Mastodawn

New, by me: Meta has filed a data breach notice confirming that *thousands* of people had their Instagram accounts hacked as part of a months-long campaign abusing its Meta AI chatbot.

Meta's breach notice shows the hacks were far more widespread than first thought.

More: https://this.weekinsecurity.com/meta-confirms-thousands-of-instagram-accounts-were-hacked-by-abusing-its-ai-chatbot/

Meta confirms thousands of Instagram accounts were hacked by abusing its AI chatbot

Meta fixed the bug that let anyone trick its Meta AI chatbot into resetting the password on Instagram accounts that didn't have two-factor authentication.

~this week in security~

Show thread

Aubrey Clark 4d ago

@zackwhittaker This reminds me of a friend who tests AI systems for a living. Her job is basically to see whether an AI can be tricked into doing things it wasn't supposed to do.

Is this the same general idea, or is it a completely different kind of vulnerability? 😲

Show thread

ᴮᵉⁿ ᴿᵒʸᶜᵉVOTE IN THE PRIMARIES

@aubreyclark @zackwhittaker

it's really, really stupid

it's based on "AI is magic, yay! just turn it on, no problems, yay!":

"hackers abused a flaw in Meta's chatbot that allowed anyone to reset the password of any account that did not have two-factor authentication switched on. The bug tricked the chatbot into sending a verification code to an email address controlled by the hacker, rather than the account holder's email address on file, simply by asking it. The chatbot complied anyway"