A significant security vulnerability in Meta’s AI-driven recovery system on Instagram has been uncovered, allowing unauthorized access to high-value accounts. The flaw, which involved bypassing verification procedures, was initially brought to light by security researchers ZachXBT and Dark Web Informer.
Vulnerability Details and Method of Exploitation
The exploit involved manipulating Instagram’s Meta AI assistant, a tool intended for helping users regain account access. Attackers managed to trick the chatbot into sending password reset codes to unverified individuals, effectively bypassing identity checks. This vulnerability was rooted in the AI’s logic layer, which did not adequately authenticate requests before processing them.
Unlike traditional server breaches, this flaw did not involve any compromise of Meta’s backend systems. Instead, it highlighted deficiencies in the AI’s controls, allowing anyone with a target’s username to initiate unauthorized account takeovers.
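To make the flaw class concrete, here is an added illustration (not Meta's code, and not a description of Instagram's actual implementation) of an AI-assisted recovery tool layer in two forms: one that trusts the assistant's request parameters, so a username is enough to redirect a reset code, and a hardened one that sends the code only to the account's registered contact and honours an enrolled second factor, matching the article's note that 2FA-protected accounts were unaffected. Account names, addresses and the `RecoveryRequest` shape are constructed for the example.

```python
# Added example, not from the original article: a minimal model of the
# "send reset code" action behind an AI recovery assistant. Everything
# here (accounts, addresses, request fields) is constructed/hypothetical.
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    registered_email: str          # the only place a code may be delivered
    two_factor_enabled: bool = False


# Constructed sample directory; no relation to real account owners.
ACCOUNTS = {
    "hey": Account("hey", "owner-hey@example.com"),
    "jowo": Account("jowo", "owner-jowo@example.com", two_factor_enabled=True),
}


@dataclass
class RecoveryRequest:
    """What the assistant passes to the tool layer after a chat turn."""
    username: str
    destination: str               # where the chat asked for the code to go
    second_factor_ok: bool = False  # has an enrolled 2FA challenge been passed?


def send_reset_code_insecure(req: RecoveryRequest) -> dict:
    """Flawed pattern: the tool trusts the assistant's parameters wholesale.
    Knowing only the username lets a request steer the code anywhere."""
    if req.username not in ACCOUNTS:
        return {"sent": False, "reason": "unknown account"}
    return {"sent": True, "to": req.destination}


def send_reset_code_hardened(req: RecoveryRequest) -> dict:
    """Hardened pattern: authorization lives below the AI layer. The
    destination is taken from the account record, never from the request,
    and an enrolled second factor must be satisfied before anything is sent."""
    acct = ACCOUNTS.get(req.username)
    if acct is None:
        return {"sent": False, "reason": "unknown account"}
    if acct.two_factor_enabled and not req.second_factor_ok:
        return {"sent": False, "reason": "second factor required"}
    # The requester-supplied destination is deliberately ignored, so no
    # chat prompt, however persuasive, can redirect the code.
    return {"sent": True, "to": acct.registered_email}
```

The point is that the assistant may decide *whether* to offer recovery, but the tool it calls must decide *where* a code goes and *what proof* is required, independently of the conversation.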
Impact on High-Value Accounts
Targeted attacks focused on premium, short-handle Instagram accounts, such as @hey and @jowo, which are highly sought after in underground markets. These accounts, collectively valued at over $1 million, were rapidly sold through private Telegram channels before Meta could intervene.
The swift nature of these transactions underscores the organized and financially driven motives of threat actors exploiting such vulnerabilities. Dark Web Informer tracked the real-time circulation of stolen accounts within Telegram groups, reflecting an emerging trend in account-takeover services.
Meta’s Response and Future Implications
In response to the exposure of this vulnerability, Meta promptly patched the flaw. A statement from the company assured that no system breach had occurred and that Instagram accounts remained secure. However, the incident has raised critical concerns regarding the security framework of AI-assisted support tools and their role in account recovery processes.
Despite the patch, experts emphasize the importance of strengthening security measures. Accounts protected by two-factor authentication (2FA) were not affected by this incident. It is strongly advised to enable app-based 2FA, use a private email address, avoid password reuse, regularly check login activity, and securely store backup codes.
Meta’s swift response highlights the need for enhanced security protocols as AI tools gain more control over account management. The potential for social engineering exploits necessitates stricter safeguards to protect sensitive account functions.
