Instagram resolves security flaw exploited via Meta AI support chatbot
Security researcher Jane Wong and high-profile targets were affected by the exploit, which bypassed traditional email verification by spoofing location data.

Instagram has confirmed the resolution of a security vulnerability that allowed hackers to hijack user accounts over the weekend by manipulating Meta’s AI-powered support chatbot. The exploit enabled attackers to bypass standard authentication protocols, compromising several high-profile and personal accounts before the issue was patched on Monday.
The attack vector relied on social engineering the Meta AI Support Assistant to perform administrative actions typically restricted to verified users. According to a video demonstration posted on X, hackers used a virtual private network to spoof the victim’s geographic location, thereby avoiding triggers in Instagram’s automated account protection systems.
Once the location appeared legitimate, the attacker initiated a chat with the support bot and requested the addition of a new email address. The chatbot subsequently sent a verification code to the hacker-provided email, which the attacker entered to authenticate the change. Completing this step exposed a "Reset Password" option, allowing the hacker to set a new password and take full control of the account without access to the victim’s original linked email.
TechCrunch verified the mechanics of the attack by confirming that a public email mailbox displayed in the video received the verification code. The exploit highlighted a significant gap in the support workflow, as it allowed password resets to unlinked addresses without requiring multi-factor authentication or proof of ownership of the original contact method.
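The gap described above can be modeled in a few lines. This is an added example, not Meta's code and not part of the original reporting: every class, field and function name is hypothetical and the addresses are constructed. It contrasts a check that accepts a code read from the newly supplied mailbox with one that requires a factor enrolled before the request.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:                      # hypothetical model of an account record
    handle: str
    linked_emails: frozenset
    mfa_enrolled: bool = False


@dataclass(frozen=True)
class EmailAddRequest:              # hypothetical support-chat request
    account: Account
    new_email: str
    code_confirmed_at: Optional[str]        # mailbox where the code was read
    mfa_passed: bool = False
    location_matches_history: bool = False  # spoofable signal (VPN)


def flawed_policy(req):
    """Flow as reported: a code read from the *new* mailbox is enough."""
    return req.code_confirmed_at == req.new_email


def hardened_policy(req):
    """Return (allowed, reasons). Control of the new mailbox says nothing
    about the account, so require a factor enrolled before the request."""
    reasons = []
    owns_existing = req.code_confirmed_at in req.account.linked_emails
    if req.account.mfa_enrolled and not req.mfa_passed:
        reasons.append("mfa_required")
    if not owns_existing and not req.mfa_passed:
        reasons.append("no_proof_of_existing_factor")
    # location_matches_history is deliberately ignored: it is not proof.
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample data, not taken from the incident.
    victim = Account("example_user", frozenset({"owner@example.com"}))
    takeover = EmailAddRequest(victim, "new@example.net", "new@example.net",
                               location_matches_history=True)
    legit = EmailAddRequest(victim, "new@example.org", "owner@example.com")
    for name, req in (("takeover", takeover), ("legit", legit)):
        print(name, flawed_policy(req), hardened_policy(req))
```
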
Several notable accounts were reportedly compromised during the incident. Targets included the Instagram handle for the Obama-era White House, which has been inactive since 2017, and the account of U.S. Space Force Chief Master Sergeant John Bentivegna. Security researcher Jane Wong also reported that her account was taken over, noting that her password was changed without her knowledge and that she received multiple reset attempts.
Instagram spokesperson Andy Stone confirmed the fix in response to Wong’s social media posts, stating the security issue was resolved. However, the total number of users affected by the vulnerability remains unknown, as Meta did not provide figures. The company did not immediately respond to further requests for comment regarding the technical details of the flaw.


