Facebook JavaScript SDK and Facebook plugins (Math.random ca...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://ysamm.com/uncategorized/2026/01/17/math-random-facebook-sdk.html
• Blog Title: Facebook JavaScript SDK and Facebook plugins (Math.random callback prediction → Customer Chat DOM XSS → account takeover)
• Suggested Section: Pentesting Web -> PostMessage Vulnerabilities (and/or Pentesting Web -> XSS (DOM XSS) with a subsection on postMessage/event-bus bridges; optionally cross-link from XS-Leaks/window.name side channels)

🎯 Content Summary

This post is a Meta bug-bounty write-up showing how a DOM XSS sink in the Facebook JavaScript SDK’s Customer Chat message handler can be turned into a practical Facebook account takeover (ATO) in the Facebook mobile-app webview by chaining: (1) a Facebook-origin message-sending primitive, (2) prediction of a “shared secret” callback generated with Math.random(), (3) a side-channel leak of PRNG outputs via iframe window.name, (4) forced regeneration of iframes to obtain ...

🔧 Technical Details

1. Event-bus / postMessage bridging as an XSS trigger surface: If an SDK forwards cross-window messages into an internal event bus using attacker-controlled fields (e.g., g.inform("xd." + a.type, a)) and then a privileged subscriber injects message fields into the DOM (e.g., d("sdk.DOM").html(node, a.iconSVG)), an attacker who can craft a message that reaches that subscriber can trigger DOM XSS by placing HTML/JS gadget payloads in the injected field (e.g., URL-encoded <img onerror=...>).
   
   2) Breaking “shared secret” postMessage validation built on Math.random(): If message authentication relies on a token derived from Math.random() (e.g., "f" + (Math.random() * (1<<30)).toString(16)...), and the attacker can observe several outputs from the same PRNG instance, they can use constraint solving (e.g., Z3 against V8 PRNG) to recover/predict outputs and forge valid tokens. If the system emits...

🤖 Agent Actions

Summary:

• Added a new subsection on abusing Math.random-derived callback tokens in postMessage bridges, covering window.name PRNG leaks, forced reinitialization for extra outputs, parameter-pollution delivery from trusted origins, solver-based prediction, and DOM XSS trigger flow.
• Included a minimal forged message example demonstrating callback reconstruction and payload delivery through a trusted plugin endpoint.
• Updated references with the Facebook SDK writeup and V8 Math.random predictor resource.

Files Modified:

• src/pentesting-web/postmessage-vulnerabilities/README.md

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://ysamm.com/uncategorized/2026/01/17/math-random-facebook-sdk.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> PostMessage Vulnerabilities (and/or Pentesting Web -> XSS (DOM XSS) with a subsection on postMessage/event-bus bridges; optionally cross-link from XS-Leaks/window.name side channels)".

Repository Maintenance:

• MD Files Formatting: 939 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0