Is there anything Facebook does that doesn't take the worst privacy-invading option?
The Login facility only needed to pass some form of unique ID (generated on the fly) by Facebook in order to achieve what the users think they're getting. Do any of them realise that Facebook has gone beyond this and given up their profile details (ie who they are)?
The first example (details accessed from a local database) is dodgy but, I suppose, not illegal. The second example, where the iframe is used to make another call on Facebook, looks suspiciously like an unauthorised access.
Scum, the lot of them - and that includes any site that goes beyond mere authentication and grabs profile data.