Meta's AI Support Feature Exposes Instagram Accounts to Hijacking Vulnerability
Key Takeaways
- Instagram's AI support feature can be abused to have a password reset code sent to an attacker-controlled email address, bypassing the account's normal recovery checks
- Over 100 high-value Instagram accounts have already been hijacked using this vulnerability
- The technique is widely known in blackhat circles and is actively being used to compromise accounts
Summary
A critical vulnerability in Meta's Instagram AI support feature has been exploited to hijack more than 100 high-value accounts, according to a disclosure posted on Hacker News. The flaw lies in how the AI support agent handles account recovery: it can be talked into issuing a password reset code and sending it to an email address supplied by the requester rather than to a contact method already verified on the account, which defeats the ownership check that normal password recovery relies on.
The attack as described is straightforward. The attacker connects through a VPN or proxy so the request appears to originate from the account holder's region, asks the AI agent for a password reset code for the target account, and has the code delivered to an email address they control. With that code they reset the password, sign in, and change the account's credentials and recovery details, locking out the legitimate owner. The disclosure states that the technique has been known for at least several days and is being actively exploited, with the methodology shared widely on Telegram and other platforms.
The disclosure calls on Meta to disable the AI support feature immediately until the flaw is fixed, and to return hijacked accounts and usernames to their rightful owners. This is a significant failure in Meta's AI-driven support tooling that directly affects the safety and privacy of Instagram users: an automated agent with the authority to issue recovery codes must enforce the same identity verification as the human or self-service flows it replaces. Until the issue is resolved, account holders should review the email addresses and phone numbers attached to their accounts and treat any unexpected password reset message as a sign of attempted compromise.
Recommendations
- Meta should disable the AI support feature entirely until the vulnerability is fixed and restore compromised accounts and usernames to their owners