Chinmoy Kanjilal points us to an analysis by John Graham-Cumming at http://blog.jgc.org indicating how vulnerable the Facebook mail system is. It is a bit technical, but the report that Facebook is taking this seriously suggests that the analysis and criticism are correct.
Of course, that leads to the obvious question: why did this have to be pointed out to them?