
Facebook Mobile App Account Takeover Vulnerability Due to Insecure Random Number Generator and XSS in JS SDK
Tags: facebook, account takeover, vulnerability, random number generator, XSS, JavaScript SDK, mobile app, security flaw, exploit
The post describes a vulnerability in the Facebook mobile app caused by the use of a cryptographically insecure random number generator (Math.random()) for a security-sensitive value. This flaw, combined with a cross-site scripting (XSS) vulnerability in the Facebook JavaScript SDK, enabled account takeover. The author explains how these two issues were chained to bypass security protections. The report also details the reproduction method and the technical steps involved.