
Critical Meta Chatbot Flaw Allowed Mass Instagram Account Takeovers

A severe security vulnerability in Meta's support chatbot allowed attackers to hijack Instagram accounts without any interaction from the victim. By using a VPN to spoof the target's geographic location and bypass automated defenses, hackers could initiate a conversation with the AI support tool and request that a new email address be added to the account. This flaw essentially turned the automated support system into a tool for unauthorized access.

The exploit followed a specific sequence that bypassed traditional security protocols: attackers would provide a new email address, receive a verification code at that address, and then feed that code back to the chatbot. Once the code was verified, the AI granted the power to reset the password and seize complete control of the profile. High-profile accounts, including an Obama-era White House page, were caught in the crosshairs of this vulnerability.

  • Exploit Method: Location spoofing via VPN and social engineering of the AI bot.
  • Result: Full account takeover by changing recovery emails and resetting passwords.
  • Current Status: Meta has officially patched the bug, though the total number of compromised users remains unknown.
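The root cause of the flow described above is that the verification code only proved control of the new address, not of the account. As an added illustration (not code from the article or from Meta's own system), the following constructed Python model contrasts that flawed check with one that authorises the change through the existing recovery contact; the account structure, the outbox stand-in and all addresses are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an email service: address -> last code delivered there.
OUTBOX: dict = {}

@dataclass
class Account:
    username: str
    recovery_email: str
    pending_code: Optional[str] = None   # one outstanding change request at a time
    pending_email: Optional[str] = None

def send_code(address: str) -> None:
    OUTBOX[address] = secrets.token_hex(3)

# Flawed flow (the pattern described in the article): the code goes to the NEW
# address, so anyone who controls any inbox can "prove" they may change the contact.
def start_change_flawed(acct: Account, new_email: str) -> None:
    send_code(new_email)
    acct.pending_code, acct.pending_email = OUTBOX[new_email], new_email

# Hardened flow: the code goes to the EXISTING recovery contact, so the change is
# authorised by whoever already controls the account, not by the requester.
def start_change_hardened(acct: Account, new_email: str) -> None:
    send_code(acct.recovery_email)
    acct.pending_code, acct.pending_email = OUTBOX[acct.recovery_email], new_email

def confirm_change(acct: Account, code: str) -> bool:
    """Single-use, constant-time check; the pending request is cleared either way."""
    ok = acct.pending_code is not None and hmac.compare_digest(acct.pending_code, code)
    if ok:
        acct.recovery_email = acct.pending_email
    acct.pending_code = acct.pending_email = None
    return ok

def takeover_possible(start_flow) -> bool:
    """Replay the scenario: a requester who controls only their own inbox asks for a
    change to that address and feeds back whatever code lands there."""
    victim = Account("victim", "owner@example.invalid")
    requester_inbox = "other@example.invalid"
    OUTBOX.clear()
    start_flow(victim, requester_inbox)
    code = OUTBOX.get(requester_inbox)   # the requester cannot read the owner's inbox
    if code is None:
        return False
    return confirm_change(victim, code) and victim.recovery_email == requester_inbox
```

Geolocation checks of the kind the article says a VPN defeated are a weak signal layered on top of a flow like this, not a substitute for tying authorisation to something the account owner already controls.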