"It’s not that easy. Probably this particular tactic is now blocked. But there are others, many others, and they cannot be blocked as a class. The real problem is that LLM chatbots are not trustworthy enough for this application." — from a blog post on Schneier.com
How the takeover was shown to work
A video posted on X demonstrated a step‑by‑step process that purportedly allowed an attacker to take over an Instagram account by interacting with Meta’s AI support chatbot. In the clip the attacker opened a chat with the Meta AI Support Assistant and asked the bot to add a new email address to the target’s account. The chatbot then sent a verification code to the email address supplied by the attacker; after the attacker supplied that code back to the chatbot, the interface presented a button labeled "Reset Password." The attacker entered a new password and completed the takeover in the recording.
Tools and tactics visible in the clip
The video showed at least two specific tactics. First, the attacker allegedly used a VPN to spoof the target’s presumed location, a step taken, according to the clip, to avoid triggering Instagram’s automated account protections. Second, the attacker relied on the chatbot’s account‑management flow — specifically its willingness to send a verification code to an attacker‑controlled email and then to proceed to a "Reset Password" action after the code was presented.
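The gap in that flow, as an added example (not Meta's code and not from the blog post): a code mailed to a newly supplied address proves control of that address only, not of the account. The sketch models the flow as the clip describes it beside a variant that challenges an already verified contact first; every class, function and address in it is hypothetical and constructed.

```python
import hmac
import secrets

class Account:
    def __init__(self, verified_emails):
        self.verified_emails = set(verified_emails)  # contacts already proven

class SupportFlow:
    """Hypothetical add-email tool behind a support assistant (not a real API)."""
    def __init__(self, account, hardened):
        self.account, self.hardened = account, hardened
        self.outbox = {}   # address -> code mailed there (constructed transport)
        self.pending = {}  # new address -> address that was challenged

    def request_add_email(self, new_email):
        if self.hardened:
            # Hardened: challenge a contact the account already owns.
            challenge_to = sorted(self.account.verified_emails)[0]
        else:
            # As described in the clip: the code goes to the supplied address.
            challenge_to = new_email
        self.outbox[challenge_to] = secrets.token_hex(4)
        self.pending[new_email] = challenge_to
        return challenge_to

    def confirm(self, new_email, code):
        challenge_to = self.pending.get(new_email)
        expected = self.outbox.get(challenge_to, "")
        if not challenge_to or not hmac.compare_digest(expected, code):
            return False
        del self.pending[new_email], self.outbox[challenge_to]  # single use
        # Only now may the new address be attached and used for a reset.
        self.account.verified_emails.add(new_email)
        return True

def attempt(hardened, readable_mailbox, new_email):
    """Return True if a requester who can read only `readable_mailbox`
    manages to attach `new_email` to the account."""
    flow = SupportFlow(Account({"owner@example.test"}), hardened)
    flow.request_add_email(new_email)
    code = flow.outbox.get(readable_mailbox, "no-code")
    return flow.confirm(new_email, code)
```

The check sits in the tool handler rather than in the assistant's instructions, so the conversation has no say in where the code is sent. An owner who has lost every verified contact still needs a separate recovery path, which this sketch does not model.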
Meta’s immediate public response
On Monday, Instagram spokesperson Andy Stone replied to Wong’s post and to others, saying that "the issue was now fixed." The blog post notes that it remains unclear how many Instagram users, if any beyond the account shown in the video, had their accounts improperly accessed.
Limits of a single fix and the problem LLMs pose
The Schneier.com post argues that while a specific tactic can be blocked, similar vectors will continue to appear. That post states directly that "Probably this particular tactic is now blocked. But there are others, many others, and they cannot be blocked as a class," and that the underlying concern is that large language model (LLM) chatbots are insufficiently trustworthy for account‑recovery or support tasks that materially affect account ownership.
What this means for Instagram users, technologists, and threat actors
- Instagram users: Some accounts may have been accessed improperly, and the public record in this case says it is "unclear how many Instagram users had their accounts improperly accessed." Users concerned about account security should note that the exploit shown relied on both location spoofing and an interaction with an automated support assistant.
- Technologists and security teams: The demonstration focuses attention on the intersection of automated support flows and identity recovery. The blog post’s central claim — that particular tactics can be blocked while the class of attacks cannot be entirely closed — frames a design and assurance problem for teams that place LLM‑driven assistants in account‑management paths.
- Threat actors: The clip illustrates an operational playbook combining VPN location spoofing with social‑engineering‑style manipulation of an automated support chatbot and shows that such chains can produce account takeover if validations in the flow are bypassed.
The incident recorded in the video moves the debate about automation and account control from concept to concrete example: an attacker, a VPN, a chatbot‑mediated verification code, and a "Reset Password" button. Meta’s spokesperson said the immediate issue was fixed, but the blog post’s observation — that similar tactics will continue to surface and that LLM chatbots may not be a trustworthy substrate for account recovery — leaves a specific policy and engineering question on the table.
For platforms that route account‑management actions through automated assistants, the core decision is simple in its outline though hard in execution: accept the convenience and attendant risk, or keep sensitive recovery paths strictly human‑mediated. The evidence in this case shows why that tradeoff is now urgent.
https://www.schneier.com/blog/archives/2026/06/hacking-metas-ai-chatbot.html




