Tell HN: Meta's AI support feature makes Instagram accounts easy to hijack.

8 | Author: parable | about 2 hours ago
If the AI support option is enabled for your Instagram account (it appears to be A/B tested for only a percentage of accounts), anyone can hijack it with little effort. Simply get on a proxy or VPN close to the account's region, then ask the agent to send a code to an arbitrary email address. Once you receive the code, pass it forward to the agent, and it'll provide you with a password reset link which you can then use to sign into the account.

Posting here for any Meta employees who may be reading. This flaw has been around for at least a few days and has been used to hijack over 100 high-value Instagram accounts. The correct patch would be to disable the AI support feature entirely for the time being until this is sorted and revert accounts and usernames that have been hijacked over the last few days. This is a pretty important flaw and it's currently being exploited in blackhat circles. The steps above are public knowledge in these circles and can be found trivially on Telegram.
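The flaw described in the post comes down to a verification code being sent to an address the requester chose, so entering it proves control of that address and nothing about the account. The following is an added example, not part of the original post and not Meta's code, of a server-side guard that a support agent's tools would have to pass through; the class, method names and sample data are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: contact points the account owner verified earlier.
VERIFIED_CONTACTS = {"alice_ig": {"alice@example.com"}}


def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()


class RecoveryGuard:
    """Checks enforced outside the agent, so a conversation cannot waive them."""

    def __init__(self, ttl_seconds=600):
        self._ttl = ttl_seconds
        self._pending = {}  # account -> (destination, code digest, expiry)

    def send_code(self, account, destination, now=None):
        """Return a code only if destination is already bound to the account."""
        now = time.time() if now is None else now
        dest = destination.strip().lower()
        if dest not in VERIFIED_CONTACTS.get(account, set()):
            return None  # requester-supplied address: refuse, issue nothing
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = (dest, _digest(code), now + self._ttl)
        # In production the code is delivered to dest only, never to the chat.
        return code

    def issue_reset(self, account, code, now=None):
        """Allow a reset link only for a live code tied to this account."""
        now = time.time() if now is None else now
        # pop() makes the code single use; a wrong guess also burns it.
        entry = self._pending.pop(account, None)
        if entry is None:
            return False
        _dest, expected, expires = entry
        if now > expires:
            return False
        return hmac.compare_digest(expected, _digest(code))
```
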