The photo-sharing platform Instagram has issued an urgent fix for a serious security vulnerability. Before the fix, multiple user accounts were hijacked through it; the attackers' core technique was to trick Meta's in-house AI customer-service chatbot into handing over control of the victims' accounts.

High-profile and official accounts fell victim

Last weekend, many social media users reported that their Instagram accounts had been taken over. The victims included not only ordinary users but also the official White House account from the Obama administration and the personal account of the Chief Master Sergeant of the U.S. Space Force, raising widespread concern about the security of AI-driven customer service.

Security researcher Jane Huang was among the victims. She revealed that her login password was changed without any warning, and that she received multiple password-reset requests from different locations on the same day, which made the whole experience very alarming.

No need to break into the victim's email account

According to a video of the attack that circulated online, the intrusion was highly deceptive. The attackers first used a VPN (virtual private network) to fake the target user's location, which was enough to get past the platform's automated risk-detection checks, and then went straight to Meta's AI customer-service assistant.

In the conversation, the attacker talked the AI assistant into binding a new, attacker-controlled email address to the target account. The assistant sent a verification code to that new address; once the attacker replied with the code, it immediately presented a password-reset option. The code only proved that the attacker controlled the new address, not the account, yet it was accepted as sufficient, so the account could be taken over without ever touching the email address the victim had originally registered.
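The flaw described above is a logic error in the recovery flow rather than a bug in any one component: the proof of control is collected from the wrong party. The following Python model is an added illustration written for this page, not Meta's or Instagram's code; the classes, the cooling-off period and the sample addresses are all constructed assumptions. It replays the attack against a support tool that verifies the new address (the vulnerable shape) and against one that instead sends the confirmation to an already-verified contact and refuses to use a freshly added address for recovery until a cooling-off period has passed.

```python
"""Model of an AI-support account-recovery flow (constructed example, not
Instagram/Meta code). Shows why confirming a code sent to the NEW address is
not proof of account ownership, and one way to harden the flow."""
from dataclasses import dataclass, field
import hmac
import secrets

# Hypothetical policy: a newly bound address cannot be used for recovery for 7 days.
COOLDOWN_SECONDS = 7 * 24 * 3600


@dataclass
class Account:
    username: str
    password: str
    emails: dict                                   # address -> time it became a verified contact
    pending: dict = field(default_factory=dict)    # address awaiting confirmation -> code


class Mailbox:
    """Stand-in for the mail system; records which address each code was sent to."""
    def __init__(self):
        self.inbox = {}

    def send(self, to, code):
        self.inbox.setdefault(to, []).append(code)

    def latest(self, addr):
        msgs = self.inbox.get(addr)
        return msgs[-1] if msgs else None


def new_code():
    return f"{secrets.randbelow(10**6):06d}"


class VulnerableSupportTool:
    """The flawed shape: the confirmation code goes to the address being added,
    and any bound address, however new, may be used to reset the password."""
    def __init__(self, mail):
        self.mail = mail

    def add_email(self, acct, new_email, now):
        code = new_code()
        acct.pending[new_email] = code
        self.mail.send(new_email, code)            # flaw: whoever owns new_email gets the code

    def confirm_email(self, acct, new_email, code, now):
        expected = acct.pending.pop(new_email, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        acct.emails[new_email] = now
        return True

    def reset_password(self, acct, via_email, new_password, now):
        if via_email not in acct.emails:           # flaw: freshly added address qualifies
            return False
        acct.password = new_password
        return True


class HardenedSupportTool(VulnerableSupportTool):
    """Proof of control is demanded from a channel the real owner already holds,
    and a new address only becomes a recovery channel after a cooling-off period."""
    def add_email(self, acct, new_email, now):
        code = new_code()
        acct.pending[new_email] = code
        for existing in acct.emails:               # code goes to existing contacts only
            self.mail.send(existing, code)

    def reset_password(self, acct, via_email, new_password, now):
        bound_at = acct.emails.get(via_email)
        if bound_at is None or now - bound_at < COOLDOWN_SECONDS:
            return False
        acct.password = new_password
        return True


def takeover_attempt(tool_cls):
    """Replay the reported attack: attacker binds their own address, reads only
    their own inbox, confirms, then asks for a reset. Returns True if it works."""
    mail = Mailbox()
    victim = Account("victim", "original-pw", {"owner@example.com": 0})
    tool = tool_cls(mail)
    now, attacker = 1_000_000, "attacker@example.net"
    tool.add_email(victim, attacker, now)
    code = mail.latest(attacker)
    if code is None or not tool.confirm_email(victim, attacker, code, now):
        return False
    return tool.reset_password(victim, attacker, "attacker-pw", now)


def owner_flow(delay):
    """Legitimate owner adds a second address under the hardened tool and tries
    to use it for recovery `delay` seconds later."""
    mail = Mailbox()
    acct = Account("owner", "pw", {"owner@example.com": 0})
    tool = HardenedSupportTool(mail)
    now, new_addr = 1_000_000, "owner-new@example.com"
    tool.add_email(acct, new_addr, now)
    code = mail.latest("owner@example.com")       # owner reads the inbox they already control
    assert tool.confirm_email(acct, new_addr, code, now)
    return tool.reset_password(acct, new_addr, "pw2", now + delay)
```

The two checks in the hardened tool are independent: sending the code to an existing channel stops the attacker from ever confirming the address, and the cooling-off period limits the damage if a confirmation is obtained some other way (for example by social-engineering the assistant into skipping the step). Any support agent, human or AI, that can bind contact channels should be held to the same rule.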

Platform responds that the vulnerability has been fixed

Regarding this serious flaw in the AI assistant's authorization logic, an Instagram spokesperson later issued a statement. Spokesperson Andy Stone said that the vulnerability has now been fully fixed and that the platform's normal security controls are back in place.

However, the company did not disclose how many accounts were compromised in the incident. Cybersecurity experts have warned that while AI customer service improves efficiency, the logic by which such assistants verify identity and grant account changes still needs much stricter supervision and review.