Hackers abused a logic flaw in Meta’s AI-powered account recovery assistant to hijack multiple high-profile Instagram accounts by linking attacker-controlled email addresses. The campaign bypassed fraud defenses and even 2FA in some cases, affecting accounts such as the Obama White House, Sephora, and John Bentivegna before Meta fixed the issue. #Meta #Instagram #ObamaWhiteHouse #Sephora #JohnBentivegna
Key points
- Attackers exploited a confused deputy flaw in Meta’s AI account recovery assistant.
- The chatbot linked victim accounts to attacker-controlled email addresses.
- VPNs were used to appear in the same geographic location as the targets.
- Some attackers used AI-edited selfies to bypass account ownership checks.
- High-profile accounts were compromised and sold on the dark web; the issue has now been fixed.
Read More: https://www.securityweek.com/meta-ai-hands-over-high-profile-instagram-accounts-to-hackers/