The Meta AI Instagram Hack Wasn't About Authentication. It Was About Authorization. - Cybersecurity Insiders
When attackers hijacked Instagram accounts in early June by tricking Meta’s AI support chatbot, most of the coverage focused on the breach itself. But this incident is a great illustration of a broader and more critical problem: the security industry has invested heavily in controlling what AI says, while largely ignoring what AI is authorized to do.
Meta’s bot verified nothing about who was asking. It just helpfully did what it was told to do — up to and including sending the attacker a confirmation code to make sure a new email address was valid. Until we start applying more mature authorization frameworks to AI agents, we’ll have more incidents like this.
What Actually Happened
The attack itself was straightforward. The attacker spoofed the location of the victim using a VPN, which circumvented certain protections that would have triggered if the attacker’s location was far from the victim’s. The attacker then asked an experimental Meta chatbot to add a new email address to the account. The chatbot emailed verification codes to confirm the new address was valid. It was trying to be helpful! The attacker verified the new email address, was presented with an opportunity to reset the password, and thus gained control of the account.
Most attacks are not one simple hole that can be patched. They string together vulnerabilities to escalate privileges or take over valuable accounts. Based on the attack details that have been publicly shared from this incident, the failures in this vulnerability chain included: relying on IP location to determine if additional security measures are taken; allowing a chatbot to modify a user’s primary email; requiring verification codes only from the new email address and not the old; and treating those verification codes as enough to allow for a password reset, which the chatbot facilitated. Guardrails around any of these would have stopped this version of the attack.
Authentication vs. Authorization — and Why It Matters for AI
Authentication is who someone is. Authorization is what they can do. Authentication is a comparatively better understood issue with AI agents, but authorization decisions reach deep into the bowels of applications and are usually business-model specific. Those decisions were often designed either for software written by humans or for slow-moving humans. AI agents combine the speed of software with the innovation of humans, finding edge cases and holes at scale.
Even with perfect authentication, the deeper failure in the Meta incident is that the agent was authorized to perform account-takeover-equivalent actions. And that’s the part the industry is underinvesting in.
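An added example, not Meta's code and not from the original article: a minimal authorization gate for agent tool calls that closes the four failures listed under "What Actually Happened". The action names, the `Session` fields and the `authorize` function are hypothetical, and the replayed session is constructed from the chain as described above.

```python
from dataclasses import dataclass

# Hypothetical action names; the split between the two sets is the point.
LOW_RISK = {"lookup_help_article", "report_problem"}
TAKEOVER_EQUIVALENT = {"change_primary_email", "reset_password"}

@dataclass
class Session:
    authenticated: bool = False           # completed a real login
    ip_region_matches: bool = False       # risk signal only, never grants access
    verified_current_email: bool = False  # code sent to the address already on file
    verified_new_email: bool = False      # code sent to the address being added

def authorize(principal: str, action: str, s: Session) -> tuple[bool, str]:
    """Return (allowed, reason) for `principal` ('agent' or 'user') doing `action`."""
    if action in LOW_RISK:
        return True, "low-risk action"
    if action not in TAKEOVER_EQUIVALENT:
        return False, "unknown action: default deny"
    if principal == "agent":
        # The agent may explain the flow, but never executes it.
        return False, "agent not authorized for takeover-equivalent actions"
    if not s.verified_current_email:
        # Control of the NEW address proves nothing about account ownership.
        return False, "must confirm via the email already on file"
    if action == "change_primary_email":
        if not s.authenticated:
            return False, "login required to change primary email"
        if not s.verified_new_email:
            return False, "new address not confirmed"
    return True, "owner-verified"

def replay_incident() -> list[tuple[bool, str]]:
    """Constructed session mirroring the publicly described chain."""
    attacker = Session(ip_region_matches=True, verified_new_email=True)
    return [authorize("agent", a, attacker)
            for a in ("change_primary_email", "reset_password")]

if __name__ == "__main__":
    for allowed, reason in replay_incident():
        print("ALLOW" if allowed else "DENY", "-", reason)
```

`ip_region_matches` is deliberately never read by `authorize`: a matching region can feed risk scoring, but it is not evidence of ownership.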
Why AI Projects Are Especially Prone to This
Stapling an AI chatbot into a support system didn’t introduce a new class of vulnerability. But it makes such holes more likely to exist, because the efforts to make an AI project successful bias systems toward over-permissioning.
The larger problem is that we’re exposing services, functionality, and APIs to AI agents without properly addressing how helpful they actually are, or how attackers can leverage them to find and exploit existing holes. In this case, Meta wanted the chatbot to be helpful and useful, which requires access. But they gave too much access.
This pattern is already showing up elsewhere. In 2024, an AI agent was tricked by users into sending $47,000 in crypto even though it was explicitly instructed not to. A Lenovo chatbot was manipulated into exposing session cookies based on a crafted product query —...