Facebook's swift app development has been marred by security vulnerabilities: an account takeover issue stemming from the use of a cryptographically insecure random number generator (RNG) together with cross-site scripting (XSS) flaws in its JavaScript Software Development Kit (JS SDK).

Facebook Plugins: A Gateway to Vulnerabilities

Meta provides a range of embeddable plugins, including the Like button, Customer Chat plugin, and Feedback plugin. These plugins are hosted on www.facebook.com and designed for integration into third-party websites using iframe elements. The typical integration flow involves initializing the Facebook JS SDK, dynamically creating an iframe pointing to a plugin endpoint, and implementing communication between the host website and the plugin iframe.

Random Number Generation: A Security Concern

To validate incoming postMessage events, the Facebook JavaScript SDK relies on a callback identifier generated at runtime. This identifier is treated as a shared secret between the host page and the embedded plugin iframe, required for message acceptance. However, tracing the generation of this identifier reveals that it is produced by a non-cryptographic pseudo-random number generator (PRNG) – Math.random(). This introduces a critical trust boundary violation, as a value used as an authentication primitive for cross-origin messaging is generated using a mechanism that provides no unpredictability guarantees against an active attacker.

Unpredictability and Security

Math.random() is implemented as a deterministic PRNG whose internal state evolves predictably. While sufficient for non-security use cases (UI randomness, sampling, etc.), it is explicitly unsuitable for scenarios where unpredictability is relied upon for security decisions. In this case, the callback identifier functions as:

  • A message authentication token
  • A gatekeeper for privileged SDK message handlers
  • The sole barrier preventing arbitrary message injection

Once an attacker can observe a sequence of outputs from the same PRNG instance, the internal state can be inferred. This allows the attacker to:

  • Predict future outputs
  • Reconstruct recently generated past values
  • Forge valid callback identifiers without guessing

The security of the entire message validation mechanism therefore collapses if PRNG outputs can be observed.

XSS Flaws in Customer Chat Plugin

Reviewing the Facebook JavaScript SDK revealed that it registers a cross-window message listener for messages coming from the Customer Chat plugin iframe. This listener sets up handler and subscriber functions for events, including one that forwards incoming messages to an internal event system and emits an event named after the incoming message type. When the event "xd.mpn.setupIconIframe" is received, the function $CustomerChat20 is invoked with attacker-controlled data.

Exploitation: A Pathway to Account Takeover

At this stage, exploitation appears impossible due to two constraints:

  • Messages must originate from www.facebook.com
  • The attacker must know the random callback string

However, once a specific endpoint is identified through which arbitrary messages can be injected without sanitization, the security of the entire system is compromised. This allows for account takeover in Facebook's swift app development.

Conclusion

The use of a cryptographically insecure RNG and XSS flaws within Facebook's JavaScript Software Development Kit (JS SDK) has led to an account takeover issue in its swift app development. By identifying these vulnerabilities, developers can take steps to ensure the security of their applications and prevent potential breaches.