I've never played games on Facebook, but I did once discover that, after I purchased a game on Android for my son, he was able to make in-app purchases without authorisation. Turns out Android didn't require re-authorisation for half an hour after making an authorised purchase, which can make sense in some situations, but is a terrible idea with in-app purchases for an app you just bought for your kid.
Fortunately they quickly refunded the money. I pointed out I wanted explicit authorisation for every purchase, and I think that's what Android now does.
I had similar issue with iOS.
I didn't disable in-app purchase and right after installing the game, my 6 year old spent $55 and when I got the receipt email a day later it was too late to reverse the transaction.
Lesson learned and in-app option turned off.
Fortunately they quickly refunded the money. I pointed out I wanted explicit authorisation for every purchase, and I think that's what Android now does.