Hackers hijacked Instagram accounts by tricking Meta AI support chatbot into granting access
Instagram has resolved a security issue that allowed several users’ accounts to get hacked. The attack appeared to rely on tricking Meta’s own AI-powered support chatbot into granting access to a victim’s account.
Over the weekend, several users on Reddit claimed that their Instagram accounts had been compromised, and a number of users on X warned of similar account hijackings. The compromised accounts include the Instagram handle for the Obama-era White House, which appears to have been inactive since 2017, and the account of the U.S. Space Force’s chief master sergeant John Bentivegna. Security researcher Jane Wong said her Instagram account was also taken over. “The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday,” said Wong. “Quite concerning.”
A video posted on X showed the step-by-step process to hack someone’s Instagram account. The hacker allegedly used a VPN to spoof the target’s presumed location to avoid triggering Instagram’s automated account protections. Then, the hacker opened a chat with the Meta AI Support Assistant and asked the bot to add a new email address to the target’s account. The chatbot can be seen sending a verification code to the email address provided by the hacker; the hacker then shares the verification code with the chatbot, which prompts the chatbot to show a “Reset Password” button. The hacker enters a new password and takes over the victim’s account.
TechCrunch was able to verify that the hacker’s public email mailbox, which was displayed in the video, did receive the verification code. The attack relied on the fact that at no point did the hacker have to take over the legitimate email address linked to the victim’s Instagram account.
On Monday, Instagram spokesperson Andy Stone said in a reply to Wong’s post and others that the issue was now fixed. It’s unclear how many Instagram users had their accounts improperly accessed. Meta did not immediately respond to TechCrunch’s request for comment.