
Instagram resolved a security vulnerability that allowed attackers to take over accounts by tricking Meta’s AI-powered support chatbot into granting access. The exploit involved spoofing the victim’s location with a VPN, chatting with the Meta AI Support Assistant to add a hacker-controlled email address to the account, receiving a verification code at that address, and then having the chatbot display a “Reset Password” button to take over the account.
High-Profile Accounts Compromised
Compromised accounts included the Obama-era White House Instagram handle, inactive since 2017, and the account of U.S. Space Force chief master sergeant John Bentivegna. Security researcher Jane Wong also reported that her account was taken over: her password was changed without her knowledge, and she received multiple password-reset attempts.
How The Attack Worked
The hacker never needed to compromise the victim’s legitimate email. Instead, the chatbot sent a verification code to the hacker’s public email address, and the hacker then shared that code back with the chatbot to trigger a password reset. TechCrunch verified that the hacker’s mailbox received the code, confirming the attack chain.
Instagram’s Response And Unknown Scope
Instagram spokesperson Andy Stone said the issue was fixed on Monday, but it is unclear how many accounts were improperly accessed. The attack relied on the chatbot’s ability to add new email addresses and reset passwords without verifying control of the original email address linked to the account.
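The missing check described above can be modelled as a policy decision in front of a support assistant’s privileged tools. The following is an added illustration, not Meta’s code: a toy recovery session in which a one-time code is “delivered” to an address and echoed back, with a weak policy that accepts any echoed code and a hardened policy that only accepts proof of control of a contact verified before the session began. All names and addresses are constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    verified_emails: set            # contacts verified before the support session began

@dataclass
class Session:
    account: Account
    pending: dict = field(default_factory=dict)   # code -> address the code was sent to
    proven: set = field(default_factory=set)      # addresses whose code was echoed back

def send_code(session, email):
    """Simulated delivery: in production the code is e-mailed, never returned to the caller."""
    code = f"{secrets.randbelow(10**6):06d}"
    session.pending[code] = email
    return code

def submit_code(session, code):
    """Caller echoes a code back; record which address it proves control of."""
    email = session.pending.pop(code, None)
    if email is None:
        return False
    session.proven.add(email)
    return True

def weak_may_reset(session):
    # The flaw the article describes: echoing back *any* code the assistant sent counts
    # as authentication, even when the code went to an address supplied in this session.
    return bool(session.proven)

def hardened_may_reset(session):
    # Privileged actions (password reset, adding a recovery contact) require proof of
    # control of a contact that was already verified on the account before the session.
    return bool(session.proven & session.account.verified_emails)

def recovery_via_new_address(policy):
    """Replay the reported flow against the toy model and return the policy decision."""
    victim = Account(verified_emails={"owner@example.com"})       # constructed account
    s = Session(victim)
    code = send_code(s, "newly-added@example.net")                # unverified address
    submit_code(s, code)                                          # code echoed back
    return policy(s)

def recovery_via_existing_address(policy):
    """Legitimate owner proves control of the pre-existing verified contact."""
    owner = Account(verified_emails={"owner@example.com"})
    s = Session(owner)
    submit_code(s, send_code(s, "owner@example.com"))
    return policy(s)
```

The hardened policy still lets the real owner through while refusing a reset authorised only by a contact added during the same session.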
Featured image credits: Negative Space
