Meta's AI support agent sent a recovery email to anyone who contacted it. The SOC showed no alert.
- Authors

- Name
- aimode.news
- @aimode_news
Meta's AI support agent assigned new recovery emails to users' accounts, and the SOC never received a warning. An authorized agent writes a log of legitimate transactions, so nothing in the detection stack is triggered. Attackers asked the bot to make the change, took the one-time code it sent and completed the password reset, 404 Media reported. No malware, no stolen credentials and no prompt injection in the sense most security teams mean. The agent did exactly what Meta built it to do.

This is what should keep a security leader up at night: the takeover did not break a control; it rode on one that was already trusted. What a SOC needs is a way to walk through every recovery path with its AI build team against a test grid before the next renewal is completed. The AI Authority Audit Grid at the end of this article maps every authentication action that a support agent can perform on the recovery path to what Meta's incident proved for each one, why it stays dark for the SOC and the control that closes it.

The agent is an authorized actor, so the SOC evaluates the takeover as routine traffic
From inside the detection stack, the attack generated no signal that the stack could read. The agent binds a new email, then resets the password, and identity and access management logs both as the work of an authorized actor, so both land as legitimate transactions in the authentication state. No anomalous login, no spike in failed authentication, nothing for EDR or DLP, no matching SIEM rule, since nothing in the sequence looks like an attack. The takeover took place inside the trust boundary that the stack considers safe. There was no checkpoint, because the agent was the checkpoint, and it was supposed to be there.

The chain was almost insulting in its simplicity. Brian Krebs documented the version that pro-Iranian hackers had posted on Telegram on May 31st. The attacker turned on a VPN to appear in the victim's region, bypassing Instagram's location alarms, and then asked the support assistant to add a new email and send a confirmation code, as the BBC confirmed on the basis of the same records. The bot complied with this request and sent the one-time code directly to the attacker, Gizmodo reported. The reset was completed and the owner was locked out within minutes. According to Krebs, the exploit failed on every account with MFA activated.

The hijacked accounts were not soft targets. Among them were Sephora, the commander of the U.S. Space Force, Chief Master Sergeant John Bentivegna, the researcher Jane Manchun Wong and an inactive Obama White House account name, which, according to 404 Media, briefly published an unreadable picture. According to TechCrunch, Meta disputes the Obama account, and according to the BBC it calls allegations that leaders' accounts were hacked “completely wrong”. The rest holds.

The recovery path next to it did not work. The detail that decided who survived was narrow. Krebs reported that the attack failed against every account with multifactor authentication, even SMS. The recovery path next to it was the gap.
When this path asked for a selfie video, the attackers ran the target's public photos through an AI video generator and submitted the clip, which Meta accepted as valid identity confirmation, gHacks reported. In both cases, the failure was at the recovery door and not at the MFA guard on the login door.

This makes it an architectural problem and not a Meta problem. MFA blocks the login path for both owners and attackers, but the recovery path is designed to relax the usual checks, because it exists for the moment a user has lost the normal access path. Meta put an agent on this path that has write access to the authentication state and no deterministic check between a convincing request and a committed change. Authorization cannot live inside the model, because a conversational system can be persuaded to skip a check. It must live outside the model, in a gate the agent cannot get around. Security researchers have a name for this pattern: the confused deputy, a trusted system that is induced to use its privileges on behalf of an attacker.

This will not be the last support agent to hand over an account. Ian Goldin, a threat researcher at Lumen's Black Lotus Labs, told Krebs on Security that AI bots are as easy to social-engineer as the human agents they replace, and that they are just as helpful. “AI chatbots create interesting new attack areas, and we will probably see a lot more of this kind of attack,” said Goldin. Every company that integrates an agent into a recovery, provisioning or password flow grants the same write access as Meta did.

Simon Willison, who coined the term “prompt injection”, put it plainly on his blog. “Meta has actually connected its support system to an AI chatbot that could quickly advance the entire account recovery process,” he wrote. “This case is hardly an immediate infection. Do not switch your support tray to allow one-time account transfer.” The attacker never tricked the agent.
The attacker asked, and the agent had untrusted input, write access and a way to execute, all at the same time. OWASP named this class before Meta shipped it, as Excessive Agency (LLM06) and as Identity and Privilege Abuse (ASI03) in the Agentic AI Top 10.

The warning was on the packaging: according to 404 Media, Meta rolled the assistant out in March to every Facebook and Instagram account, with the ability to reset passwords and perform recovery, and with the product page promising “Solutions, Not Only Proposals” under the “Account Security” and recovery line. Meta gave the agent the power and never built the gate to govern it.

The AI Authority Audit Grid
Security leaders must run this against their own support agent before completing the next renewal. Each row is an authentication action that the agent performs on the recovery path, with what Meta has proven, why your stack overlooks it and the control that closes it.

| Authentication write | What Meta has proven | Why your stack overlooks it | Enterprise control and owner |
| --- | --- | --- | --- |
| Login authentication (MFA, factor prompts) | Held at login. Accounts with MFA activated, even SMS, survived (Krebs). The gap was the recovery path next to it. | MFA blocks the login path for both owners and attackers. The recovery path next to it is not blocked. | Enforce MFA as a baseline and extend step-up verification to the recovery path so that it gets the same default as login (OWASP). A selfie video is not proof of identity. Any agent working on a path that MFA does not cover fails. Owner: IAM. |
| Email rebind | Full takeover. The agent bound attacker-controlled emails on request, including on Sephora and a U.S. Space Force account (404 Media). | IAM logs the agent as an authorized actor, so the rebind is read as a legitimate transaction and no warning reaches the SOC or the account holder. | Confirm out of band with the existing verified contact before any rebind commits, outside the model, and notify the old address as soon as it changes (IBM). An agent that binds a new address without confirming with the old address fails. Owner: IAM and platform engineering. |
| Password reset | Full takeover in minutes. One of the affected accounts was the researcher Jane Manchun Wong (404 Media). | The reset is performed on the recovery path, outside the MFA login check, so no factor prompt is triggered and no detection rule fires. | Require a second non-email factor before a reset is completed. NIST has set email as a valid out-of-band channel (NIST 800-63B). An agent reset must clear the same gate as a human reset. Owner: IAM. |
| Change of recovery method | Permanent lockout. The victims could not recover the accounts themselves. The support loop offered only AI, without human escalation (BleepingComputer). | A silent swap of the recovery email address or phone eliminates the owner's way back in, without SOC visibility. | Require full verification on every change, notify the previous method and grant time-delayed, limited access after recovery so that a swap never gives immediate control (Authsignal). Keep a human escalation path that the agent cannot close. Owner: GRC and IT operations. |
| Execution of account actions | Speed risk. A dormant Obama White House account name briefly showed an unmistakable image during the rampage; Meta denies that it was taken over in this way (TechCrunch). | The agent performs irreversible state changes in a matter of seconds, with no person in the loop and no reversibility window. | Separate the decision from the execution. The agent only proposes the action. A policy service validates scope and approval before it is executed, with the approval bound to the exact action (OWASP). Without this gate and a reversibility window, there are no writes to the authentication state. Owner: platform engineering and the AI build team. |
| Logging of agent actions | Detection gap. The takeover left no warning, and Meta has not published how many accounts were lost before the patch (TechCrunch). | Without per-action telemetry forwarded to the SIEM, a takeover by an authorized agent is invisible to the SOC. | Emit structured decision metadata to the SIEM for every authentication-state write: action class, authorization result, approval ID, result, policy version (OWASP). A write that your SIEM cannot see is a write that you cannot defend. Owner: SOC and detection engineering. |
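The correlation that the logging row makes possible, as an added example that is not from the original article or from Meta: once every authentication-state write by the agent reaches the SIEM with decision metadata, a rule can flag committed writes with no approval ID and an email rebind followed by a password reset on the same account. The fields `ts`, `actor` and `account`, the actor name, the 10-minute window and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: tune to your own recovery flow
AGENT = "support-agent"          # assumption: actor name your IAM logs for the agent

EVENTS = [  # constructed sample events, not real telemetry
    {"ts": "2025-01-01T10:00:00", "actor": AGENT, "account": "acct-1",
     "action_class": "email_rebind", "approval_id": None, "result": "committed"},
    {"ts": "2025-01-01T10:03:00", "actor": AGENT, "account": "acct-1",
     "action_class": "password_reset", "approval_id": None, "result": "committed"},
    {"ts": "2025-01-01T10:05:00", "actor": AGENT, "account": "acct-2",
     "action_class": "email_rebind", "approval_id": "ap-7f3a", "result": "committed"},
    {"ts": "2025-01-01T12:00:00", "actor": AGENT, "account": "acct-2",
     "action_class": "password_reset", "approval_id": "ap-9b21", "result": "committed"},
    {"ts": "2025-01-01T10:06:00", "actor": "human-tier2", "account": "acct-3",
     "action_class": "password_reset", "approval_id": "ap-0011", "result": "committed"},
]

def find_agent_takeover_patterns(events):
    """Return (account, finding, action_class) tuples for agent-committed writes."""
    findings, last_rebind = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["actor"] != AGENT or e["result"] != "committed":
            continue
        ts = datetime.fromisoformat(e["ts"])
        # A committed auth-state write with no approval never passed a gate.
        if e["approval_id"] is None:
            findings.append((e["account"], "unapproved_write", e["action_class"]))
        if e["action_class"] == "email_rebind":
            last_rebind[e["account"]] = ts
        elif e["action_class"] == "password_reset":
            t0 = last_rebind.get(e["account"])
            # Rebind then reset inside the window is the sequence the article describes.
            if t0 is not None and ts - t0 <= WINDOW:
                findings.append((e["account"], "rebind_then_reset", e["action_class"]))
    return findings

if __name__ == "__main__":
    for finding in find_agent_takeover_patterns(EVENTS):
        print(finding)
```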
The fix is not another MFA prompt on the login screen. The people who survived Meta's incident were those who already had this control. The solution is to take authorization out of the recovery path's honor system and put it behind a gate that does not move just because a request sounds convincing. Instrument the agent so that the SOC sees every write it performs, and so that any write that changes the owner of an account cannot be committed without a check that the model does not control. Meta has just shown what happens when the most trusted employee on the team is the one who holds the key in hand. The next agent like this already reads your intellectual property and financial data.
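One way to build the gate described above, as an added example (not Meta's code or any vendor's API): the agent only proposes an action, and a policy service outside the model lets it through only when an approval bound to that exact action is present, emitting the decision metadata named in the grid. The function names, action classes, key handling and 300-second approval lifetime are assumptions for illustration.

```python
import hashlib, hmac, json

POLICY_VERSION = "constructed-v1"   # assumption: your policy release tag
READ_ONLY = {"faq_lookup"}          # everything else counts as an auth-state write
_KEY = b"constructed-demo-key"      # held by the policy service, never by the agent

def _mac(action, exp):
    """MAC over the canonical form of the exact action plus its expiry."""
    digest = hashlib.sha256(json.dumps(action, sort_keys=True).encode()).hexdigest()
    return hmac.new(_KEY, f"{digest}|{exp}".encode(), "sha256").hexdigest()

def issue_approval(action, now):
    """Call only after out-of-band confirmation with the existing verified contact."""
    exp = now + 300
    mac = _mac(action, exp)
    return {"approval_id": mac[:16], "exp": exp, "mac": mac}

def gate(action, approval, now):
    """Deterministic check between the agent's proposal and the commit.
    Returns (allowed, event); the event is what gets forwarded to the SIEM."""
    if action["class"] in READ_ONLY:
        verdict = "allow_read_only"
    elif approval is None:
        verdict = "deny_no_approval"
    elif now > approval["exp"]:
        verdict = "deny_expired"
    elif not hmac.compare_digest(_mac(action, approval["exp"]), approval["mac"]):
        verdict = "deny_action_mismatch"   # approval was issued for another action
    else:
        verdict = "allow"
    allowed = verdict.startswith("allow")
    event = {
        "action_class": action["class"],
        "authorization_result": verdict,
        "approval_id": approval["approval_id"] if approval else None,
        "result": "committed" if allowed else "blocked",
        "policy_version": POLICY_VERSION,
        "account": action["account"],
        "ts": now,
    }
    return allowed, event

if __name__ == "__main__":
    rebind = {"class": "email_rebind", "account": "acct-1", "new_email": "new@example.test"}
    print(gate(rebind, None, 1000)[1])                          # no approval
    print(gate(rebind, issue_approval(rebind, 1000), 1060)[1])  # bound approval
```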