Yesterday, a slew of Instagram accounts, including some high profile ones like the Obama White House account, seemingly got hacked.
Look, I’m no spring chicken. I’ve spent almost a decade and a half identifying vulnerabilities and exploits at unicorn scale, but this is hands down the most unserious, "almost too stupid to be true" of them all.
The Takeover Flow #
Step 01: Faking the Location & Initiating Support
All the attacker needs to kick this off is your account username. Then, they hop on a VPN or proxy close to your city so Instagram's security algorithms don't suspect a thing. (You can quite easily get this from your public profile or "About" section or a hundred other ways.) Once it looks like the request is coming from the correct region, they tell the Meta support AI that the account is hacked and ask it to send the verification codes to an arbitrary email address they control.Step 02: That's It
Really, that's it. The first proper zero auth password reset I've seen in production. There appears to be no additional check as to whether the email being given is actually something the user has used before. Once the AI sends the security code to the attacker's email, the attacker passes it right back to complete the verification. The platform hands over a fresh password reset link, granting full ownership to the attacker.
Instagram's AI may or may not ask the attacker for a video selfie to prove identity. It's not particularly discerning at the moment, so something as simple as an AI animated public photo from the target's feed has been widely reported to work.
2FA Doesn't Help #
In case you're wondering, because the system treats this high-privilege recovery flow as a total account reset by the "true" owner, the original 2FA gets thoroughly bypassed in the process.
Existing sessions are revoked and the password changed with no email, text, or push notification. The actual owner can't initiate recovery because the email and phone numbers now map to the attacker. There's no human to escalate to, it's just you arguing with a chat hoping to take control back while praying they don't do it again.
And if you're part of the A/B tested accounts on which the AI support option is active, tough luck, you can't even turn it off.
Black Markets Galore #
Multiple black market Telegram groups have sprung up offering "account takeover" services at steep rates and quick turnaround times. Considering short handles are worth hundreds of thousands to even millions of dollars, it's not a surprise, really.
Accounts have been flipped, like hey
, or been used for propaganda, like obamawhitehouse
or ocmssf
, the account of the Chief Master Sergeant of the U.S. Space Force.
Patched Now #
All the Telegram groups have quieted down as Meta seems to have patched it already, but it appears this particular method was active for weeks, if not months.
The very fact that a $1.5 trillion company lacks robust guard rails and their support AI will just change anyone's linked email if you ask it nicely enough is so terrifying, if it weren't so funny.
If you've reached this far, thank you for reading! :) I thought multiple exits and retiring in my mid 30s would be fun but I've just been bored and depressed without morning Slacks and emails to wake up to. If you’re building something interesting and could use an extra set of hands to ship, or just want to say hi, feel free to reach out. My inbox is open.