Meta Fixes Instagram Vulnerability Following Reports of Account Takeovers


A Flaw in Meta’s AI-Powered Instagram Recovery Tool Allowed Attackers to Hijack High-Value Accounts

A recently discovered vulnerability in Meta’s AI-powered account recovery tool on Instagram allowed attackers to manipulate the chatbot into sending password reset codes to unauthorized parties without proper identity verification.

The Vulnerability Exposed a Serious Flaw in the Platform’s Support Architecture

The weakness lay in the AI assistant's decision-making logic: by engaging the chatbot in conversation, attackers could prompt it to send password reset codes to parties it should never have trusted. The vulnerability stemmed from insufficient controls in that logic layer, in particular the absence of proper rate limiting and of authentication enforcement before a reset request was processed.

According to Dark Web Informer, “threat actors had weaponized Instagram’s Meta AI assistant, a tool intended to help genuine users recover access to their accounts.” Unlike traditional server-side compromises, this vulnerability existed solely within the AI’s decision-making framework, making it possible for anyone knowing a target’s username to potentially initiate an account takeover with minimal effort, provided other protections were not in place.
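The two control gaps named above (no enforced delivery destination, no rate limit per target) can be made concrete with a small policy layer that an AI assistant's "send reset code" tool call would have to pass through. The following is an added example, not Meta's or Instagram's code; the account directory, contact addresses and class names are constructed for illustration. The weak path models the class of flaw described: the assistant can be talked into naming any destination and nothing throttles repeated requests against a known handle. The hardened path removes the destination parameter entirely and rate-limits per username.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample directory for this example: username -> registered
# recovery contact. These are not real accounts.
ACCOUNTS = {
    "example_user": "owner@example.com",
}


@dataclass
class RecoveryService:
    """Policy layer sitting between an AI support assistant and the reset-code
    sender. Hypothetical; the weak path reproduces the flaw class, the hardened
    path is one way to close it."""
    max_requests: int = 3            # reset codes per username per window
    window_seconds: int = 3600
    _codes: dict = field(default_factory=dict)   # (username, contact) -> code
    _hits: dict = field(default_factory=dict)    # username -> request times

    def _issue(self, username: str, contact: str) -> str:
        # Generate a 6-digit code and record where it was delivered.
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[(username, contact)] = code
        return contact

    def weak_send_reset_code(self, username: str, contact: str) -> str:
        """Flawed: the caller (here, the chatbot) chooses the destination and
        nothing limits how often this is invoked for one target."""
        if username not in ACCOUNTS:
            raise KeyError("unknown account")
        return self._issue(username, contact)

    def hardened_send_reset_code(self, username: str, now: Optional[float] = None) -> str:
        """The tool call takes no destination: the code only ever goes to the
        contact already on file, and requests are throttled per target username
        so that knowing a handle is not enough to hammer the flow."""
        now = time.time() if now is None else now
        registered = ACCOUNTS.get(username)
        if registered is None:
            raise KeyError("unknown account")
        recent = [t for t in self._hits.get(username, []) if now - t < self.window_seconds]
        if len(recent) >= self.max_requests:
            raise RuntimeError("rate limit exceeded for username")
        recent.append(now)
        self._hits[username] = recent
        return self._issue(username, registered)

    def verify(self, username: str, contact: str, code: str) -> bool:
        """Constant-time check of a submitted code; each code is single use."""
        expected = self._codes.get((username, contact))
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        del self._codes[(username, contact)]
        return True


def demo() -> dict:
    """Run both paths against the constructed account and report outcomes."""
    svc = RecoveryService()
    attacker = "attacker@example.net"   # constructed attacker-controlled address
    out = {}
    # Weak path: a chat prompt redirects the code to the attacker's address.
    out["weak_delivered_to"] = svc.weak_send_reset_code("example_user", attacker)
    # Hardened path: the destination is not negotiable.
    out["hardened_delivered_to"] = svc.hardened_send_reset_code("example_user", now=0)
    # Hardened path: throttled once max_requests is reached inside the window.
    svc.hardened_send_reset_code("example_user", now=1)
    svc.hardened_send_reset_code("example_user", now=2)
    try:
        svc.hardened_send_reset_code("example_user", now=3)
        out["throttled"] = False
    except RuntimeError:
        out["throttled"] = True
    # Once the window slides, a legitimate owner can retry.
    out["retry_after_window"] = (
        svc.hardened_send_reset_code("example_user", now=3601) == "owner@example.com"
    )
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the assistant's tool interface should not expose a parameter an attacker can influence through conversation; when the only argument is the username, prompt manipulation cannot change where the code lands, and the per-username limit bounds abuse of a publicly known handle.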

Attackers focused on premium short-handle accounts with substantial value on the underground market, indicating a financially motivated operation designed to quickly convert access into profit. Among the targeted usernames were @hey and @jowo, valued at more than $1 million, which were quickly sold through private Telegram channels before Meta could respond.

Experts Warn of Wider Risks Associated with AI-Assisted Support Tools

Even after the patch, experts warned of wider risks in the security architecture surrounding AI-assisted support tools and their access to privileged recovery functions. Accounts protected with two-factor authentication were not affected by the attack, underscoring the importance of stronger user-side protections.

As AI tools gain deeper access to account management functions, their susceptibility to social engineering could become a critical and underestimated attack vector.
