Hacker News 中文摘要

RSS订阅

最新Instagram“漏洞”是我见过最滑稽的 -- The newest Instagram “exploit” is the goofiest I've seen

原文链接 | HN讨论 | 2026-06-02 01:42:07

文章摘要

核心内容: 近日Instagram出现一种低级漏洞,攻击者仅需目标账号用户名,通过VPN伪装地理位置后,向Meta客服AI谎称账号被盗,即可将验证码发送至攻击者控制的邮箱,从而重置密码并完全接管账号(包括奥巴马白宫等知名账号)。整个过程缺乏对邮箱归属的基础验证,堪称"蠢到难以置信"的安全漏洞。

文章总结

标题:最新Instagram漏洞事件:荒诞到令人难以置信

来源:https://www.0xsid.com/blog/meta-account-takeover-fiasco

昨日,包括奥巴马白宫官方账号在内的多个Instagram高知名度账户遭遇入侵。这个被称为"最不严肃"的账户接管方式,其简单程度简直令人啼笑皆非。

入侵流程解析: 1. 伪造地理位置并联系客服 攻击者仅需目标账号用户名,通过VPN伪装成账户所在城市IP(这些信息很容易从公开资料中获取)。随后向Meta客服AI谎称账户被盗,要求将验证码发送到攻击者控制的邮箱。

  1. 简单到荒谬的验证 系统不会验证邮箱是否曾与账户关联。攻击者收到验证码后即可完成验证,获得密码重置权限。更荒诞的是,系统要求的视频自证环节,用目标账户的公开照片就能轻易通过。

安全措施形同虚设: • 双重验证完全失效 • 原用户不会收到任何通知 • 账户关联信息被完全替换 • 部分用户甚至无法关闭该AI客服功能

黑色产业链: 多个Telegram群组提供高价快速"账户接管"服务。短用户名账户价值可达数百万美元,已有账户被转售(如"hey")或用于政治宣传(如美国太空军司令官方账号)。

现状: 虽然Meta已修复该漏洞,但这个存在数周乃至数月的漏洞暴露了严重问题:一家市值1.5万亿美元的公司,其客服AI竟会因简单请求就随意更改账户关联邮箱,这种安全漏洞既可笑又可怕。

(注:编辑过程中删减了部分重复性描述和技术细节,保留了事件关键要素和最具冲击力的事实,同时优化了中文表达方式。)

评论总结

以下是评论内容的总结:

主要观点和论据

1. 对Meta安全漏洞的批评

  • 观点:Meta的AI支持系统存在严重安全漏洞,允许攻击者通过社会工程轻易绕过2FA并控制账户。
  • 论据
    • "Once it looks like the request is coming from the correct region, they tell the Meta support AI that the account is hacked and ask it to send the verification codes to an arbitrary email address they control." (评论1)
    • "The implications of this are quite unsettling. Meta gave an agent privileged read AND write access to user accounts with no human in the loop?" (评论5)

2. 对2FA无效性的不满

  • 观点:2FA(双因素认证)被轻易绕过,失去了其安全意义。
  • 论据
    • "The simple fact that 2FA can be removed by low level support staff drives me mad. It defeats the whole purpose of the process." (评论6)
    • "What is even the point of having 2FA if it can be so trivially bypassed?" (评论18)

3. 对Meta AI系统的普遍不信任

  • 观点:Meta的AI系统在安全和用户支持方面表现糟糕,缺乏可靠性。
  • 论据
    • "The only thing worse than a naive customer support rep is an even more naive customer support ai." (评论7)
    • "Using AI for both the moderation and the support makes me sick... AI simply isn’t good enough to have full control." (评论24)

4. 对Meta法律责任的质疑

  • 观点:Meta的安全漏洞不仅是技术问题,还应承担法律责任。
  • 论据
    • "How is this 'embarrassing' instead of subject to legal liability?" (评论14)
    • "This is security I doubt even a college student would implement. Does Meta have a CSO?" (评论22)

5. 对Meta商业模式的批评

  • 观点:免费服务模式导致支持资源不足,用户成为牺牲品。
  • 论据
    • "Otherwise the only way to provide these services is to massively underfund support, if you charge 0$ per account and serve 1 Billion users..." (评论21)
    • "Of course it’s always possible that they simply don’t care who has your account, as long as they get money." (评论22)

6. 对报道真实性的质疑

  • 观点:部分评论者认为报道缺乏证据,可能是夸大其词。
  • 论据
    • "Too bad there is 0 proof or anything in the article, so I am very skeptical." (评论20)
    • "Is there any credible primary source for this exploit being real?" (评论17)

关键引用(中英文对照)

  1. 安全漏洞

    • "Once it looks like the request is coming from the correct region, they tell the Meta support AI that the account is hacked..." (评论1)
    • "一旦请求看起来来自正确地区,攻击者就告诉Meta支持AI账户被黑..."

  2. 2FA无效

    • "The simple fact that 2FA can be removed by low level support staff drives me mad." (评论6)
    • "2FA能被低级支持人员移除的事实让我发疯。"

  3. AI系统不可靠

    • "Using AI for both the moderation and the support makes me sick." (评论24)
    • "用AI同时做审核和支持让我恶心。"

  4. 法律责任

    • "How is this 'embarrassing' instead of subject to legal liability?" (评论14)
    • "这为什么是‘尴尬’而不是法律责任?"

  5. 商业模式问题

    • "Otherwise the only way to provide these services is to massively underfund support..." (评论21)
    • "否则提供这些服务的唯一方式就是大幅削减支持资源..."

  6. 报道真实性

    • "Too bad there is 0 proof or anything in the article, so I am very skeptical." (评论20)
    • "可惜文章没有任何证据,我非常怀疑。"