Meta’s AI support assistant was reportedly used by hackers to gain access to high-profile Instagram accounts.
According to reports on social media, Meta AI would change the email address associated with an Instagram account on request, allowing the password to be reset through the new address and the account to be hijacked.
To add some context, Meta introduced its AI support assistant in December to make it easier for customers to access 24/7 account support. The assistant can be used to report scams, get information on content removal, and reset passwords. It is the account-recovery path behind that last capability, reached by first changing the account’s email address, that scammers abused.
Reports of the vulnerability first appeared on X (formerly Twitter) over the weekend, with some users posting screenshots of demonstrations showing how to exploit it. In one demo, the hacker asked Meta’s new AI support bot to change the linked email address to a newly generated address of the attacker’s choosing, and the bot did it without question.
According to MacRumors, the support bot did not perform robust identity verification and, in some cases, apparently bypassed two-factor authentication entirely. All that was needed was a VPN connection set to a location near the target account. A device or location signal is a risk heuristic that anyone with a VPN can satisfy, not proof of who is asking, which makes it ironic that Meta’s blog post on the support agent reads “Our systems recognize the device you usually use and familiar location better than ever.”
Where the bot did fall back to selfie verification, hackers were reportedly able to grab a photo from the target’s own profile page and animate it with an AI image generator to fool the check.
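The failure described above is an authorization problem rather than an AI problem: the agent’s privileged tool (change the account email) ran on the strength of a familiar-looking location, with no proof that the person chatting controlled the account. The block below is an added illustration, not Meta’s code and not based on how its support agent is implemented; every class, field and threshold in it is assumed. It places a weak gate (location only) beside a hardened one (session must be authenticated as the target account, and high-risk tools require a fresh possession-based step-up), then runs a constructed VPN attacker and a constructed account owner through both.

```python
# Added illustration, not Meta's code: authorizing a support agent's
# privileged tool calls. All names, fields and thresholds are assumed.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Account:
    account_id: str
    email: str
    home_country: str      # country the account usually logs in from
    mfa_enrolled: bool


@dataclass
class Session:
    account_id: Optional[str]         # account this chat session is authenticated as; None = visitor only claims to be the owner
    ip_country: str                   # geolocation of the client IP, trivially chosen with a VPN
    mfa_verified_at: Optional[float]  # time of the last 2FA / step-up success in this session


HIGH_RISK_TOOLS = {"change_email", "reset_password", "disable_2fa"}
STEP_UP_MAX_AGE_S = 300  # assumed: step-up must be this fresh for a high-risk tool


class Denied(Exception):
    """Raised when a gate refuses to let the agent run a tool."""


Gate = Callable[[Session, Account, str, float], None]


def weak_gate(session: Session, account: Account, tool: str, now: float) -> None:
    """Treats a familiar location as proof of identity. A VPN exit near the
    victim satisfies it, which is the failure mode the article describes."""
    if session.ip_country != account.home_country:
        raise Denied("unfamiliar location")


def hardened_gate(session: Session, account: Account, tool: str, now: float) -> None:
    """Identity comes from the authenticated session, not from what the chat
    says; high-risk tools also need a fresh possession-based step-up. Location
    may lower friction elsewhere but never substitutes for these checks, and a
    selfie/liveness check is not a substitute either once an attacker can
    animate a public photo."""
    if session.account_id is None or session.account_id != account.account_id:
        raise Denied("session is not authenticated as the target account")
    if tool in HIGH_RISK_TOOLS and account.mfa_enrolled:
        stale = session.mfa_verified_at is None or now - session.mfa_verified_at > STEP_UP_MAX_AGE_S
        if stale:
            raise Denied(f"recent step-up 2FA required for {tool}")


def change_email(account: Account, new_email: str, session: Session,
                 gate: Gate, now: float) -> str:
    """The tool the agent would invoke. Returns the email now on the account."""
    gate(session, account, "change_email", now)
    account.email = new_email
    return account.email


def attempt(new_email: str, session: Session, gate: Gate, now: float) -> str:
    """Run change_email against a fresh copy of the constructed victim account."""
    victim = Account("acct-1", "owner@example.com", "US", mfa_enrolled=True)
    try:
        return change_email(victim, new_email, session, gate, now)
    except Denied as e:
        return f"denied: {e}"


def run_scenarios(now: float = 1_700_000_000.0) -> Dict[str, str]:
    """Constructed scenarios: an attacker on a VPN against each gate, and the
    real owner with and without a fresh step-up. Returns the outcome of each."""
    attacker = Session(account_id=None, ip_country="US", mfa_verified_at=None)
    owner_fresh = Session(account_id="acct-1", ip_country="FR", mfa_verified_at=now - 120)
    owner_stale = Session(account_id="acct-1", ip_country="US", mfa_verified_at=now - 3600)
    return {
        "attacker_weak": attempt("attacker@example.net", attacker, weak_gate, now),
        "attacker_hardened": attempt("attacker@example.net", attacker, hardened_gate, now),
        "owner_fresh_hardened": attempt("new-owner@example.com", owner_fresh, hardened_gate, now),
        "owner_stale_hardened": attempt("new-owner@example.com", owner_stale, hardened_gate, now),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Note that the owner logging in from an unfamiliar country still succeeds under the hardened gate because identity is established by the authenticated session and the recent step-up, while the owner with a stale step-up is sent back for re-verification before the email changes. That is the property a familiar-location heuristic cannot provide on its own.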
Meta patched the issue over the weekend, but while it was open, hackers were able to take over accounts including Obama’s White House account and that of a senior US Space Force official.
Meta is now working on “securing impacted accounts.”
Source: MacRumors
