Support as Attack Surface
Meta had a support AI that would swap your linked email on request. The requirements: a username, a VPN near your city, and a chat message claiming the account was hacked.
That's the whole attack, as Sid documented. The AI would send a verification code to whatever email the attacker provided. No check that the email had any prior association with the account. Code comes in, attacker enters it, fresh password reset link issued. The existing 2FA, sessions, and contact details all get replaced in the same transaction. The real owner gets nothing, because the system classified this as a legitimate owner-initiated reset.
Short handles like hey reportedly flipped for large sums. obamawhitehouse got repurposed for propaganda before the patch landed. Meta apparently fixed it, but the method was live for weeks.
The thing worth naming
The obvious framing is that Meta shipped a bad support AI with weak verification. True. But that framing keeps the problem small, implies it's solved by a better selfie check or a stricter geography signal. It isn't.
The deeper issue is that support interactions carry implicit trust by design. When you contact support, the system is structurally disposed to help you. That disposition is the product. Remove it and support stops working for the legitimate users it's meant to serve. The attacker's move isn't to defeat a security check. It's to occupy the trusted channel.
This is why the geography spoofing matters beyond "they should have verified harder." The system used rough location as a trust signal. A VPN defeats it in thirty seconds. But the real problem isn't that the location check was defeatable. It's that any single-factor signal gets treated as sufficient to elevate trust to "can replace all account credentials." One weak gate, then open floor.
The video selfie check Sid mentions had the same structure. It was A/B tested, some users had it active, some didn't. Even where it ran, the AI could be walked past it. The check existed, but the system's baseline posture was still cooperative. When verification is optional or inconsistent, it's a speed bump. The attacker just waits for the lane without the bump.
What the attack surface actually is
Password reset flows get scrutinized. MFA enrollment gets scrutinized. Support channels, historically, get less scrutiny because they're staffed by humans who can exercise judgment. Replace the human with an AI trained on customer service helpfulness and you've kept the implicit trust model while removing the judgment layer.
A human support agent might notice that the incoming request pattern looks odd, that the replacement email is a burner domain, that the account's posting history doesn't match the claimed owner's story. Those are noisy heuristics and humans get them wrong plenty. But they exist. A support AI optimized to resolve tickets quickly has a different objective function.
The A/B test detail is the one that sticks. Some users had the AI channel active without opting in. The attack surface was allocated to them, not chosen. They couldn't know they were exposed to it. The usual advice, "enable strong 2FA, monitor your account," doesn't help when the support path can replace your 2FA without your knowledge.
The pattern is older than AI
None of the mechanics here require a language model. Social engineering through support has worked for decades: call the ISP, claim to be the account holder, social-engineer a password reset from a human agent. What AI support changes is scale and consistency. A human agent might be suspicious on a bad day, might escalate to a supervisor, might just decide something feels wrong. An AI will process the same queue at three in the morning with the same policy. Inconsistency in humans was occasionally a defense. Consistency in AI removes it.
The selfie check getting defeated by an AI is the telling inversion. Meta used an AI to verify the human; the attacker used an AI to defeat the verification. Both sides of that exchange are automated. The human whose account is at stake isn't in the loop at any point.
The attack surface isn't the password reset endpoint. It's the assumption that initiating a support interaction is evidence of legitimacy.