June 3, 2026

Instagram Accounts Hijacked by Tricking Meta AI Support Into Verifying Attackers as Owners

Several Instagram users had their accounts hijacked after attackers tricked Meta's AI-powered support tools into believing they were the rightful owners.

Many of those affected have been unable to regain access because Meta's automated support relies on AI chatbots that loop without offering a way to escalate to a human agent.

The attacks, first reported on Monday, targeted rare and high-value accounts. Reportedly affected were an account previously used by the Obama White House team, one belonging to app researcher Jane Manchun Wong, and the accounts @hey and @korn.

Some users said their identities had been verified through facial scans and that they had two-factor authentication enabled, yet they still lost access.

How Attackers Tricked Meta’s AI Support Into Handing Over Instagram Accounts

Multiple reports indicate that the takeover process was straightforward:

  1. The attacker begins by activating the "forgot password" feature, claiming the account was hacked.
  2. When Instagram's AI assistant requests a selfie for verification, the attacker uploads a photo taken from the target's public account.
  3. This photo is then processed through an AI video generator to create an animation.
  4. The animated video is uploaded to Meta and is accepted as a valid identity verification. Once verified, the attacker changes the associated email address.
  5. With the email updated, they initiate a password reset and receive the security code needed to take full control of the account.

User André mentioned that "Meta's AI just accepts it because it can't tell the difference between a real selfie and an AI-generated video of someone's face," adding that this method bypasses two-factor authentication.

Some reports also indicate that attackers used VPN services to appear as though they were connecting from the target's usual region, passing geolocation checks that would normally trigger a more secure login process.

A common complaint is the difficulty of reaching a human support agent during recovery. The owner of the @korn account said they spent six hours trying to contact support and received four broken links from Meta's support AI.

"We're at the point where one AI stole it, and another can't fix it, with no humans involved," the account owner said. André shared a similar experience: "You're talking to a chatbot that has no ability to help. You can't escalate to a human. You're just stuck."

Why Rare Instagram Accounts Are Targeted and How Meta Is Responding

Rare accounts, including single-letter usernames, have a high black market value, often reaching tens of thousands of dollars. Some reports say that the single-letter @e and @f accounts were obtained through an active exploit, while others suggest those usernames were secured by someone with internal access. BleepingComputer noted that it could not independently verify either claim.

Meta has not issued an official statement. The company's vice president of communications, Andy Stone, responded to a user on social media, saying that the issue has been resolved and that the company is securing the affected accounts.

BleepingComputer reached out to Meta for comment but had not received a response at the time of publication.

What Instagram Users Can Do to Reduce Their Risk

The attack takes advantage of Meta's verification and recovery systems rather than a vulnerability on the user's device, which limits what individuals can do to completely prevent it. However, users can take steps to reduce their risk and improve their chances of recovery:

  • Limit the number of public-facing profile photos that clearly show your face, as attackers use these images to create verification videos.
  • Keep your account recovery contact details, such as email and phone number, current and protected with strong, unique passwords.
  • Enable two-factor authentication, though it’s worth noting that this attack reportedly bypassed it. Still, two-factor authentication provides additional security against more common credential-based attacks.
  • Document proof of account ownership, like your original signup email and creation date, in case manual recovery becomes necessary.
  • Watch for unexpected notifications about password resets or email changes and act promptly if you see anything unusual.

The main vulnerability lies in Meta's AI-driven verification process, which accepts AI-generated face videos. Until Meta improves this aspect of its verification system, users with high-value accounts remain at higher risk.

Meta has said that the specific incidents have been resolved but has not provided details on any changes made to prevent similar AI verification bypasses from happening again.

The post Instagram Accounts Hijacked by Tricking Meta AI Support Into Verifying Attackers as Owners appeared first on gHacks.

The complete original article by Arthur Kay can be found here
