This simultaneously seems like: 1) such an obvious attack vector that it is extreme negligence to not have had planned for appropriate security protections against this, and 2) the most obvious outcome for Meta to be this security lax and stupid. If it doesn't hurt their ad sales, it doesn't matter to Meta.
Instagram auth flow is still hosed as I write this. If I try to sign on via web to my account, which was "recovered" yesterday at least 8 times by me and by hackers, I get the most obnoxious recaptcha treatment I've ever seen with 4-6 different pages of "click the motorcycle" where all 16 squares contain motorcycles, and after I deal with that for several minutes it still just hangs on "we will now redirect you".
This simultaneously seems like: 1) such an obvious attack vector that it is extreme negligence to not have had planned for appropriate security protections against this, and 2) the most obvious outcome for Meta to be this security lax and stupid. If it doesn't hurt their ad sales, it doesn't matter to Meta.
"Hackers"? No. There's no hacking involved. It's literally just politely asking the bot to send you the login link.
Instagram auth flow is still hosed as I write this. If I try to sign on via web to my account, which was "recovered" yesterday at least 8 times by me and by hackers, I get the most obnoxious recaptcha treatment I've ever seen with 4-6 different pages of "click the motorcycle" where all 16 squares contain motorcycles, and after I deal with that for several minutes it still just hangs on "we will now redirect you".