Yesterday, a slew of Instagram accounts, including some high profile ones like the Obama White House account, seemingly got hacked.
Look, I’m no spring chicken. I’ve spent almost a decade and a half identifying vulnerabilities and exploits at unicorn scale, but this is hands down the most unserious, “almost too stupid to be true” of them all.
↫ Sid at 0xsid.com
…it’s “AI” isn’t it?
All the attacker needs to kick this off is your account username. Then, they hop on a VPN or proxy close to your city so Instagram’s security algorithms don’t suspect a thing. (You can quite easily get this from your public profile or “About” section or a hundred other ways.) Once it looks like the request is coming from the correct region, they tell the Meta support AI that the account is hacked and ask it to send the verification codes to an arbitrary email address they control.
↫ Sid at 0xsid.com
It’s “AI”.
Yes, all that you need to do to gain control over big, massively popular Instagram accounts is ask Facebook’s “AI” to send the verification codes to whatever email address you desire. That’s it. There’s no other steps, no other checks, no other verification. And the worst part is that this isn’t even a hack; this is “AI” working entirely as intended.
And these tools are now coding the Linux kernel, LLVM, systemd, PulseAudio, rsync, your browser, and so much more. What could possibly go wrong?
To be fair, this is a case of “AI” being helpful, just to the wrong people.