Source : INDIA TODAY NEWS
Meta’s AI was apparently tricked into helping hackers take over high-profile Instagram accounts. The security issue was revealed over the weekend after hackers reportedly gained access to several prominent Instagram accounts, including the Obama-era White House handle, Sephora and the account of a senior US Space Force official.
The issue, which Meta says has now been fixed, allegedly allowed attackers to manipulate the company’s AI-powered support chatbot into sending password reset codes to email addresses under their control. This enabled them to gain access to accounts without compromising the owners’ inboxes or phones.
advertisement
The vulnerability was first brought to public attention by security researchers ZachXBT and Dark Web Informer, who revealed that threat actors had discovered a way to manipulate Instagram’s Meta AI assistant, a tool designed to help users recover access to their accounts. The issue gained wider attention after users on Reddit, X and Telegram began reporting account takeovers.
Among the affected accounts were reportedly the Obama-era White House Instagram handle, beauty retailer Sephora, and the account of US Space Force Chief Master Sergeant John Bentivegna.
How did hackers trick Meta’s AI?
According to videos and demonstrations shared online, the attack did not rely on sophisticated malware or phishing scams. Instead, attackers allegedly exploited Meta’s AI-powered Support Assistant, which is designed to help users recover access to their accounts.
Attackers reportedly first used a VPN to make it appear as though they were logging in from the same geographic region as the targeted account, potentially helping them avoid triggering Instagram’s automated security systems. They then visited Instagram’s login page, selected the “Forgot Password” option and opened a conversation with the Meta AI Support Assistant through the “Get Support” feature.
From there, hackers reportedly used carefully crafted prompts to convince the chatbot to add a new email address to the victim’s account. Once the AI assistant accepted the request, it sent a verification code to the attacker-controlled email address rather than the legitimate account owner.
After entering the verification code into the chatbot, attackers were allegedly presented with a password reset option. This allowed them to create a new password and gain control of the account without needing access to the victim’s actual email inbox or phone number.
In one reported variation of the exploit, attackers simply instructed the chatbot to send password reset codes directly to their own email addresses. If successful, they could use the received code to complete the takeover process.
According to a report by TechCrunch, the publication independently verified part of the attack by confirming that a public email address shown in one of the demonstration videos did receive a verification code from Instagram. However, the report also suggested that the exploit did not always work on the first attempt, with attackers sometimes needing to repeat the process before the chatbot complied.
The incident has also raised questions about the effectiveness of two-factor authentication (2FA) against the exploit. While some users claimed that 2FA-protected accounts could not be compromised using the method, others reported losing access despite having additional security measures enabled. As a result, it remains unclear exactly how the vulnerability interacted with Instagram’s authentication systems.
Instagram says the issue has now been fixed. Meta spokesperson Andy Stone confirmed on Monday that the vulnerability had been resolved, while the company said it is actively securing affected accounts.
However, Meta has not disclosed how many users were impacted. Even after the company announced the fix, some affected users said they were still struggling to regain access to their accounts.
– Ends
SOURCE :- TIMES OF INDIA
