Meta Fixes Instagram AI Account Recovery Flaw that Allegedly Enabled Account Takeovers

By: Morgan Cipher Senior Privacy Journalist

Last updated: June 2, 2026

  • Meta has fixed a flaw in its AI-powered Instagram “account recovery system” that may have let bad actors trigger password resets and potentially take over other people’s accounts.

  • According to security researchers, the vulnerability stemmed from weak verification controls in Meta’s AI assistant, which carried out sensitive account recovery requests without first checking whether they were authentic.

  • The incident has left Instagram users and security experts questioning whether AI systems should be allowed to manage high-risk account operations without strict security boundaries and oversight.

Meta has fixed a security weakness in its AI-powered account recovery workflow for Instagram. Cybersecurity researchers reported that bad actors could exploit the vulnerability to get into users’ accounts without their knowledge.

According to several news reports, the flaw was not in Instagram’s core infrastructure but in the logic behind an AI assistant that the company designed to help users recover their accounts after a lockout or compromise.

According to researchers, threat actors found a way to make the chatbot initiate password reset operations and forward the recovery information to them without first verifying the requester’s identity.

While Meta did not confirm the full technical details of the exploit, reports indicate the company stated that it addressed the flaw as soon as users raised the alarm.

Researchers Detail How Bad Actors Exploited the AI Recovery Flaw

Unlike many cyberattacks, the reported flaw did not involve breaching Meta’s servers or gaining access to the company’s databases.

Instead, researchers say the vulnerability emerged within the decision-making logic of Meta’s AI-powered support assistant, specifically in the AI-reliant part of Instagram’s account recovery mechanism.

Cybersecurity investigators including ZachXBT and Dark Web Informer stated that the hackers focused on Instagram accounts with popular usernames.

According to the researchers, the attackers used VPNs or proxy services so their connections appeared to come from the same region where the real account owner lives.

Once connected, they instructed the Meta AI assistant to add a new email address to the account and initiate a password reset.

The researchers claim the chatbot carried out these requests without careful verification, so the recovery emails went straight to addresses the attackers owned and controlled.

Security experts described the incident as a textbook example of prompt injection, a technique for manipulating AI systems into acting beyond their original permissions.
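As an added illustration (not Meta’s code, and written from the defender’s side), the gatekeeper below shows the kind of boundary the article’s critics are asking for: a support assistant may propose tool calls, but a privileged recovery action runs only when server-side session state shows a verified, stepped-up login for that same account, the region heuristic is never treated as proof of identity, and reset mail goes only to addresses already on file. `Session`, `ON_FILE`, the `@example` account and the sample proposal are assumptions made up for this example.

```python
from dataclasses import dataclass

# Privileged recovery actions the assistant may propose as tool calls.
SENSITIVE_ACTIONS = {"add_recovery_email", "send_password_reset"}
# Constructed account store: recovery addresses already on file and verified.
ON_FILE = {"@example": ["owner-private@example.net"]}

@dataclass
class Session:
    account: str                # handle this session is logged into; "" if none
    step_up_verified: bool      # fresh authenticator/2FA check in this session
    region_matches_owner: bool  # geo heuristic only; trivially spoofed via VPN

def authorize(session: Session, proposal: dict, log: list) -> bool:
    """Gate between a model-proposed tool call and its execution. Decisions use
    only server-side session state, never chat text, so injected instructions
    cannot widen what the assistant may do."""
    action, target = proposal["action"], proposal["account"]
    if action not in SENSITIVE_ACTIONS:
        return True
    if not session.account or target != session.account:
        log.append(f"DENY {action} {target}: session not bound to that account")
        return False
    if not session.step_up_verified:
        log.append(f"DENY {action} {target}: no step-up verification")
        return False
    log.append(f"ALLOW {action} {target}")  # region match deliberately unused
    return True

def deliver_reset(proposal: dict, log: list) -> list:
    """Reset mail goes only to addresses already on file; a destination named
    in the conversation is dropped rather than honoured."""
    if proposal.get("send_to"):
        log.append(f"DROPPED chat-supplied destination {proposal['send_to']}")
    return list(ON_FILE.get(proposal["account"], []))

def handle(session: Session, proposal: dict) -> tuple:
    """Run one proposed tool call through the gate; return (sent_to, log)."""
    log: list = []
    if not authorize(session, proposal, log) or proposal["action"] != "send_password_reset":
        return [], log
    return deliver_reset(proposal, log), log

# Constructed scenario: a session with no login but a matching-looking region
# proposes a reset for @example with the mail redirected to a chat-named address.
UNAUTH = Session(account="", step_up_verified=False, region_matches_owner=True)
VERIFIED = Session(account="@example", step_up_verified=True, region_matches_owner=False)
PROPOSAL = {"action": "send_password_reset", "account": "@example", "send_to": "other@example.org"}
```

Calling `handle(UNAUTH, PROPOSAL)` yields an empty delivery list and a DENY entry, while `handle(VERIFIED, PROPOSAL)` delivers only to the on-file address and logs that the chat-supplied destination was dropped.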

Valuable Instagram Accounts Emerged as Key Targets

According to researchers, the campaign appears to have targeted “OG” Instagram accounts: profiles with short, unique, and popular usernames that fetch high prices in dark web trading circles.

Among the affected accounts were those with the @hey and @jowo usernames, which bad actors regard as premium digital assets because of their rarity.

Account takeover tools can command high prices on the dark web; one hacker has advertised a Snapchat account takeover kit for $350,000, which illustrates how lucrative the market for such exploits is.

According to cybersecurity reports on the incident, the bad actors advertised many of the hijacked accounts on Telegram, seeking buyers shortly after each takeover.

One incident that stood out involved the Obama White House Instagram account, which had been dormant since early 2017.

After reports that attackers had taken control of the account, a controversial image appeared on it with a political message reading “The White House is under Shiites’ control” before its owners restored the account.

The hackers also targeted the Instagram account of cybersecurity researcher Jane Manchun Wong, as she herself disclosed.

Meta Announced It Has Resolved the Issue

Meta issued a public statement after reports of the incident spread across social media and cybersecurity communities.

The company confirmed only that it had fixed the security flaw that allowed bad actors to access people’s Instagram accounts by triggering password resets.

Meta further emphasized that the bad actors did not breach the company’s internal systems and maintained that user account security remains solid.

Despite Meta’s statement, researchers believe that affected users may still face consequences, such as temporary account disruptions and password resets performed by bad actors.

Some reports even suggested the flaw may have existed for a long time before Meta fixed it, which would mean many accounts could have fallen into bad actors’ hands before the problem was solved.

In light of the incident, cybersecurity experts advise Instagram users to strengthen their account security with a few simple steps:

  • Use an authenticator app for two-factor authentication instead of relying on SMS-based verification alone.
  • Keep the recovery email address private; it should not be the one shown on their social media profiles.
  • Store account recovery codes in a secure location that can be reached easily if login credentials are lost.
  • Review active sessions regularly and revoke access immediately when an unfamiliar device tries to log in.
  • Use strong, unique passwords and keep them in a reliable password manager.

These practices help account holders keep unauthorized users out and let them react to, and fend off, such attempts as soon as they occur.
