Instagram, Facebook and WhatsApp owner Meta has fixed a critical security flaw in its AI-powered support assistant that enabled attackers to circumvent security measures and hijack high-traffic Instagram accounts, Anadolu reported, as cited by Az.
“This has been addressed and impacted accounts are being secured,” Meta communications official Andy Stone said on the social media platform X on Tuesday.
The critical vulnerability, which spread via Telegram channels before being posted publicly on X, allowed attackers to hijack accounts without having access to the victim’s email address or phone number.
Former US President Barack Obama’s White House Instagram page was also hacked, entertainment news outlet TMZ reported on 1 June. The breach came to light on Sunday through unusual posts appearing on the account.
The hack was said to involve attackers setting up a virtual private network (VPN) to appear to be in the same geographic region as the targeted user, thereby evading Meta’s automatic regional protection measures.
The attacker would then trigger a password reset, which opened a chat window with the Meta AI Support Assistant, a feature introduced globally earlier this year to automate account recovery and technical support.
The attacker is said to have instructed the automated assistant to replace the email address associated with the targeted account with the attacker’s own, which caused the chatbot to send an eight-digit verification code to the attacker.
The system then delivered a password reset link to the chat interface, which the attacker could use to set a new password and lock the original account holder out of resetting it.
Among the high-profile accounts allegedly compromised over the weekend were the inactive Barack Obama White House account, the global beauty retailer Sephora and the personal account of the US Space Force’s Chief Master Sergeant John Bentivegna.
The now-decommissioned Obama White House account, inactive since 2017, was temporarily hijacked and used to post pro-Iranian images and messages before Meta stepped in.