Saved February 14, 2026
This article examines a security flaw in the Facebook JavaScript SDK that can lead to account takeovers. Two weaknesses combine: the SDK derives callback identifiers from an insecure random number generator, and the Customer Chat plugin has a cross-site scripting vulnerability, so an attacker who can predict an identifier can get a forged message past the SDK's message-validation checks.
The article highlights a serious security vulnerability in the Facebook JavaScript SDK that could allow account takeovers in the Facebook mobile app. The issue stems from two main problems: the use of a weak random number generator (Math.random()) for generating callback identifiers and the presence of a cross-site scripting (XSS) vulnerability in the Customer Chat plugin. When a website integrates Facebook plugins, it relies on these identifiers for validating messages exchanged between the website and the embedded plugins. However, since Math.random() is predictable, an attacker can potentially guess these identifiers after observing a few outputs.
The XSS vulnerability makes things worse. The SDK accepts messages from the Customer Chat plugin and injects data directly into the DOM without proper sanitization. An attacker can exploit this by sending messages that contain malicious code. Although the SDK has checks to ensure messages come from Facebook's domain and include the correct callback identifier, the reliance on Math.random() for that identifier compromises its security. If an attacker can observe enough outputs, they could reconstruct the internal state of the random number generator and forge valid identifiers, creating a pathway to inject malicious scripts.
The article also describes how the SDK's own behaviour can be turned against it. By forcing reinitialization of the Facebook plugin iframes via specific messages, an attacker can make the PRNG produce many more outputs, which further increases the chance of predicting a valid identifier. This manipulation requires that the attacker control the top-level browsing context, but if they can embed the target site in an iframe, they can read the generated iframe names and exploit the vulnerability. Together, these factors present a significant threat both to user accounts and to the integrity of third-party websites that use Facebook's SDK.