Meta AI Support Chatbot Exploited in Instagram Account Hijacking Campaign
Key Takeaways
- Attackers exploited Meta's AI Support Assistant to reset Instagram passwords without access to the victim's actual email account
- The vulnerability affected high-profile accounts including government institutions and security researchers
- The flaw relied on the chatbot's willingness to authorize password resets based on verification codes it had itself sent, creating a self-referential verification loop
Summary
Meta's Instagram platform experienced a security breach where attackers exploited the Meta AI Support Assistant chatbot to hijack user accounts, including high-profile accounts like the Obama-era White House Instagram handle and U.S. Space Force accounts. The attack leveraged the AI chatbot's ability to process password reset requests without requiring verification through the victim's registered email address, allowing hackers to add a new email to targeted accounts and gain control.
Security researchers, among them Jane Wong, demonstrated that the exploit involved using a VPN to spoof the target's location, then tricking the AI chatbot into sending verification codes to attacker-controlled email addresses. The chatbot then authorized password resets on the strength of those verification codes, which it had itself issued, effectively bypassing the account's security measures. Meta confirmed the vulnerability was fixed on Monday, though the full scope of compromised accounts remains unclear.
Meta has patched the issue, but the incident raises concerns about AI chatbot security in account recovery systems.
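The verification loop described above, modelled as an added example (this is illustrative code written for this page, not Meta's implementation; the account, challenge and outbox types are assumptions). The weak recovery flow lets the requester choose where the code is delivered and then treats possession of that code as proof of ownership; the hardened flow only delivers codes to contacts already registered on the account and re-checks that binding before honouring the reset.

```python
# Illustrative model of the account-recovery flaw (constructed example, not Meta's code).
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class Account:
    username: str
    registered_emails: Set[str]   # contacts the owner enrolled before the reset

@dataclass
class Challenge:
    code: str
    delivered_to: str             # where the code was actually sent

# Constructed in-memory outbox standing in for an email gateway.
OUTBOX: Dict[str, str] = {}

def _issue_code(address: str) -> Challenge:
    code = f"{secrets.randbelow(10**6):06d}"
    OUTBOX[address] = code        # a real system would send an email here
    return Challenge(code=code, delivered_to=address)

def start_reset_vulnerable(account: Account, requested_email: str) -> Challenge:
    # Flaw: the requester picks the destination; the account's own contact
    # list is never consulted, so the code can land in any mailbox.
    return _issue_code(requested_email)

def start_reset_hardened(account: Account, requested_email: str) -> Optional[Challenge]:
    # Fix: a code is only ever sent to a contact already on the account.
    if requested_email not in account.registered_emails:
        return None
    return _issue_code(requested_email)

def _code_matches(challenge: Challenge, submitted: str) -> bool:
    return hmac.compare_digest(challenge.code, submitted)   # constant-time compare

def complete_reset_vulnerable(account: Account, challenge: Challenge, submitted: str) -> bool:
    # Flaw: knowing the code the assistant just sent is treated as ownership,
    # regardless of who received it (the loop described in the article).
    return _code_matches(challenge, submitted)

def complete_reset_hardened(account: Account, challenge: Challenge, submitted: str) -> bool:
    # Fix: the challenge must be bound to a registered contact AND match.
    if challenge.delivered_to not in account.registered_emails:
        return False
    return _code_matches(challenge, submitted)
```

The two `complete_reset_*` functions differ only in the `delivered_to` check; that single binding is what turns "I know the code" back into "I control a contact the owner enrolled".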