In this age of web and mobile applications, fat clients sound practically outdated. They are, however, still in frequent use. Consider Windows and Mac applications, but also, for example, Java applications running within a browser.
It is usually quite tricky to abuse a fat client. However, once an attempt at doing so has been successful, these fat clients often turn out to have some gaping security holes. Reverse engineering or debugging sometimes bring to light major issues, such as complete reliance on the client without any serverside verification, which is a very bad idea!