Meta AI Chatbot Exploited for Instagram Account Takeover

🟠 High | Source: Schneier on Security

Attackers are exploiting Meta’s AI support chatbot to hijack Instagram accounts by tricking the bot into adding a hacker-controlled email address and issuing a password reset. The attack requires no prior account access and bypasses Instagram’s automated protections using a VPN to spoof the victim’s location. This demonstrates a critical flaw in how AI-powered support systems validate identity before performing sensitive account actions.

Architect’s Take: Organisations deploying AI chatbots for customer support or account management must enforce out-of-band identity verification for any privileged actions — such as adding credentials or triggering resets — and ensure the AI cannot be the sole authorisation path for account takeover-enabling operations. Review your own AI assistant integrations for similar trust boundary weaknesses where bot-initiated actions bypass human or MFA controls. ...
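One way to apply the Architect's Take is a backend gate that every chatbot tool call must pass. This is an added example, not code from the source article or from Meta. The tool names, account store and outbox are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets, time

# Hypothetical tool names for actions that can enable account takeover.
SENSITIVE = {"add_email", "change_phone", "reset_password"}
SERVER_KEY = secrets.token_bytes(32)  # held by the auth service, never by the bot
TTL_SECONDS = 300
# Constructed sample data: only contacts verified before the chat started count.
ACCOUNTS = {"alice": {"verified_email": "alice@example.com"}}
OUTBOX = []   # stand-in for the out-of-band delivery channel
USED = set()  # proofs already redeemed (single use)

def _bind(account, action, params, expires):
    # The proof covers the exact action and parameters, so it cannot be reused
    # to approve a different email address or a different account.
    msg = json.dumps([account, action, params, expires], sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def request_step_up(account, action, params, now=None):
    """Send a challenge to the contact on file; chat input never picks the destination."""
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    OUTBOX.append((ACCOUNTS[account]["verified_email"], _bind(account, action, params, expires)))
    return expires

def authorize_tool_call(account, action, params, proof=None, expires=0, now=None):
    """Backend gate for every tool call the chatbot proposes."""
    if action not in SENSITIVE:
        return True
    if account not in ACCOUNTS or not isinstance(proof, str) or proof in USED:
        return False  # the bot's own judgement, IP or location is not evidence
    if (time.time() if now is None else now) > expires:
        return False
    expected = _bind(account, action, params, expires)
    if not hmac.compare_digest(proof.encode(), expected.encode()):
        return False
    USED.add(proof)
    return True
```

The bot can propose a sensitive action, but only a proof delivered to the pre-existing verified contact, bound to those exact parameters, lets the backend execute it.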

4 June 2026 · ZX Cloud Security