If something can be hacked, it probably will be hacked. So when a prominent Nokia engineer (and former Microsoft employee) says that Windows 8 web apps are highly susceptible to security breaches, one can only assume that they will be breached in just time.
Here is Ars Technica with some of the specific security holes:
Some of the problems Angel highlighted were time-honored techniques used to subvert developers’ design decisions. For example, the game Ultraviolet Dawn has an in-game currency. Players use this currency to buy various upgrades for their spaceships. The prices of the various upgrades are all stored in data files that form part of the game. These data files can be edited, making the upgrades cheaper, and hence making the in-game currency go a lot further than it normally would.
Modifying game data to make items cheaper isn’t a new attack, and is far from unique to Windows 8. The widespread use of XML to store this kind of data might make Windows 8 apps a little easier to modify than software of old—no need to patch binaries in a hex editor when you can just use Notepad—but that’s a minor detail.
A similar attack was used to remove the in-game ads from Microsoft’s own Minesweeper. Most Windows Store apps have their interfaces written in XAML, Microsoft’s XML language for user interfaces. These XAML files are stored as plain text as part of the application package and, like Ultraviolet Dawn‘s data files, they can be freely modified in Notepad. Editing Minesweeper‘s XAML allows the ad panel to be hidden from view. Removing it entirely might break the application, but hiding it is harmless and serves the purpose for the most part.