Tags: facebook, security, app-secret

What happens if somebody gets their hands on my appsecret?


According to the documentation here (http://developers.facebook.com/docs/authentication/), your app secret should never be shared:

The app secret is available from the Developer App and should not be shared with anyone or embedded in any code that you will distribute (you should use the client-side flow for these scenarios).

Why? If it is accidentally or otherwise publicly shared, could this be exploited?

What concerns should I have if this occurs? And what could somebody do with this information?

I would think I would be secure by the Site URL I have selected as being considered as part of the authentication process?

Thanks


Solution

  • The canvas URL is not used to verify requests made to the Facebook API. A malicious user can write his own application that uses your app secret to get a session with the security permissions of your app. This allows the attacker to steal all the data that your users have authorised your app to have access to, and perform all actions (wall posts etc) that users have authorised your app to perform.
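As an added example (not part of the question or answer above, and not Facebook's own code): a small Python check, using a constructed sample bundle and a placeholder secret, that flags an app secret pasted into files shipped to clients, next to the client-side config that is safe to distribute (only the app ID and redirect URI, never the secret).

```python
import re

# Placeholder value for the demo; a real app secret comes from the Developer
# App and is only ever loaded server-side from configuration, never from source.
APP_SECRET = "0123456789abcdef0123456789abcdef"  # constructed placeholder

# Constructed sample build output: static/ is shipped to browsers, server/ is not.
SAMPLE_BUNDLE = {
    "static/app.js": "const FB_APP_ID = '123456789012345';\n"
                     "const FB_APP_SECRET = '0123456789abcdef0123456789abcdef';\n",
    "static/index.html": "<script src=\"app.js\"></script>\n",
    "server/config.py": "APP_SECRET = os.environ['FB_APP_SECRET']\n",
}

# A 32-hex-character literal assigned to something named *secret* is the shape
# of an app secret pasted into code (assumption: secrets are 32 hex chars).
SECRET_ASSIGNMENT = re.compile(r"(?i)secret\W{0,3}[:=]\s*['\"]([0-9a-f]{32})['\"]")


def client_config(app_id, redirect_uri):
    """Everything the client-side (browser) flow needs; the secret stays server-side."""
    return {"appId": app_id, "redirectUri": redirect_uri}


def find_embedded_secrets(bundle, known_secret=None, shipped_prefixes=("static/",)):
    """Return (path, value) pairs for app-secret-looking literals in shipped files.

    Server-side files are skipped: they may legitimately reference the secret,
    as long as they read it from the environment rather than hard-coding it.
    """
    findings = []
    for path, content in bundle.items():
        if not path.startswith(shipped_prefixes):
            continue
        hits = {m.group(1) for m in SECRET_ASSIGNMENT.finditer(content)}
        if known_secret and known_secret in content:
            hits.add(known_secret)  # catches the exact value even without "secret" nearby
        findings.extend((path, h) for h in sorted(hits))
    return findings


if __name__ == "__main__":
    for path, value in find_embedded_secrets(SAMPLE_BUNDLE, APP_SECRET):
        print(f"app secret embedded in shipped file {path}: {value[:4]}... (rotate it)")
```

Run it as a build step; any finding means the secret must be rotated in the Developer App, since the canvas/site URL does not limit who can use it.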