
Posted by ssiddharth 2 hours ago

The newest Instagram “exploit” is the goofiest I've seen(www.0xsid.com)
365 points | 72 comments
rd 1 hour ago
This happened to my Instagram yesterday night while I was asleep. I don't have a particularly high-value username (it's probably worth somewhere in between $300-500), but it's still incredibly frustrating to deal with. True to the article, I had already enabled 2FA last night and it didn't matter.

Thankfully, IG gave me the option of restoring my username when I logged back into my account today.

umarcyber 1 hour ago
I'm sitting here wondering why the Chief Master Sergeant of the U.S. Space Force has an Instagram account to begin with. I understand it's the office itself, but I still don't see the reason to expand the attack surface of government offices. X makes sense; Instagram, I'm not so sure.
ventana 1 hour ago
I see no difference between X and Instagram in this regard whatsoever.

Think NASA, for example; it's also a government agency, and they are doing a great job posting photos on Instagram. Do you think anything is wrong with it?

asdff 29 minutes ago
It is just bizarre when you take a step back and remember the world 20 years ago. NASA would just post directly to their own website. Of course they would. Now imagine you go back in time 20 years ago and say "What if we took all these images you are providing for the public on their dime, compressed the hell out of them, and served them in this for-profit proprietary marketing/propaganda app instead?" Engineers in 2006 would have probably looked at you like you had three heads. The question would make no sense back then.

Something to think about when we consider what is "normal" today. Not much really is normal. We've been beaten into thinking it is.

toast0 1 hour ago
Outreach, I'd guess? You've got to do outreach where the people are. X and Instagram have pretty different audiences, but they're both large, so if you're on one you probably should be on both.
mikey_p 41 minutes ago
Why does X make sense? It makes no sense at all to me. X is the least logical place to put it.
tantalor 1 hour ago
They're just one tiny step from the AI emailing itself all the account recovery links, and locking out the entire userbase.

It might even do that preemptively if it thinks they're going to shut it down.

coldcode 1 hour ago
Nothing says you are an advanced stupid company more than using AI to implement the stupid. This is security I doubt even a college student would implement. Does Meta have a CSO? The correct answer is they don't, even though somebody might occupy the title.

Of course it's always possible that they simply don't care who has your account, as long as they get money.

gaflo 1 hour ago
Is there any credible primary source for this exploit being real?
throwawaycan 1 hour ago
https://www.404media.co/hackers-simply-asked-meta-ai-to-give...
r721 1 hour ago
Related discussion: https://news.ycombinator.com/item?id=48350239
mtoner23 2 hours ago
Wow, that's extremely embarrassing for Meta.
bayarearefugee 1 hour ago
Just another day for Meta in terms of embarrassing outcomes, and yet the company makes hundreds of billions of dollars per year because the only thing that matters anymore is shoving increasingly scammy and worthless ads in front of as many eyeballs as possible, even when the people with those eyeballs can less and less afford to buy anything non-essential.
mikey_p 39 minutes ago
I know this is Hacker News and supposed to be serious and all, but do you really think the people running Meta are capable of embarrassment at this point?
jolt42 1 hour ago
I suppose you could chalk this up to an oversight. I don't see how Meta gained from this. They've been purposeful about collecting user data and lying about it, e.g. the 2025 Android Tracking Incident. This shouldn't just be an embarrassment; it should be much worse than that.
petesergeant 1 hour ago
Who specifically do you think is embarrassed there? They’ve got all the cards, they don’t care.
theideaofcoffee 1 hour ago
What is even the point of having 2FA if it can be so trivially bypassed? Isn't that the whole point that it's sort of a last line of defense? Oftentimes, you can't change simple account settings without having to re-auth and then punch in your code again. Why would something as critical as a suspicious password reset be able to jump ahead of that? Mind boggling. But, I guess that's what happens when you lay off 10% of your people at a time.
king_zee 1 hour ago
If the LLM has knowledge of something, by design it can't help but divulge it. When will companies learn that granting any kind of sensitive information access to an LLM is a moot point?
dpoloncsak 1 hour ago
What part of this article implied the LLM divulged sensitive information to a user? All it did was change your associated email if you impersonated the user.