third-party sites.

Twitter, however, was vulnerable to XSS attacks because hackers realized that you could place rogue code into the "location" field of a profile - this was a major security hole since it required nothing more than visiting a page to get your account compromised. In addition, Twitter's viral nature dramatically increased the speed at which the attack spread. However, Twitter now claims to have closed this hole.
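The location-field hole described above, as an added defender-side example that is not code from Mashable or Twitter: the same profile field rendered with and without HTML escaping, plus a coarse regression check a site could run on its templates. The function names and the sample profile are constructed for illustration.

```javascript
// Added example (not Mashable's or Twitter's code). Names such as
// renderProfileUnsafe, renderProfile and escapeHtml are hypothetical.

// Constructed profile record: the "location" field carries markup typed in
// by the profile owner, exactly the field the article says was abused.
const sampleProfile = {
  name: "alice",
  location: '<script>alert("pwned")</script>',
};

// Vulnerable renderer: the field is concatenated straight into the page, so
// whatever the profile owner typed runs in every visitor's browser. Viewing
// the profile is enough; no click is required.
function renderProfileUnsafe(profile) {
  return `<p class="name">${profile.name}</p>` +
         `<p class="location">${profile.location}</p>`;
}

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => table[ch]);
}

// Hardened renderer: every untrusted value passes through escapeHtml before
// it is interpolated, so markup characters are displayed as literal text.
function renderProfile(profile) {
  return `<p class="name">${escapeHtml(profile.name)}</p>` +
         `<p class="location">${escapeHtml(profile.location)}</p>`;
}

// Coarse regression check for a templating path: does the rendered HTML still
// contain a live script-bearing tag? This is a test helper, not a sanitizer;
// the real defence is escaping on output (or a templating engine that does).
function containsRawTag(html) {
  return /<\s*(script|img|iframe|svg)\b/i.test(html);
}

console.log("unsafe leaks tag:", containsRawTag(renderProfileUnsafe(sampleProfile)));
console.log("escaped leaks tag:", containsRawTag(renderProfile(sampleProfile)));
```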

Facebook is also much safer than email: when a phishing link is found, Facebook can disable it centrally, removing it from all messages across the site. The difference is that we've learned to be cautious about links in emails, while we've learned to be very trusting of links in Facebook messages from friends. The Facebook threat is a trust issue, not a technical one with the Facebook site.
