Tell HN: Meta's AI support feature allows Instagram accounts to be stolen

  • Posted 2 hours ago by parable
  • 9 points
If the AI support option is enabled for your Instagram account (it appears to be A/B tested for only a percentage of accounts), anyone can hijack it with little effort. Simply get on a proxy or VPN close to the account's region, then ask the agent to send a code to an arbitrary email address. Once you receive the code, pass it forward to the agent, and it'll provide you with a password reset link which you can then use to sign into the account.

Posting here for any Meta employees who may be reading. This flaw has been around for at least a few days and has been used to hijack over 100 high-value Instagram accounts. The correct patch would be to disable the AI support feature entirely for the time being until this is sorted and revert accounts and usernames that have been hijacked over the last few days. This is a pretty important flaw and it's currently being exploited in blackhat circles. The steps above are public knowledge in these circles and can be found trivially on Telegram.

Edit: I wouldn't be surprised if this was never acknowledged by Meta. Several months ago in February, there was an exploit that allowed anyone to view the email address and phone number on file for any Instagram account. No acknowledgement from Meta. IMO they should've filed an SEC 8-K for an issue like that.

2 comments

    Loading..
    Loading..