Sid's writeup on a recently patched Instagram/Meta account takeover flow

recovery/support paths can become a zero-auth bypass that nullifies 2FA and revokes legit sessions.

Original source

What it is: Sid's writeup on a recently patched Instagram/Meta account takeover flow.

Gist: attacker allegedly only needed a target username, region-matching IP, and Meta support AI to redirect recovery codes to attacker-controlled email; video selfie checks were reportedly weak enough to bypass with AI-animated public photos.

Newsletter angle: “support AI as auth bypass” / security lesson on high-privilege recovery flows needing stricter invariants than normal login.

Note: fetched article body successfully via web_fetch.