Instagram Security Flaw Exploited AI Chatbot to Hack Accounts
En resumen
Instagram fixed a security issue where hackers used Meta's AI chatbot to gain access to user accounts by tricking it into sending verification codes to hacker-controlled emails.
Resumen generado por IA
Por qué importa
A security vulnerability on Instagram allowed hackers to compromise user accounts by exploiting Meta's AI-powered support chatbot. The attack involved tricking the chatbot into sending verification codes to hacker-controlled email addresses, bypassing the need to access the victim's legitimate email.
Instagram has resolved a security issue that allowed several users’ accounts to get hacked. The attack appeared to rely on tricking Meta’s own AI-powered support chatbot into granting access to a victim’s account.
Over the weekend, several users on Reddit claimed that their Instagram accounts had been compromised, and a number of users on X warned of similar account hijackings. The compromised accounts include the Instagram handle for the Obama-era White House, which appears to have been inactive since 2017; and the account of the U.S. Space Force’s chief master sergeant John Bentinvegna.
Security researcher Jane Wong said her Instagram account was also taken over.
“The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday,” said Wong. “Quite concerning.”
A video posted on X showed the step-by-step process to hack someone’s Instagram account. The hacker allegedly used a VPN to spoof the targets’ presumed location to avoid triggering Instagram’s automated account protections. Then, the hacker opened a chat with Meta AI Support Assistant and asked the bot to add a new email address to the target’s account. The chatbot can be seen sending a verification code to the email address provided by the hacker; the hacker then shares the verification code with the chatbot, which prompts the chatbot to show a button to “Reset Password.” The hacker enters a new password and takes over the victim’s account.
TechCrunch was able to verify that the hacker’s public email mailbox, which was displayed in the video, effectively received the verification code.
The attack relied on the fact that at no point the hacker had to take over the legitimate email address linked to the victims’ Instagram account.
On Monday, Instagram spokesperson Andy Stone said in a reply to Wong’s post and others that the issue was now fixed. It’s unclear how many Instagram users had their accounts improperly accessed.
Meta did not immediately respond to TechCrunch’s request for comment.
Qué observar
Perspectiva de IA — posibilidades, no hechos
Meta will likely implement enhanced security protocols for its AI chatbots and account recovery processes.
Muy probable · En semanas
Preguntas abiertas
- How many Instagram users had their accounts improperly accessed?
- What specific vulnerabilities in the Meta AI Support Assistant were exploited?
- Were there any other methods used by hackers besides the AI chatbot exploit?
- What measures is Meta taking to prevent similar incidents in the future?
