aimode.news

The latest Instagram "Exploit" is the mostGoHome


Yesterday, many Instagram accounts were apparently hacked, including some well-known ones such as the Obama White House account.

Look, I'm no spring chicken. I have spent almost one and a half decades identifying weaknesses and exploits at unicorn scale, but this is undoubtedly the most insane, “almost too stupid to be true” one of all.

The takeover flow

Step 01: Detect location and launch support

All the attacker needs to start is the username of your account. They then use a VPN or a proxy near your city so that Instagram's security algorithms do not notice anything. (The location is easy to retrieve from your public profile, the “About us” section, or hundreds of other sources.) Once the request looks as if it comes from the right region, they tell the Meta support AI that the account has been hacked and ask it to send the confirmation codes to an email address they control.

Step 02: That's all

Really, that's it. It is the first real zero-auth password reset I have seen in production. There does not appear to be any additional check that the specified email address is one the user has previously used. Once the AI sends the security code to the attacker's email address, the attacker relays it straight back to complete the check. The platform then provides a new password-reset link and grants the attacker full ownership.

Instagram's AI may or may not ask the attacker for a video selfie as proof of identity. At the moment it is not particularly demanding; it has been widely reported that something as simple as an AI-animated public photo from the target's feed works.

2FA does not help

In case you are wondering: because the system treats this highly privileged recovery process as a complete account reclaim by the “true” owner, the original 2FA is bypassed entirely during the process.

Existing sessions are revoked and the password is changed without an email, text or push notification. The actual owner cannot initiate recovery because the email address and phone numbers are now assigned to the attacker. There is no human to escalate to; you are left arguing with a chatbot, hoping to regain control while praying that it does not happen again.

And if your account is among the A/B-tested ones where the AI support option is active, you are out of luck: you cannot even disable it.
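The control missing from the flow described above, as an added example (not Instagram's or Meta's code): a server-side gate that a support agent's "send recovery code" action has to pass, so the destination must be a contact the owner verified earlier, 2FA stays required, and existing contacts are notified. All names, the 30-day threshold and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MIN_CONTACT_AGE = timedelta(days=30)  # assumed cooling-off for newly added contacts

@dataclass
class Account:
    username: str
    verified_contacts: dict  # email -> time the owner verified it
    two_factor_enabled: bool = True

@dataclass
class Decision:
    allowed: bool
    reason: str
    send_code_to: Optional[str] = None
    require_second_factor: bool = False
    notify: list = field(default_factory=list)

def normalize(email: str) -> str:
    return email.strip().lower()

def decide_recovery(account, requested_email, now, region_matches=True):
    """Gate enforced outside the chat model: it cannot be argued with."""
    # region_matches is deliberately ignored: a nearby IP address is a risk
    # signal at best, never proof of ownership.
    on_file = {normalize(c): t for c, t in account.verified_contacts.items()}
    notify = sorted(on_file)  # every existing contact hears about the attempt
    target = normalize(requested_email)
    if target not in on_file:
        return Decision(False, "destination not on file", notify=notify)
    if now - on_file[target] < MIN_CONTACT_AGE:
        return Decision(False, "contact added too recently", notify=notify)
    return Decision(True, "destination verified", send_code_to=target,
                    require_second_factor=account.two_factor_enabled,
                    notify=notify)

# Constructed sample data, not taken from the incident.
NOW = datetime(2025, 1, 31)
ACCOUNT = Account("example_user", {
    "Owner@example.com": datetime(2020, 5, 1),
    "new@example.net": datetime(2025, 1, 25),
})
```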

Black markets in abundance

Several black-market Telegram groups have emerged that offer “account takeover” services at high prices and with short turnaround times. Considering that short handles are worth hundreds of thousands to even millions of dollars, this is no surprise.

Accounts were flipped, like hey, or used for propaganda, such as Obama-Whitehouse or ocmsf, the account of the Chief Master Sergeant of the U.S. Space Force.

Now patched

The Telegram groups have all gone quiet, as Meta has apparently already patched it, but it seems that this particular method was active for weeks, if not months.

The fact that a $1.5 billion firm lacks robust templates and that its support AI simply changes anyone's linked email address if you ask nicely enough would be frightening if it were not so funny.

If you have made it this far, thank you for reading! :)

I thought several exits and retirement in my mid-30s would be fun, but I was just bored and depressed without morning Slacks and emails to wake up to. If you are building something interesting and could use additional hands for shipping, or just want to say “Hello”, you can contact me. My inbox is open.
