Instagram AI Support Exploit Allowed Zero-Auth Account Takeovers
Original: The newest Instagram “exploit” is the goofiest I've seen
Why This Matters
Demonstrates critical flaws in AI-powered support systems at major platforms
A security researcher revealed that Instagram's AI support system let attackers take over accounts, including the Obama White House account, simply by asking for password resets to be sent to arbitrary email addresses, bypassing all authentication checks.
Security researcher Sid documented a critical Instagram vulnerability in which attackers could hijack accounts knowing only the target's username. The exploit involved using a VPN to spoof location, then asking Meta's AI support to send verification codes to attacker-controlled email addresses. The AI performed no check that the supplied email belonged to the account owner. High-profile accounts, including the Obama White House and the US Space Force Chief Master Sergeant, were compromised. Even accounts with 2FA were vulnerable, because the system treated the requests as legitimate resets by the owner. Black-market Telegram groups offered takeover services while the exploit remained active for weeks or months. Meta has since patched the vulnerability.
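The core defect described above is an account-recovery path that delivers a reset code to whatever address the requester names, instead of only to an address already bound to the account, and that lets the support path skip MFA. The following is an added example, not code from the original post or from Meta: it places that weak behaviour next to the check that prevents it, and adds an audit pass over constructed reset-request records of the kind a defender would review. All names, data structures, addresses and log entries are assumptions made for this illustration.

```python
# Added example (not from the original post or from Meta's systems): a minimal
# account-recovery service showing the weak reset path beside a hardened one,
# plus an audit over constructed reset-request records. All identifiers and
# sample data here are assumptions made for illustration.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    verified_emails: frozenset  # addresses the owner has already proven control of
    mfa_enabled: bool


class RecoveryDenied(Exception):
    """Raised when a reset request fails the ownership or MFA checks."""


def normalize(addr: str) -> str:
    # Lower-case and strip whitespace so a differently cased or padded address
    # cannot slip past a set lookup. A real service would also apply the
    # provider's own canonicalisation rules (hypothetical simplification).
    return addr.strip().lower()


def bound_addresses(account: Account) -> set:
    return {normalize(e) for e in account.verified_emails}


def issue_code_unsafe(account: Account, destination: str) -> tuple:
    """The weak pattern: anyone who can name the account can route its reset
    code to any address. Ownership of `destination` is never checked and
    MFA plays no part."""
    return destination, secrets.token_hex(4)


def issue_code(account: Account, destination: str, mfa_passed: bool = False) -> tuple:
    """Hardened pattern: the code only goes to an address already bound to the
    account, and an MFA-protected account cannot be reset through the support
    path without a completed MFA challenge."""
    dest = normalize(destination)
    if dest not in bound_addresses(account):
        raise RecoveryDenied("destination is not a verified recovery address for this account")
    if account.mfa_enabled and not mfa_passed:
        raise RecoveryDenied("MFA is enabled; support-initiated reset requires a completed MFA challenge")
    return dest, secrets.token_hex(4)


def denies(fn, *args, **kwargs) -> bool:
    """True if the recovery function refuses the request."""
    try:
        fn(*args, **kwargs)
    except RecoveryDenied:
        return True
    return False


def audit_reset_requests(requests, directory):
    """Flag reset requests whose destination is not bound to the named account.
    `requests` is an iterable of (requester_ip, username, destination) tuples and
    `directory` maps username -> Account. Unknown usernames are skipped."""
    flagged = []
    for requester, username, destination in requests:
        account = directory.get(username)
        if account is None:
            continue
        if normalize(destination) not in bound_addresses(account):
            flagged.append((requester, username, destination))
    return flagged


def bulk_requesters(flagged, threshold: int = 2) -> set:
    """Requesters whose flagged requests span at least `threshold` distinct
    accounts: one source steering many accounts' codes elsewhere is the pattern
    a takeover-as-a-service operation would leave behind."""
    targets = {}
    for requester, username, _ in flagged:
        targets.setdefault(requester, set()).add(username)
    return {r for r, names in targets.items() if len(names) >= threshold}


# Constructed sample data (hypothetical accounts and documentation-range IPs).
DIRECTORY = {
    "example_owner": Account("example_owner", frozenset({"owner@example.com"}), mfa_enabled=True),
    "example_other": Account("example_other", frozenset({"other@example.org"}), mfa_enabled=False),
}
SAMPLE_REQUESTS = [
    ("198.51.100.7", "example_owner", "owner@example.com"),    # legitimate owner address
    ("203.0.113.9", "example_owner", "outside@example.net"),   # unbound destination: flagged
    ("203.0.113.9", "example_other", "outside@example.net"),   # unbound destination: flagged
    ("203.0.113.9", "nonexistent", "outside@example.net"),     # unknown account: skipped
]

if __name__ == "__main__":
    print("unsafe path delivers to:", issue_code_unsafe(DIRECTORY["example_other"], "outside@example.net")[0])
    print("hardened path refuses unbound address:", denies(issue_code, DIRECTORY["example_other"], "outside@example.net"))
    flagged = audit_reset_requests(SAMPLE_REQUESTS, DIRECTORY)
    print("flagged requests:", flagged)
    print("bulk requesters:", bulk_requesters(flagged))
```

The two checks in `issue_code` correspond to the two failures the post describes: the destination must be a recovery address the owner already verified, and enabling 2FA must still mean something on the support path. The audit functions show what the same data looks like from the detection side, where a single requester steering many accounts' codes to unbound addresses stands out immediately.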