Hackers tricked Meta AI into letting them take over high-profile accounts


Hackers managed to trick Meta’s AI-powered support bot into allowing them to take over a number of Instagram accounts, including some high-profile ones. This included accounts belonging to the White House, US Space Force, and security researcher Jane Wong.

Update: Meta has now revealed that around 20,000 accounts were compromised and has explained the steps it has taken in response …

In one of those “you can’t make it up” moments, hackers managed to fool Meta’s AI support chatbot into allowing them to conduct password resets on other people’s Instagram accounts. The attack method was childishly simple.

  • They began a password reset process
  • When asked to choose a method, they selected Meta AI Support Assistant
  • They asked the chatbot to add a new email address to the account
  • It did so without question, despite them not being logged in to that account
  • The chatbot sent a code to the new email address
  • They used that code to change the password
  • This process also logged out the account owner on all of their devices
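The steps above describe an authorization gap rather than a clever exploit: a support-assistant tool mutated an account on the strength of a handle typed into a chat, and then a reset code was sent to the address it had just added. The following is an added illustration written for this page, not Meta's code and not based on any knowledge of its internals. It models the reported flow against two tool implementations: one that trusts the chat-named account, and one that binds every mutation to an authenticated session for that account and sends codes only to contacts already on it. All account names, addresses and codes are constructed.

```python
"""Constructed model of the recovery-flow flaw described in the steps above.

Added illustration, not Meta's code and not based on knowledge of its
internals. Contrasts an assistant tool that trusts the handle named in chat
with one that binds mutations to the authenticated principal and sends reset
codes only to contacts already on the account.
"""
from dataclasses import dataclass, field
from typing import Optional
import secrets


class AuthorizationError(Exception):
    """Raised when a tool is asked to act on an account the caller does not own."""


@dataclass
class Account:
    handle: str
    password: str
    recovery_emails: set            # addresses the owner has already verified
    sessions: set = field(default_factory=set)


@dataclass
class ToolContext:
    """Identity the assistant's tools act under. In a password-reset flow the
    requester has proven nothing yet, so authenticated_as is None even though
    target_handle names an account."""
    target_handle: str
    authenticated_as: Optional[str] = None


class RecoveryService:
    def __init__(self, accounts):
        self.accounts = {a.handle: a for a in accounts}
        self.pending_codes = {}     # (handle, email) -> code

    def _issue_code(self, handle, email):
        code = secrets.token_hex(4)
        self.pending_codes[(handle, email)] = code
        return code                # stands in for "emailed to the address"

    def reset_password(self, handle, email, code, new_password):
        if self.pending_codes.get((handle, email)) != code:
            raise AuthorizationError("bad or missing reset code")
        acct = self.accounts[handle]
        acct.password = new_password
        acct.sessions.clear()      # the step that logs the owner out everywhere
        del self.pending_codes[(handle, email)]


class VulnerableTools(RecoveryService):
    """Tool surface as the incident describes it: add an address to whichever
    account the requester names, then send a code there."""

    def add_recovery_email(self, ctx, new_email):
        acct = self.accounts[ctx.target_handle]
        acct.recovery_emails.add(new_email)           # no ownership check
        return self._issue_code(ctx.target_handle, new_email)


class HardenedTools(RecoveryService):
    """Same tool surface with two controls: mutations need an authenticated
    session for the target account, and codes go only to existing contacts."""

    def add_recovery_email(self, ctx, new_email):
        if ctx.authenticated_as != ctx.target_handle:
            raise AuthorizationError("adding a contact requires a logged-in session")
        acct = self.accounts[ctx.target_handle]
        acct.recovery_emails.add(new_email)
        return self._issue_code(ctx.target_handle, new_email)

    def send_reset_code(self, ctx, destination):
        acct = self.accounts[ctx.target_handle]
        if destination not in acct.recovery_emails:
            raise AuthorizationError("codes go only to addresses already on file")
        return self._issue_code(ctx.target_handle, destination)


def attempt_takeover(tools_cls):
    """Replays the reported steps against a tool implementation. Returns True
    if an unauthenticated requester ends up controlling the account."""
    victim = Account("victim", "correct-horse", {"owner@example.test"}, {"phone", "laptop"})
    tools = tools_cls([victim])
    ctx = ToolContext(target_handle="victim")          # requester is not logged in
    attacker_email = "attacker@example.test"           # constructed value
    try:
        code = tools.add_recovery_email(ctx, attacker_email)
        tools.reset_password("victim", attacker_email, code, "pwned")
    except AuthorizationError:
        return False
    return victim.password == "pwned" and not victim.sessions


def legitimate_recovery():
    """The hardened tools still let a locked-out owner recover through an
    address that was already on the account before the request."""
    acct = Account("owner", "old-pass", {"owner@example.test"}, {"phone"})
    tools = HardenedTools([acct])
    ctx = ToolContext(target_handle="owner")
    code = tools.send_reset_code(ctx, "owner@example.test")
    tools.reset_password("owner", "owner@example.test", code, "new-pass")
    return acct.password == "new-pass"


if __name__ == "__main__":
    print("vulnerable tools:", attempt_takeover(VulnerableTools))   # True
    print("hardened tools:  ", attempt_takeover(HardenedTools))     # False
    print("owner recovery:  ", legitimate_recovery())               # True
```

The point the model makes is that an agent's tools must carry the caller's proven identity, not the identity the caller claims in conversation; a recovery flow is unauthenticated by design, so any contact-changing tool reachable from it has to refuse unless the session already belongs to the target account.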

Dark Web Informer posted a video of the exploit in action.

TechCrunch reports that victims included some high-profile Instagram accounts.

The compromised accounts include the Instagram handle for the Obama-era White House, which appears to have been inactive since 2017; and the account of the U.S. Space Force’s chief master sergeant John Bentivegna. Security researcher Jane Wong said her Instagram account was also taken over.

Around 20,000 accounts compromised

SecurityWeek reports that Meta has now revealed that around 20,225 Instagram accounts were compromised. A small number of these may have been genuine user requests, but the overwhelming majority will have been hacks.

The attackers could have obtained profile information, email addresses, phone numbers, dates of birth, direct messages, social media posts, and information on account activity and interaction history.

The social media giant has disabled the abused tool and will re-enable it only after ensuring that the vulnerability has been fixed. The password reset links generated by exploiting the vulnerability have been invalidated. In addition, affected accounts have been enrolled in a mandatory security checkpoint and their passwords have been reset.

Meta has notified owners of affected accounts.

Photo by Azamat E on Unsplash
