Now this is pure theory from me right now, but if the user is just, say, your basic Joe who uses facebook daily, then there are a number of different man-in-the-middle attacks you can do. If you control a server that he connects to (in our example, that would be the facebook server) then you can just set up a script to wait specifically for Joe and give him a malicious copy of the facebook webpage when he requests it, which will hack him without him ever knowing it. You can also set up a free sub-domain with a proxy on it with the same kind of script which will, again, hack our Joe. Similar thing can be done if you control a server / router through which he is connecting. If you just happened to be on the same network as him, maybe you can do some fancy packet injection? Dunno.