Tell HN: Meta's AI support feature lets Instagram accounts be hijacked
8 points • by parable • about 1 month ago
If the AI support option is enabled for your Instagram account (it appears to be A/B tested for only a percentage of accounts), anyone can hijack it with little effort. Simply get on a proxy or VPN close to the account's region, then ask the agent to send a code to an arbitrary email address. Once you receive the code, pass it forward to the agent, and it'll provide you with a password reset link which you can then use to sign into the account.

Posting here for any Meta employees who may be reading. This flaw has been around for at least a few days and has been used to hijack over 100 high-value Instagram accounts. The correct patch would be to disable the AI support feature entirely for the time being until this is sorted and revert accounts and usernames that have been hijacked over the last few days. This is a pretty important flaw and it's currently being exploited in blackhat circles. The steps above are public knowledge in these circles and can be found trivially on Telegram.