Over the past few months, attackers have been talking Meta's new AI support bot into handing over Instagram accounts they didn't own. The attack was almost too simple. Start a normal password reset, open the support chat, tell the bot you're locked out, and ask it to change the recovery email on the account. The bot did exactly that, then sent the one-time code straight to the attacker's inbox.
Two weekends ago Meta pushed an emergency patch after accounts belonging to the Obama White House (now dormant), Sephora, and a senior US Space Force official were taken over. Meta has not said how many accounts were hit.
Confused deputy
The bot appears to have been wired into Meta's account management systems with permission to make changes like email swaps and password resets, but it was not taught to confirm it was talking to the real account owner. Security people have a name for this going back to the 80s -- the 'confused deputy'. A trusted process with real privileges gets tricked into misusing them on someone else's behalf.
Very simply, the bot was argued into doing something its permissions allowed and its judgment should have stopped. Per Brian Krebs, cybersecurity investigative journalist, the attack failed against accounts with multi-factor authentication enabled, including SMS codes. Translation: Go turn on Two-factor Authentication. Now.
What this means if you're putting AI near SQL Server
This is a consumer story, but the lesson lands squarely in our world. As people start wiring AI agents and MCP servers into SQL Server, the account that the AI runs under is the real safety boundary -- not the model's good sense or anyone's assumptions about how it is supposed to work. That boundary MUST be enforced by the account's privileges. If you grant an AI principal more than it strictly needs, you're trusting the model to never be argued out of restraint, and Meta just showed us how that goes.
So the takeaway is an old one, only pointed at a new kind of caller. Grant the AI account the minimum it needs, audit what it can touch, and assume it can be talked into anything its permissions allow. And don't ever treat this as a one-time setup. Monitor what your AI and service accounts are doing regularly, the same way you would any other privileged login.
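Here is what "grant the minimum, audit what it can touch, monitor it like any privileged login" looks like in T-SQL for an AI/MCP principal. This is an added example written for this post, not anything Meta or any MCP project ships; the login, database, schema, file path and audit names (ai_agent_login, SalesDb, Reporting, D:\SqlAudit\, AiAgentAudit) are assumptions to replace with your own.

```sql
-- Added example (not from the original post): least-privilege setup, permission audit and
-- activity monitoring for an AI/MCP principal on SQL Server. All names below are assumptions.

-- 1. A dedicated login and user, so the agent never shares an account with an app or a human.
USE master;
CREATE LOGIN ai_agent_login WITH PASSWORD = '<strong password here>', CHECK_POLICY = ON;
-- A new login is only a member of 'public'; do NOT add it to sysadmin, securityadmin or
-- any other fixed server role. The agent must not be able to change logins or the server.
GO

USE SalesDb;
CREATE USER ai_agent FOR LOGIN ai_agent_login;

-- 2. A role that holds exactly what the agent needs: read access to one schema, nothing else.
CREATE ROLE ai_agent_reader;
GRANT SELECT ON SCHEMA::Reporting TO ai_agent_reader;
ALTER ROLE ai_agent_reader ADD MEMBER ai_agent;

-- 3. Explicit DENYs for the kinds of change the Meta bot was talked into making.
-- A DENY wins over any GRANT the principal might later pick up through another role,
-- so even a "helpful" future grant cannot quietly widen what the agent can do.
DENY INSERT, UPDATE, DELETE, EXECUTE TO ai_agent;      -- database-scope data/exec denial
DENY ALTER ANY USER, ALTER ANY ROLE, ALTER ANY APPLICATION ROLE TO ai_agent;
GO

-- 4. Audit what the principal can actually touch, evaluated AS the principal, not as you.
EXECUTE AS USER = 'ai_agent';
SELECT entity_name, subentity_name, permission_name
FROM fn_my_permissions(NULL, 'DATABASE');              -- effective database-level permissions
SELECT permission_name
FROM fn_my_permissions('Reporting', 'SCHEMA');         -- should be SELECT only
REVERT;
GO

-- 5. Ongoing monitoring: a server audit that records everything this principal does,
--    plus any change to principals, roles or schema objects in the database.
USE master;
CREATE SERVER AUDIT AiAgentAudit
    TO FILE (FILEPATH = 'D:\SqlAudit\')                -- assumption: folder exists, service can write
    WITH (ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT AiAgentAudit WITH (STATE = ON);
GO

USE SalesDb;
CREATE DATABASE AUDIT SPECIFICATION AiAgentActivity
    FOR SERVER AUDIT AiAgentAudit
    ADD (SELECT, INSERT, UPDATE, DELETE, EXECUTE ON DATABASE::SalesDb BY ai_agent),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- 6. The review query to run on a schedule. For this principal, anything other than
--    SELECT against Reporting.* is a finding worth a ticket.
SELECT event_time, server_principal_name, database_principal_name,
       action_id, object_name, statement
FROM sys.fn_get_audit_file('D:\SqlAudit\AiAgentAudit*.sqlaudit', DEFAULT, DEFAULT)
WHERE server_principal_name = 'ai_agent_login'
ORDER BY event_time DESC;
```

The point of step 3 is that the DENYs, not the model's restraint, are what stop a "please just update that row for me" request from working; step 4 is how you prove it, because fn_my_permissions under EXECUTE AS shows the effective result of every GRANT, DENY and role membership combined rather than what you think you configured.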
More to Read
Meta's AI support bot happily handed Instagram accounts to hackers (Malwarebytes)