What you are seeing is called a Like Box that is run from the Facebook servers and can be put on any Web page by anyone with a Facebook account. Here’s the code from the FBPurity site - it’s 100% run by Facebook:
<iframe scrolling="no" frameborder="0" src="http://www.facebook.com/connect/connect.php?id=408502197558&connections=10&stream=0" style="border: none; width: 300px;height: 245px;"></iframe>
If your friends are showing up in the Like box that means that you have friends that have gone to the FB Purity Facebook page and clicked “Like” (previously “Become a Fan”). The Facebook application called from the site gets information from the Facebook cookie you have in your browser and of the 5000+ “likers” shows ones that are people you know.
How on earth do you think the Web site for this application you’ve never downloaded is able to get information about your Facebook account? It can’t. But the Facebook application, hosted by Facebook, on the Facebook server that is embedded on their page can.