“The newest Instagram “exploit” is the goofiest I’ve seen”

Summary: A security researcher reported that attackers are exploiting Meta's AI support system to hijack Instagram accounts, including high-profile ones like the Obama White House account, simply by providing a username and asking for verification codes to be sent to an attacker-controlled email address. The exploit requires no additional verification steps: the AI accepts the request once it appears to originate from the account holder's region, which the attacker infers from the public profile. The vulnerability highlights the risks of relying on AI systems for security-critical functions, since the AI is operating exactly as designed.

Yesterday, a slew of Instagram accounts, including some high-profile ones like the Obama White House account, seemingly got hacked.

Look, I’m no spring chicken. I’ve spent almost a decade and a half identifying vulnerabilities and exploits at unicorn scale, but this is hands down the most unserious, “almost too stupid to be true” of them all.
↫ Sid at 0xsid.com

…it’s “AI”, isn’t it?

All the attacker needs to kick this off is your account username. Then, they hop on a VPN or proxy close to your city so Instagram’s security algorithms don’t suspect a thing. You can quite easily get this from your public profile or “About” section or a hundred other ways. Once it looks like the request is coming from the correct region, they tell the Meta support AI that the account is hacked and ask it to send the verification codes to an arbitrary email address they control.
↫ Sid at 0xsid.com

It’s “AI”. Yes, all you need to do to gain control over big, massively popular Instagram accounts is ask Facebook’s “AI” to send the verification codes to whatever email address you desire. That’s it. There are no other steps, no other checks, no other verification. And the worst part is that this isn’t even a hack; this is “AI” working entirely as intended.
And these tools are now coding the Linux kernel, LLVM, systemd, PulseAudio, rsync, your browser, and so much more. What could possibly go wrong?
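As an added illustration (not code from this post, from Sid's write-up, or from Meta), here is the check the post says was absent, modelled as a hypothetical policy gate in front of an assistant's "send verification code" action: the destination must already be a verified contact on file, and a match with the account's usual region is logged as a risk signal but never authorizes anything. Account records, regions and addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Account:
    username: str
    verified_emails: frozenset   # addresses the owner confirmed before any incident
    home_region: str             # region the account is normally used from

@dataclass
class RecoveryRequest:
    username: str
    deliver_to: str              # address the assistant proposes to send the code to
    request_region: str          # geolocation of the client making the request

# Constructed directory standing in for the account database (hypothetical data).
ACCOUNTS: Dict[str, Account] = {
    "example_account": Account("example_account",
                               frozenset({"owner@example.com"}), "us-dc"),
}

AUDIT_LOG: List[dict] = []   # every decision is recorded, allowed or not

def authorize_code_delivery(req: RecoveryRequest) -> Tuple[bool, str]:
    """Decide whether a recovery code may be sent for `req`.

    Returns (allowed, reason). The rule the article describes as missing:
    a code only ever goes to a contact already on file. A region match is
    recorded as a risk signal but never counts as proof of ownership.
    """
    account = ACCOUNTS.get(req.username)
    if account is None:
        verdict = (False, "unknown account")
    elif req.deliver_to.lower() not in {e.lower() for e in account.verified_emails}:
        verdict = (False, "destination is not a verified contact on file")
    else:
        verdict = (True, "destination is a verified contact")
    region_ok = account is not None and req.request_region == account.home_region
    AUDIT_LOG.append({
        "username": req.username,
        "deliver_to": req.deliver_to,
        "region_match": region_ok,   # informational only; never flips the verdict
        "allowed": verdict[0],
        "reason": verdict[1],
    })
    return verdict
```

The audit record is what a detection team would alert on: repeated denied requests naming unverified destinations for a high-profile account are the signal, regardless of how plausible the requester's region looks.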