Instagram Social-Engineering Vulnerability: Account Hijack With Only a Username
Why It's Worth Reading
Using nothing but the target's username plus a VPN exit in the same city, the attacker exploits a fatal design flaw in Instagram's customer-support process to complete an account takeover. A warning for AI engineers: no matter how strong your algorithmic risk controls are, they cannot stop a social-engineering channel that was deliberately designed to be "passable by a human, hard for a machine to block".
Editor's Judgment
The essence of this vulnerability lies not in technical depth but in a kind of "reverse filtering" at the product-design level: Meta's support system was deliberately built to be lenient toward real people and strict toward machines, and as a result it was broken by an attacker using the cheapest possible imitation of a human. For teams building AI security products this is a classic cautionary tale: when you set "a real human can get through" as the floor of your risk controls, you are telling attackers "you only need to be as cheap as a human". More worrying is that this pattern is spreading. From banks to cloud providers, the "contact a human agent to recover your account" channel is increasingly becoming the de facto highest-privilege backdoor. If you are designing identity-verification or account-recovery systems, re-examine the audit logging and secondary verification of your "human fallback" process rather than assuming "human support = secure".
Community Feedback
Sentiment: negative, 206 comments
Core debate: whether AI customer-support automation necessarily weakens account security, and how large companies approach responsibility for security vulnerabilities.
>Once it looks like the request is coming from the correct region, they tell the Meta support AI that the account is hacked and ask it to send the verification codes to an arbitrary email address they control. Dear Instagram, wtf. Why not send the reset to the account in question? Arbitrary email, w
Perhaps the attacker says that their email was also hacked and "this is my new email now". It sounds like this was a result of AI support and not a real person: "And if you're part of the A/B tested accounts on which the AI support option is active, tough luck, you can't even turn it off."
wow that's extremely embarrassing for meta